
Missing data for org.springframework/spring-web@5.3.38 (CRITICAL + MEDIUM) #3061

Closed
vmulas opened this issue Jan 18, 2025 · 3 comments
Labels
bug Something isn't working

Comments

@vmulas

vmulas commented Jan 18, 2025

Describe the bug
OSV doesn't return any vulnerability for the following component:

org.springframework/spring-web@5.3.38

One of the vulnerabilities is CRITICAL (CVE-2016-1000027), score 9.8.

To Reproduce
Steps to reproduce the behaviour:
OSV query (Missing data):

curl -s -X POST https://api.osv.dev/v1/query -H "Content-Type: application/json" -d '{
  "package": {
    "purl": "pkg:maven/org.springframework/spring-web@5.3.38?type=jar"
  }
}' | jq .

{}

OSS Index query (Correct data):

curl -s https://ossindex.sonatype.org/api/v3/component-report/pkg:maven/org.springframework/spring-web@5.3.38 | jq .

{
  "coordinates": "pkg:maven/org.springframework/spring-web@5.3.38",
  "description": "",
  "reference": "https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-web@5.3.38?utm_source=curl&utm_medium=integration&utm_content=8.7.1",
  "vulnerabilities": [
    {
      "id": "CVE-2016-1000027",
      "displayName": "CVE-2016-1000027",
      "title": "[CVE-2016-1000027] CWE-502: Deserialization of Untrusted Data",
      "description": "Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.",
      "cvssScore": 9.8,
      "cvssVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "cwe": "CWE-502",
      "cve": "CVE-2016-1000027",
      "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2016-1000027?component-type=maven&component-name=org.springframework%2Fspring-web&utm_source=curl&utm_medium=integration&utm_content=8.7.1",
      "externalReferences": [
        "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027",
        "https://github.com/spring-projects/spring-framework/issues/24434",
        "https://blog.gypsyengineer.com/en/security/detecting-dangerous-spring-exporters-with-codeql.html",
        "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027",
        "https://www.tenable.com/security/research/tra-2016-20"
      ]
    },
    {
      "id": "CVE-2024-38828",
      "displayName": "CVE-2024-38828",
      "title": "[CVE-2024-38828] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')",
      "description": "Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.",
      "cvssScore": 6.9,
      "cvssVector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "cwe": "CWE-400",
      "cve": "CVE-2024-38828",
      "reference": "https://ossindex.sonatype.org/vulnerability/CVE-2024-38828?component-type=maven&component-name=org.springframework%2Fspring-web&utm_source=curl&utm_medium=integration&utm_content=8.7.1",
      "externalReferences": [
        "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-38828",
        "https://spring.io/blog/2024/11/15/spring-framework-cve-2024-38828-published",
        "https://spring.io/security/cve-2024-38828"
      ]
    }
  ],
  "sonatypeOssiScore": 9.9
}

Additional context
https://ossindex.sonatype.org/component/pkg:maven/org.springframework/spring-web@5.3.38?utm_source=curl&utm_medium=integration&utm_content=8.7.1

@oliverchang oliverchang added the bug Something isn't working label Jan 19, 2025
@oliverchang
Collaborator

oliverchang commented Jan 19, 2025

Thanks for the report!

We do have this advisory in https://osv.dev/vulnerability/GHSA-4wrc-f8pq-fpqp

It looks like we missed the "5.3.38" version somehow in our version enumeration, leading to your query not returning any results. We've now fixed this particular entry, so your query now returns the expected result:

curl -s -X POST https://api.osv.dev/v1/query -H "Content-Type: application/json" -d '{
  "package": {
    "purl": "pkg:maven/org.springframework/spring-web@5.3.38?type=jar"
  }
}' | jq .

{
  "vulns": [
    {
      "id": "GHSA-4wrc-f8pq-fpqp",
...

@hogo6002 Should we look at doing range queries for all ecosystems on OSV to fix these issues completely?

oliverchang added a commit that referenced this issue Jan 19, 2025
This only works for github sources for now.

Did in response to #3061.
@hogo6002
Contributor

hogo6002 commented Jan 19, 2025

Should we look at doing range queries for all ecosystems on OSV to fix these issues completely?

We can switch all non-semver ecosystems first to use range queries (except Ubuntu, as we get enumerated versions from upstream which should be more reliable, plus we have a large number of records there).

I will create a different issue to track this

@hogo6002
Contributor

Issue tracking for range queries: #3063
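The failure mode discussed in this thread (a version missing from an advisory's enumerated version list, so a purl query returns nothing even though the release sits inside the affected range) can be reproduced offline. The following is an added example, not OSV's own matcher or any code from this issue: it parses a Maven purl the way the queries above are written, then evaluates one constructed advisory both by enumerated-version lookup and by walking its OSV-style ECOSYSTEM range events with a simplified Maven version comparison. The advisory record, its `EXAMPLE-0001` id, its `introduced`/`fixed` values and its truncated `versions` list are all hypothetical and are not the real GHSA-4wrc-f8pq-fpqp data.

```python
"""Added example (not OSV's code): enumerated-version lookup vs range evaluation.

An OSV advisory for Maven carries `affected[].ranges[]` of type ECOSYSTEM with
`introduced`/`fixed` (or `last_affected`) events, and may also carry a
`versions` list enumerated from that range. A matcher that consults only the
enumerated list silently misses any release that was never enumerated; a
matcher that evaluates the range catches it. The advisory below is constructed
for this demonstration and its ranges are hypothetical.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed advisory: hypothetical id and ranges, not a real OSV record.
# The enumerated `versions` list deliberately stops short of 5.3.38.
CONSTRUCTED_ADVISORY = {
    "id": "EXAMPLE-0001",
    "affected": [
        {
            "package": {"ecosystem": "Maven", "name": "org.springframework:spring-web"},
            "ranges": [
                {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "6.0.0"}]}
            ],
            "versions": ["5.3.35", "5.3.36", "5.3.37"],
        }
    ],
}

_RELEASE_QUALIFIERS = {"", "ga", "final", "release"}


def parse_maven_purl(purl: str) -> tuple[str, str]:
    """Return (OSV package name, version) for a purl such as
    pkg:maven/org.springframework/spring-web@5.3.38?type=jar.
    OSV names Maven packages as groupId:artifactId."""
    m = re.match(r"^pkg:maven/([^/@?#]+)/([^/@?#]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"not a Maven purl with a version: {purl!r}")
    namespace, name, version = (unquote(p) for p in m.groups())
    return f"{namespace}:{name}", version


def maven_version_key(version: str) -> tuple:
    """Sort key for the common Maven version shapes (5.3.38, 5.3, 5.3.38-RC1,
    5.3.38.RELEASE). Numeric segments compare numerically, trailing zeros are
    insignificant (5.3 == 5.3.0), and a pre-release qualifier sorts before the
    bare release. This is a simplification of Maven's ComparableVersion rules."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[.-](.*))?$", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    qualifier = (m.group(2) or "").lower()
    is_release = 1 if qualifier in _RELEASE_QUALIFIERS else 0
    return (nums, is_release, "" if is_release else qualifier)


def _event_key(event: dict) -> tuple:
    return maven_version_key(next(iter(event.values())))


def in_range(version: str, events: list[dict]) -> bool:
    """Evaluate OSV ECOSYSTEM range events: walk them in version order and
    toggle the affected state, so the final state is the answer for `version`."""
    key = maven_version_key(version)
    affected = False
    for ev in sorted(events, key=_event_key):
        if "introduced" in ev and maven_version_key(ev["introduced"]) <= key:
            affected = True
        elif "fixed" in ev and maven_version_key(ev["fixed"]) <= key:
            affected = False
        elif "last_affected" in ev and maven_version_key(ev["last_affected"]) < key:
            affected = False
    return affected


def affected_by_enumeration(advisory: dict, name: str, version: str) -> bool:
    """Match only against the enumerated `versions` list (the path that missed 5.3.38)."""
    return any(
        aff["package"]["name"] == name and version in aff.get("versions", [])
        for aff in advisory["affected"]
    )


def affected_by_range(advisory: dict, name: str, version: str) -> bool:
    """Match by evaluating the advisory's ECOSYSTEM ranges instead of a version list."""
    for aff in advisory["affected"]:
        if aff["package"]["name"] != name:
            continue
        for rng in aff.get("ranges", []):
            if rng["type"] == "ECOSYSTEM" and in_range(version, rng["events"]):
                return True
    return False


if __name__ == "__main__":
    purl = "pkg:maven/org.springframework/spring-web@5.3.38?type=jar"
    name, version = parse_maven_purl(purl)
    print("enumeration:", affected_by_enumeration(CONSTRUCTED_ADVISORY, name, version))
    print("range:      ", affected_by_range(CONSTRUCTED_ADVISORY, name, version))
```

Running the script shows `enumeration: False` and `range: True` for the same purl and the same advisory, which is exactly the discrepancy reported above: the data was present, but a lookup keyed on an incomplete version list could not see it. The version comparison is deliberately narrow; a production matcher for Maven needs the full ComparableVersion qualifier ordering (alpha, beta, milestone, rc, snapshot, and so on).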
