3

I can see CVE-2016-1000027 has a vulnerability for Spring Web versions below 6.0.0. I'm looking for a dependency fix for a Java 8 version, as Spring Web 6.0 is only compatible with Java 17.

Farhaan Shaik
  • Make sure there are [no HTTP Invoker endpoints exposed to untrusted clients](https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626) - Just because some tool is saying so, it doesn't mean you are actually affected. – dan1st Dec 20 '22 at 11:54
  • I know, but I at least need to cheat the tool to continue my work. Is there any other way to fix this dependency issue? – Farhaan Shaik Dec 20 '22 at 12:00
  • Maybe make sure you are using the latest Spring 5.x version? – dan1st Dec 20 '22 at 12:07
  • And aside from that, you _might_ want to consider switching away from Java 8 anyways... – dan1st Dec 20 '22 at 12:44
  • According to https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525 this is most likely a false flag. I.e. there's no active vulnerability that this CVE describes that applies to recent Spring versions. – Joachim Sauer Dec 20 '22 at 13:44
  • @JoachimSauer this should be the accepted answer. – CrazyPyro Aug 27 '23 at 15:02
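
The check suggested in the comments above (are any HTTP Invoker endpoints exposed at all?) can be started from the source tree. This is an added example, not part of the original thread: the function names and the sample project are hypothetical and constructed here, and it assumes the exporter is referenced by its Spring class name `HttpInvokerServiceExporter`.

```shell
#!/bin/sh
# Added example: list references to Spring's HTTP Invoker exporter in a project.
# The class lives in org.springframework.remoting.httpinvoker (Spring 5.x); the
# pattern also matches SimpleHttpInvokerServiceExporter and "extends" clauses.
EXPORTER='HttpInvokerServiceExporter'

# Print "file:line:text" for each reference in sources and XML bean files under
# $1, skipping comment-only lines. Status 0 if any reference remains, else 1.
find_http_invoker_usage() {
  hits=$(find "$1" -type f \
           \( -name '*.java' -o -name '*.kt' -o -name '*.groovy' -o -name '*.xml' \) \
           -exec grep -n "$EXPORTER" /dev/null {} + 2>/dev/null |
         grep -vE '^[^:]+:[0-9]+:[[:space:]]*(//|\*|/\*|<!--)') || true
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits"
}

# Number of remaining references (0 means nothing to review).
count_http_invoker_usage() {
  find_http_invoker_usage "$1" | wc -l | tr -d ' '
}

# Constructed sample project: a config class that creates an exporter, and an
# XML file that only mentions the class inside a comment.
make_sample_tree() {
  mkdir -p "$1/src/main/java/demo" "$1/src/main/resources"
  cat > "$1/src/main/java/demo/RemotingConfig.java" <<'EOF'
package demo;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
public class RemotingConfig {
    HttpInvokerServiceExporter accountExporter() {
        return new HttpInvokerServiceExporter();
    }
}
EOF
  cat > "$1/src/main/resources/beans.xml" <<'EOF'
<beans>
  <!-- HttpInvokerServiceExporter removed; service is now REST only -->
</beans>
EOF
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
find_http_invoker_usage "$demo_dir" || echo "no HTTP Invoker exporter references"
rm -rf "$demo_dir"
```

A reference only shows that the exporter is wired into the application; whether that endpoint is reachable by untrusted clients still has to be checked against the deployment.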

2 Answers

0

Actually, even the latest 5.x version of Spring still gets this issue. I tried to upgrade to 6.0 and upgraded my Java to 17, and now new errors occur.

  • I found this, and it says that it will resolve the problem, but you might need to use Linux OS for this. https://security-tracker.debian.org/tracker/CVE-2016-1000027 – watcher0123 Dec 22 '22 at 03:54
  • Welcome to Stack Overflow! When you add an answer, it's best to add all of the information in there. I see you have added a comment with some extra info, but please edit your question to contain the information from your comment. That makes your answer more readable and useful! :) – Koedlt Dec 23 '22 at 20:18
0

In my office we are also facing the same issue: the code scanner failed because any Spring Boot deps required Spring Web 5. We tried to migrate to Spring Boot 3 and now it's working fine. This article may help you also: https://javatechonline.com/how-to-migrate-spring-boot-2-to-spring-boot-3/

HermanW