
Vulnerabilities in spring-webmvc-5.3.39 to 5.3.40


I'm using Spring Web MVC v5.3.39 and I'm affected by vulnerability CVE-2024-38816. According to the advisory message of GitHub, I should update to Spring Web MVC v5.3.40.

However, I can't find the artifact for Spring Web MVC v5.3.40. Neither can I find it on mvnrepository.com.

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId>
    <version>5.3.40</version> <!-- This fails -->
</dependency>

implementation 'org.springframework:spring-webmvc:5.3.40' // This fails

How should this issue be resolved?


Solution

  • Spring 5.3.x Open Source Support ended on August 31st 2024 (source). This means that v5.3.40 is only available for commercial support, and can't be found on a central Maven repository (source).

    If you don't have commercial support, you're supposed to update to Spring 6.1.13 (Spring Boot 3.x), which does exist on central Maven repositories.

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>6.1.13</version> <!-- This works -->
    </dependency>

    implementation 'org.springframework:spring-webmvc:6.1.13' // This works
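To find out which of your own build files still declare the affected artifact, here is an added script (not from the question or the answer) that scans a pom.xml and a build.gradle for org.springframework:spring-webmvc and grades each declaration against the two fix versions the answer names. The sample build files are constructed and embedded; its rule that any version below 6.1.13 other than a 5.3.40+ build needs the upgrade is an assumption of this example, not a statement from this page about other affected versions.

```python
import re
import xml.etree.ElementTree as ET

# Fix versions from the answer: 5.3.40 is commercial-only, 6.1.13 is on Maven
# Central. Assumption of this example: anything else below 6.1.13 gets flagged.
COMMERCIAL_FIX = (5, 3, 40)
OSS_FIX = (6, 1, 13)

# Constructed sample build files mirroring the snippets on this page.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>5.3.39</version>
    </dependency>
  </dependencies>
</project>"""
SAMPLE_GRADLE = """dependencies {
    implementation 'org.springframework:spring-webmvc:6.1.13'
    implementation "org.springframework:spring-webmvc:5.3.40"
}"""
GRADLE_RE = re.compile(r"""['"]org\.springframework:spring-webmvc:([^'"]+)['"]""")

def webmvc_status(version):
    """Classify one spring-webmvc version against the fixes named in the answer."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    if len(parts) < 3:  # e.g. a ${property} that the pom resolves elsewhere
        return "unresolved version"
    if parts[:2] == (5, 3) and parts >= COMMERCIAL_FIX:
        return "ok (commercial 5.3.x fix)"
    if parts >= OSS_FIX:
        return "ok"
    return "update to 6.1.13 (CVE-2024-38816)"

def find_pom_webmvc(pom_xml):
    """Versions declared for org.springframework:spring-webmvc in a pom.xml."""
    found = []
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":  # drop the POM namespace
            continue
        f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if f.get("groupId") == "org.springframework" and f.get("artifactId") == "spring-webmvc":
            found.append(f.get("version", ""))
    return found

def audit(pom_xml, gradle):
    """Map every spring-webmvc version found in either build file to a verdict."""
    versions = find_pom_webmvc(pom_xml) + GRADLE_RE.findall(gradle)
    return {v: webmvc_status(v) for v in versions}
```

Run `audit(open("pom.xml").read(), open("build.gradle").read())` against a real project; a version that comes from a Maven property is reported as unresolved rather than guessed.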