Spring State machine Core vulnerabilities CVE-2013-4152, CVE-2013-7315, CVE-2014-0054, CVE-2014-0225

[patpatpat123]

Hello Spring State machine Team,

I just wanted to report an issue regarding CVEs found in this project.

Background:
I did two different tests
Test 1 - download this repository with branch 3.1.0
test 2 - use this project at version 3.1.0 in a Spring Boot 2.6.6 + Spring Cloud Jubilee 2021.0.1 web app project
(everything latest as of this writing)

For both, I run multiple static analysis tools, such as Back Duck, SonarQube, OWASP Dependency-Check, etc...

For both test, I am seeing those issues:
CVE-2013-4152
CVE-2013-7315
CVE-2014-0054
CVE-2014-0225

May I ask if it is possible to help fix those CVEs please?

This is not to make some static analysis tools happy, but rather to address some real security issues.

Thank you

[winfriedgerlach]

@fmbenhassine this ticket concerns 3.1.0 - can it be closed?

[patpatpat123]

There are CVEs on the latest version as well...

[fmbenhassine]

4.0.1 upgraded Spring Boot to the latest version 3.5.0 (which is compatible with previous versions for its usage in Spring State Machine). But I will check all these CVE before releasing 4.0.1.

[fmbenhassine]

Spring Statemachine 4.0.1 has been released and is based on Spring Boot 3.5.3 and Spring Framework 6.2.8 which do not include those CVEs. Thank you for reporting this.