Data quality issue with CVE-2024-38828

[Iandmee]

The CVE ID
https://osv.dev/vulnerability/CVE-2024-38828

Describe the data quality issue observed
If retrieve this issue by https://api.osv.dev/v1/vulns/GHSA-w3c8-7r8f-9jp8 you will receive versions e.g 6.1.13, 6.1.14 as affected. On the same page, you can see, that the affected range for org.springframework:spring-webmvc is actually >= 5.3.0 < 5.3.41.
According to the Spring framework the affected range is also >= 5.3.0 < 5.3.41.

Suggested changes to record
Fix affected versions here https://osv.dev/vulnerability/GHSA-w3c8-7r8f-9jp8 from 5.* and 6.* to the range >= 5.3.0 < 5.3.41

[github-actions]

✨ Thank you for your interest in OSV.dev's data quality! ✨

Please review our FAQ entry on how to most efficiently have this addressed.

[hogo6002]

Hi @Iandmee, thanks for reporting!

If retrieve this issue by https://api.osv.dev/v1/vulns/GHSA-w3c8-7r8f-9jp8 you will receive versions e.g 6.1.13, 6.1.14 as affected.

I think upstream just updated this record. Before, it didn't have the fixed version, so OSV marked all versions after the introduced version as affected. But they recently added the fixed version, so I will mark this issue as resolved.

Also, just so you know, OSV doesn't actually own the GHSA records, so upstream has to make the changes to fix them. If you see something like this again, it's best to report it to the upstream people who produce the records. Once they update it, OSV will automatically reimport the changes.