## Security Vulnerability Report
### Summary
The current JRI version includes Spring Framework 5.3.39 which contains known security vulnerabilities. We request an update to Spring Framework 5.3.41 or later to address these CVEs.
### Affected Versions
- **JRI 3.0.0** (JasperReports 7.0.1) - Contains Spring Core 5.3.39
- **JRI 2.10.1** (JasperReports 6.20.0) - Contains Spring Core 5.3.37
### Vulnerabilities Identified
#### CVE-2024-38816: Path Traversal (High Severity)
- **CVSS Score**: High
- **Fixed in**: Spring Framework >= 5.3.40 / 6.0.x >= 6.0.24 / 6.1.x >= 6.1.13
- **Description**: Path traversal vulnerability in RouterFunctions or FileSystemResource
- **Status**: Not applicable to JRI (JRI doesn't use RouterFunctions), but should be fixed for completeness
#### CVE-2024-38819: Path Traversal in Functional Web Frameworks (High Severity)
- **CVSS Score**: High
- **Fixed in**: Spring Framework >= 5.3.40 / 6.0.x >= 6.0.24 / 6.1.x >= 6.1.13
- **Description**: Path traversal vulnerability in functional web frameworks
- **Status**: Not applicable to JRI (JRI doesn't use RouterFunctions), but should be fixed for completeness
#### CVE-2024-38820: Case Insensitivity in DataBinder DisallowedFields (Medium Severity)
- **CVSS Score**: Medium (Low in our application context)
- **Fixed in**: Spring Framework >= 5.3.41 / 6.0.x >= 6.0.25 / 6.1.x >= 6.1.14
- **Description**: Case insensitivity pitfall in DataBinder DisallowedFields
- **Status**: **APPLICABLE** - Requires fix
#### CVE-2024-38808: Spring Expression DoS Vulnerability (Medium Severity)
- **CVSS Score**: Medium
- **Fixed in**: Spring Framework >= 5.3.40 / 6.0.x >= 6.0.24 / 6.1.x >= 6.1.13
- **Description**: Spring Expression Language (SpEL) denial of service vulnerability
- **Status**: Not applicable to JRI (JRI doesn't use SpEL), but should be fixed for completeness
### Current State
- **Spring Core Version in JRI 3.0.0**: 5.3.39
- **Spring Core Version in JRI 2.10.1**: 5.3.37
- **Required Version**: 5.3.41 or later (minimum for CVE-2024-38820)
### Requested Action
Please update Spring Framework dependencies to version **5.3.41 or later** in the next JRI release.
### Impact
While some CVEs may not be directly applicable to JRI's usage patterns, updating to the latest secure version is a security best practice and ensures:
- Protection against all known vulnerabilities
- Compliance with security scanning requirements
- Future-proofing against potential issues
### Additional Context
- Spring Framework 5.3.x reached end-of-life for OSS support on August 31, 2024, but still receives security patches
- The latest Spring Framework 5.3.x version with all security fixes is 5.3.41+
- Maven Central repository has the updated versions available: https://repo1.maven.org/maven2/org/springframework/spring-core/
### References
- Spring Security Advisories: https://spring.io/security
- CVE-2024-38816: https://nvd.nist.gov/vuln/detail/CVE-2024-38816
- CVE-2024-38819: https://nvd.nist.gov/vuln/detail/CVE-2024-38819
- CVE-2024-38820: https://nvd.nist.gov/vuln/detail/CVE-2024-38820
- CVE-2024-38808: https://nvd.nist.gov/vuln/detail/CVE-2024-38808
### Environment
- **JRI Version**: 3.0.0 (also affects 2.10.1)
- **JasperReports Version**: 7.0.1 (in JRI 3.0.0)
- **Application Server**: Apache Tomcat
- **Java Version**: [Your Java version if relevant]
### Additional Notes
We understand that JRI is an open-source project and appreciate the work done by the maintainer. We are willing to:
- Test the updated version once available
- Provide feedback on compatibility
- Contribute to testing efforts if needed
Thank you for maintaining this excellent integration tool!
---
**Labels to add** (if available):
- `security`
- `enhancement`
- `dependencies`
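As an added check, not part of this report or of JRI's own code, the POSIX shell functions below flag a bundled `spring-core-<version>.jar` whose version is below the minimum fixed version for CVE-2024-38820 on its release line (5.3.41 / 6.0.25 / 6.1.14, as listed above); the `WEB-INF/lib` location is an assumption about the deployment.

```shell
#!/bin/sh
# Added example, not JRI's code: flag a spring-core-<version>.jar below the
# minimum version fixing CVE-2024-38820 for its release line (per the report).

min_fixed_for() {            # minimum fixed version for the line of $1
  case "$1" in
    5.3.*) echo 5.3.41 ;;
    6.0.*) echo 6.0.25 ;;
    6.1.*) echo 6.1.14 ;;
    *)     echo "" ;;
  esac
}

# version_ge A B: true when dotted version A >= B (three numeric parts;
# a non-numeric suffix such as -SNAPSHOT is ignored; no GNU sort -V needed)
version_ge() {
  v=$1; w=$2; i=0
  while [ "$i" -lt 3 ]; do
    x=${v%%.*}; y=${w%%.*}; x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case "$v" in *.*) v=${v#*.} ;; *) v=0 ;; esac
    case "$w" in *.*) w=${w#*.} ;; *) w=0 ;; esac
    i=$((i + 1))
  done
  return 0
}

jar_version() {              # version from a path ending in spring-core-<version>.jar
  n=${1##*/}; n=${n#spring-core-}; echo "${n%.jar}"
}

# Verdict for one jar; exit 0 = OK, 1 = below fixed version, 2 = line not covered
check_spring_core_jar() {
  ver=$(jar_version "$1"); min=$(min_fixed_for "$ver")
  [ -n "$min" ] || { echo "UNKNOWN $ver (release line not in the report)"; return 2; }
  if version_ge "$ver" "$min"; then echo "OK $ver"; return 0; fi
  echo "VULNERABLE $ver (needs >= $min for CVE-2024-38820)"; return 1
}

# Scan an exploded webapp's lib dir (assumed path, e.g. WEB-INF/lib); exit 1 on any hit
# Usage: scan_lib_dir /path/to/webapp/WEB-INF/lib
scan_lib_dir() {
  rc=0
  for jar in "$1"/spring-core-*.jar; do
    [ -e "$jar" ] || { echo "no spring-core jar in $1"; return 2; }
    check_spring_core_jar "$jar" || rc=1
  done
  return $rc
}
```

Run against the exploded JRI webapp: JRI 3.0.0's `spring-core-5.3.39.jar` is reported as VULNERABLE, a 5.3.41 jar as OK.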