fix(deps): update dependency org.springframework:spring-webmvc to v6 [security] #228
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.3.30.RELEASE
->6.1.13
GitHub Vulnerability Alerts
CVE-2022-22965
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as
Spring4Shell
.Impact
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
spring-webmvc
orspring-webflux
dependencyPatches
Workarounds
For those who are unable to upgrade, leaked reports recommend setting
disallowedFields
onWebDataBinder
through an@ControllerAdvice
. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller setsdisallowedFields
locally through its own@InitBinder
method, which overrides the global setting.To apply the workaround in a more fail-safe way, applications could extend
RequestMappingHandlerAdapter
to update theWebDataBinder
at the end after all other initialization. In order to do that, a Spring Boot application can declare aWebMvcRegistrations
bean (Spring MVC) or aWebFluxRegistrations
bean (Spring WebFlux).CVE-2024-38816
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
However, malicious requests are blocked and rejected when any of the following is true:
CVE-2024-38828
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Release Notes
spring-projects/spring-framework (org.springframework:spring-webmvc)
v6.1.13
Compare Source
⭐ New Features
result
inWebAsyncManager
#33406🐞 Bug Fixes
Rendering
#33498📔 Documentation
-debug
compiler flag in reference manual #33453@ImportResource
in the reference manual #33446@RequestBody
#33409🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@dancer1325, @izeye, and @yfoel
v6.1.12
Compare Source
⭐ New Features
@javax.inject.Named
annotation #33345🐞 Bug Fixes
SimpleEvaluationContext
does not enforce read-only semantics #33319Object[]
when invoking varargs method #33317Indexer
silently ignores failure to set property as index #33310@Scheduled
method in test class not supported anymore #33286@JmsListener
response messages #33221ConversionService
cannot convert primitive array toObject[]
#33212@Cacheable
#33210MethodHandle
function with a primitive array #33198AopUtils
#33045📔 Documentation
RestClient
documentation #33350🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@GoncaloPT, @crusherd, @genuss, @kashike, @ngocnhan-tran1996, @olbinski, @pcvolkmer, @sheip9, @tafjwr, and @underbell
v6.1.11
Compare Source
⭐ New Features
MethodHandle
is notnull
in SpEL'sReflectionHelper
#33193PrematureCloseException
during response #33127getTypeForFactoryMethod
should catchNoClassDefFoundError
#33075🐞 Bug Fixes
MethodHandle
function with an array #33191MethodHandle
function with zero variable arguments #33190java.nio.file.Path
(and plain "." value resolves to classpath root) #33124@Transactional
#33095LocalContainerEntityManagerFactoryBean
initialization fails in case of null bean definition #33082ReactorNettyClientRequest.convertException
should include original exception if cause isnull
#33080Object...
varargs method #33013📔 Documentation
ModelMap
is not a supported argument type in WebFlux #33107InputStreamResource
for content length bypass #33089🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@TAKETODAY, @hunhee98, @imvtsl, @snussbaumer, and @zizare
v6.1.10
Compare Source
⭐ New Features
PersistenceExceptionTranslator
bean retrieval inPersistenceExceptionTranslationInterceptor
on shutdown #33067DisconnectedClientHelper
#33064🐞 Bug Fixes
@Autowired
@Bean
method with@Value
parameter #33030📔 Documentation
❤️ Contributors
Thank you to all the contributors who worked on this release:
@tafjwr
v6.1.9
Compare Source
⭐ New Features
@TenantId
#32967🐞 Bug Fixes
canEncode()
forJAXBElement
inJaxb2XmlEncoder
#32977@Valid
annotations on container elements for handler argument validation not supported #32964StringUtils#cleanPath
#32962@CacheEvict
condition uses wrapper comparison instead of actual objects #32960ReactorResourceFactory
not working with CRaC onRefresh checkpoint #32945Integer
#32908Map
with a primitive #32903@EnableTransactionManagement
(mode = AdviceMode.ASPECTJ) #32882📔 Documentation
RegisterReflectionForBinding
Javadoc #32947MethodValidationPostProcessor
is missing astatic
keyword #32929KotlinDetector.isKotlinType
documentation for Kotlin 2.x lambdas #32905🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Attacktive, @Seungpang, @deblockt, @hlmg, @ozooxo, @soglad, and @ypyf
v6.1.8
Compare Source
⭐ New Features
🐞 Bug Fixes
@DateTimeFormat(iso = DateTimeFormat.ISO.DATE\_TIME)
cannot convert UTC without milliseconds tojava.util.Date
#32856@Configurable
aspect #32838📔 Documentation
❤️ Contributors
Thank you to all the contributors who worked on this release:
@rwinch
v6.1.7
Compare Source
⭐ New Features
@Aspect
classes for Spring AOP proxy usage #32793🐞 Bug Fixes
AnnotationConfigWebApplicationContext
should propagateApplicationStartup
toBeanFactory
#32747PropertiesPropertySource.getPropertyNames()
#32742MergedAnnotations
search does not find container for repeatable annotation #32731ScopedProxyMode.TARGET\_CLASS
and advisors #32669📔 Documentation
ResponseCookie
#32663Flux<T>
return values #32630factory-method
does not always determine correct target type #32091@Order
behavior on types, bean methods, and config classes #30177@Transactional
re-entrant calls) #28299🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@LeMikaelF, @Seungpang, @izeye, @m4tt30c91, @remeio, and @yhao3
v6.1.6
Compare Source
⭐ New Features
JdbcUtils.getResultSetValue
#32601FactoryBean
type matching when usinggetBeanProvider
#32590@RequestParam
binding does not support params with an empty array "[]" suffix #32577Annotation
array cloning inTypeDescriptor
#32476Annotation
array inTypeDescriptor
#32405🐞 Bug Fixes
MethodIntrospector.selectMethods()
fails to detect bridge methods across ApplicationContexts #32586CompoundExpression
omits null-safe syntax in AST string representation of null-safe selection/projection in SpEL #32515FactoryBean
class not autowired in case oftargetType
mismatch #32489HeaderContentNegotiationStrategy.resolveMediaTypes()
throws unexpectedInvalidMimeTypeException
#32483📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Banuelorigni, @LinorDolev, @T45K, @izeye, @kilink, @quaff, and @qww1552
v6.1.5
Compare Source
⭐ New Features
ServletServerHttpResponse
#32361\*HttpMessageConverter#getContentLength
return value null safety #32325🐞 Bug Fixes
boolean
array #32400@Cacheable
#32370ServletResponseHttpHeaders#get
null handling #32362#root
or#this
is a non-public type #32356value class
parameters #32353constructor-impl
of Kotlinvalue class
is not called #32324HHH-17643
#32311📔 Documentation
@Sql
execution phases regarding lifecycle #32343TransactionAspectSupport.currentTransactionStatus().transactionName
#32310@RequestScope
and similar use cases) #32287userDestinationPrefix
inMessageBrokerRegistry
#32272🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@Xednar, @ZeroCyan, @bsgrd, @ddaaac, @kilink, @qeeqez, and @quaff
v6.1.4
Compare Source
⭐ New Features
SpelMessage.INCORRECT\_NUMBER\_OF\_ARGUMENTS\_TO\_FUNCTION
#32239NonReactiveHandlerMethodPredicate
#32227phase
value configurable in STOMP message handling components #32205BeanPropertyRowMapper
subclasses customize mapped names #32199JdbcClient
#32161@FunctionalInterface
#32135SimpleJdbcInsert
with catalog name #32124MapPropertySource
forDynamicValuesPropertySource
implementation (as a template for custom variants) #32110validationGroups
every time the calConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.