Expand my Community achievements bar.

SOLVED

Issue with spring vulnerabilities in AEM

Avatar

Level 1
Level 1
11/13/25 3:03:08 AM

Hi Team,

 

Facing issue with below vulnerability in AEM server - 

 

Any idea which service pack / hotfix this vulnerability got fixed ? 

 

My current AEM version is AEM 6.5.21 

 

This jar is embedded as part of com.adobe.cq.dam.cq-scene7-imaging

 

Spring Framework Path Traversal Vulnerability
 Vulnerability Result:

<server-path>/felix/bundle388/version0.1/bundle.jar-embedded/spring-webmvc-5.3.28.jar
<server-path>/felix/bundle388/version0.1/bundle.jar-embedded/spring-webmvc-5.3.28.jar

fixed in 5.3.40, 6.0.24, 6.1.13

Any Suggestions are welcome 

Thanks

Views

221

Replies

3
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
11/13/25 5:14:30 AM

Hello @Prath_AEM ,

 

- The CVE associated with this vulnerability is CVE-2024-38856, fixed by Spring in 5.3.40 and later.

-  From the internal AEM release notes and patch tracking (as per Adobe’s vulnerability fix cadence):

  • The update to Spring WebMVC 5.3.40 is planned for rollout in AEM 6.5.22.0, released around October 2024.
  • This was included in the cumulative updates for several dependencies embedded in Cloud Service and 6.5.x line.
    For 6.5 on-prem, the fix shipped as part of Service Pack 22 (AEM 6.5.22.0).
  • You should upgrade from AEM 6.5.21 -> AEM 6.5.22.0 (Service Pack 22).
  • “AEM 6.5.22.0 Release Notes”: it lists dependency updates including spring-* libraries embedded in several DAM bundles.

View solution in original post

Views

185

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
3 Replies

Avatar

Employee
Employee
11/13/25 4:17:26 AM

Hi @Prath_AEM 

Can you upgrade to the latest version 6.5.23 and give it a try? This looks like is fixed in the latest version.

Views

199

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee Advisor
Employee Advisor
11/13/25 5:14:30 AM

Hello @Prath_AEM ,

 

- The CVE associated with this vulnerability is CVE-2024-38856, fixed by Spring in 5.3.40 and later.

-  From the internal AEM release notes and patch tracking (as per Adobe’s vulnerability fix cadence):

  • The update to Spring WebMVC 5.3.40 is planned for rollout in AEM 6.5.22.0, released around October 2024.
  • This was included in the cumulative updates for several dependencies embedded in Cloud Service and 6.5.x line.
    For 6.5 on-prem, the fix shipped as part of Service Pack 22 (AEM 6.5.22.0).
  • You should upgrade from AEM 6.5.21 -> AEM 6.5.22.0 (Service Pack 22).
  • “AEM 6.5.22.0 Release Notes”: it lists dependency updates including spring-* libraries embedded in several DAM bundles.

Views

186

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Employee Advisor
Employee Advisor
11/13/25 5:57:31 AM
In response to ManviSharma

Hello @Prath_AEM ,

 

If the answer resolves your query, kindly mark It has correct.

 

Thankyou.

 

Happy to help 🙂

Views

167

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
How to build dependency between cq:tags in the metadata schema form?

Views

59

Likes

0

Replies

3
Upgrading to Java 21 for AEM : Baseline MAJOR Error due to META-INF/maven resource change after upgrading bnd from 5.1.2 to 6.4.0

Views

51

Likes

0

Replies

0
AEM Security Vulnerability

Views

61

Likes

0

Replies

0
Aem Login form to authenticate against microsoft entra id

Views

98

Likes

0

Replies

2
Adobe EDS - Does helix-query.yaml in project repository still works?

Views

192

Likes

0

Replies

5