fix(deps): update spring.version [security] (major) #399
This PR contains the following updates:
4.3.30.RELEASE -> 6.0.0
4.3.30.RELEASE -> 6.1.14
4.3.30.RELEASE -> 5.2.22.RELEASE
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2016-1000027
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Versions 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecates the impacted classes and version 6.0.0 removes them entirely.
CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
CVE-2024-22262
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
CVE-2024-38809
Description
Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to a DoS attack.
Affected Spring Products and Versions
org.springframework:spring-web in versions
6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37
Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.
CVE-2022-22968
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.
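The CVE-2024-38809 mitigation for unsupported versions above ("enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter") sketched as a servlet filter. This is an added example, not code from the advisory or from Spring; the 4096-character limit, the 431 status and the class name are assumptions, and it targets the javax.servlet API used by the 5.x line.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Rejects requests whose If-Match / If-None-Match headers exceed a fixed size before any
// ETag parsing in spring-web runs. Limit and status code are assumptions, not advisory values.
public class ConditionalHeaderSizeFilter extends OncePerRequestFilter {

    private static final int MAX_CHARS_PER_HEADER = 4096;               // assumption: tune to your ETag sizes
    private static final String[] GUARDED = {"If-Match", "If-None-Match"};
    private static final int SC_REQUEST_HEADER_FIELDS_TOO_LARGE = 431;  // RFC 6585, not a servlet-API constant

    // Sum every occurrence: HTTP allows a header to be repeated, and each copy is parsed.
    static int headerChars(HttpServletRequest request, String name) {
        Enumeration<String> values = request.getHeaders(name);
        if (values == null) {            // container may deny header access
            return 0;
        }
        int total = 0;
        for (String value : Collections.list(values)) {
            total += value.length();
        }
        return total;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        for (String name : GUARDED) {
            if (headerChars(request, name) > MAX_CHARS_PER_HEADER) {
                // Fail closed: the oversized header never reaches the ETag parser.
                response.sendError(SC_REQUEST_HEADER_FIELDS_TOO_LARGE, name + " header too large");
                return;
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it as a `@Component` or through a `FilterRegistrationBean` so it runs ahead of the `DispatcherServlet`.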
CVE-2024-38820
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale-dependent exceptions that could potentially result in fields not being protected as expected.
CVE-2022-22965
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.
Impact
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
spring-webmvc or spring-webflux dependency
Patches
Workarounds
For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, it may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.
To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).
CVE-2022-22970
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Release Notes
spring-projects/spring-framework (org.springframework:spring-web)
v6.0.0
See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.
⭐ New Features
📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release: @ophiuhus and @wilkinsona
v5.3.39
⭐ New Features
v5.3.38
⭐ New Features
🐞 Bug Fixes
SimpleEvaluationContext does not enforce read-only semantics #33320
ConversionService cannot convert primitive array to Object[] #33314
Indexer silently ignores failure to set property as index #33312
java.nio.file.Path (and plain "." value resolves to classpath root) #33140
📔 Documentation
🔨 Dependency Upgrades
v5.3.37
⭐ New Features
🐞 Bug Fixes
Map with a primitive #32911
Integer #32909
@EnableTransactionManagement (mode = AdviceMode.ASPECTJ) #32885
🔨 Dependency Upgrades
v5.3.36
🐞 Bug Fixes
@DateTimeFormat(iso = DateTimeFormat.ISO.DATE_TIME) cannot convert UTC without milliseconds to java.util.Date #32860
@Configurable aspect #32840
v5.3.35
⭐ New Features
@Aspect classes for Spring AOP proxy usage #32818
🐞 Bug Fixes
MergedAnnotations search does not find container for repeatable annotation #32751
AnnotationConfigWebApplicationContext should propagate ApplicationStartup to BeanFactory #32749
PropertiesPropertySource.getPropertyNames() #32744
📔 Documentation
ResponseCookie #32668
🔨 Dependency Upgrades
v5.3.34
⭐ New Features
JdbcUtils.getResultSetValue #32603
Annotation array cloning in TypeDescriptor #32477
Annotation array in TypeDescriptor #32466
🐞 Bug Fixes
MethodIntrospector.selectMethods() fails to detect bridge methods across ApplicationContexts #32588
🔨 Dependency Upgrades
v5.3.33
⭐ New Features
*HttpMessageConverter#getContentLength return value null safety #32332
🐞 Bug Fixes
📔 Documentation
5.3.x Spring Framework Javadoc #32414
🔨 Dependency Upgrades
v5.3.32
⭐ New Features
🐞 Bug Fixes
MergedAnnotations finds duplicate annotations on method in multi-level interface hierarchy #31825
Query.scroll() in SharedEntityManagerCreator's queryTerminatingMethods set #31684
equals method (for ConversionService caching) #31674
📔 Documentation
🔨 Dependency Upgrades
v5.3.31
⭐ New Features
Log4jLog needs to re-resolve ExtendedLogger on deserialization (for compatibility with Log4J 2.21) #31583
🐞 Bug Fixes
@Nullable #31611
PathMatchingResourcePatternResolver on MS Windows #31603
SqlOutParameter #31560
BeanCopier falls back to ClassLoader.defineClass for public target #31436
HibernateJpaDialect and HibernateExceptionTranslator throw SQLExceptionTranslator-provided exception instead of returning it #31410
NamedParameterJdbcTemplate throws unexpected exception for null query #31394
LazyResolutionMessage does not implement proper toString #31385
ContextOverridingClassLoader.isEligibleForOverriding #31233
📔 Documentation
@Transactional on interfaces #31401
@Bean method in a @Configuration class' @PostConstruct method leads to circular reference #31339
🔨 Dependency Upgrades
v5.3.30
⭐ New Features
ClassUtils#getMostSpecificMethod #31100
StringUtils #31069
PayloadMethodArgumentResolver #31056
ReactiveAdapterRegistry #31048
@Autowired methods on same bean class #30994
🐞 Bug Fixes
LogFactory implementation deviates from original Apache LogFactory in terms of abstract method declarations #31167
nullSafeConciseToString() invoking isEmpty() on a Map/Collection proxy #31156
@DynamicPropertySource in @Nested test class cannot override dynamic properties from enclosing class #31085
TransactionalApplicationListenerMethodAdapter should find @TransactionalEventListener on target class method #31037
ClassInfo caching in java.beans.Introspector on JDK 11/17 #31005
MethodIntrospector.selectMethods(?) fails to find methods in case of special bridge method arrangement #30907
📔 Documentation
ConnectionAccessor and DatabasePopulator exception declarations #30933
@PostConstruct through SmartInitializingSingleton or ContextRefreshedEvent #30889
v5.3.29
⭐ New Features
JdbcTemplate does not call handleWarnings in case of exception #30852
AnnotationUtils.isCandidateClass call with null as annotation type #30843
DefaultSingletonBeanRegistry.isDependent() #30841
ObjectUtils.nullSafeConciseToString() #30811
ObjectUtils.nullSafeConciseToString() #30806
ResolvableType.hasUnresolvableGenerics() should cache its result #30715
LogFactory contains all public methods from Apache LogFactory #30711
🐞 Bug Fixes
toString() in FieldError #30800
@TransactionalEventListener #30784
Jackson2ObjectMapperBuilder breaks when modules customizer follows modulesToInstall #30752
📔 Documentation
ReactiveTransactionManager exception declarations #30819
JdbcTransactionManager vs DataSourceTransactionManager #30814
🔨 Dependency Upgrades
v5.3.28
⭐ New Features
@Nullable #30672
Environment.matchesProfiles() for profile expressions #30226
🐞 Bug Fixes
@Bean method that returns null, @Autowired injects NullBean instead of null for cached arguments #30551
📔 Documentation
@Scheduled attributes support SpEL expressions #30642
🔨 Dependency Upgrades
v5.3.27
⭐ New Features
StringUtils.truncate() #30291
ObjectUtils.nullSafeConciseToString() #30287
HttpComponentsHeadersAdapter#getFirst nullable #30269
🐞 Bug Fixes
AbstractMessageWriterResultHandler #30215
SharedEntityManagerCreator #30164
📔 Documentation
@PathVariable reference documentation code snippets #30258
@EnableWebSocket #30187
🔨 Dependency Upgrades
v5.3.26
⭐ New Features
matches operator #30145
matches operator #30141
@Nullable annotations to LogMessage.format methods #30009
MockMvc.multipart() Kotlin extensions with HttpMethod #29941
@JmsListener subscription #29902
SharedEntityManagerCreator's queryTerminatingMethods set #29888
DatabaseClient is eagerly invoked #29887
Jackson2ObjectMapperBuilder#configureFeature exception handling #29860
🐞 Bug Fixes
java.lang.Object on a JDK proxy #30118
forwarding-header-strategy=native or cloud platform detected #29974
Jetty10RequestUpgradeStrategy #29256
📔 Documentation
@AspectJ argument name resolution algorithm is outdated in reference manual #30057
@Bean method return type for equivalence with XML example #29970
@DynamicPropertySource examples regarding changes in Testcontainers #29940
primitivesDefaultedForNullValue in BeanPropertyRowMapper #29926
DataClassRowMapper supports Java records #29922
🔨 Dependency Upgrades
v5.3.25
⭐ New Features
🐞 Bug Fixes
ConstructorReference does not generate AST representation of arrays #29666
String literal (and vice versa) #29653
WebMvcConfigurationSupport should not catch Throwable for SourceHttpMessageConverter #29537
📔 Documentation
🔨 Dependency Upgrades
v5.3.24
⭐ New Features
null WebSocket session attributes #29315
🐞 Bug Fixes
📔 Documentation
webjars-locator-core dependency #29322
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.3.23
⭐ New Features
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.