fix(deps): update dependency org.springframework:spring-beans to v5 [security] #236
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.3.30.RELEASE
->5.2.22.RELEASE
GitHub Vulnerability Alerts
CVE-2022-22965
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as
Spring4Shell
.Impact
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
spring-webmvc
orspring-webflux
dependencyPatches
Workarounds
For those who are unable to upgrade, leaked reports recommend setting
disallowedFields
onWebDataBinder
through an@ControllerAdvice
. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller setsdisallowedFields
locally through its own@InitBinder
method, which overrides the global setting.To apply the workaround in a more fail-safe way, applications could extend
RequestMappingHandlerAdapter
to update theWebDataBinder
at the end after all other initialization. In order to do that, a Spring Boot application can declare aWebMvcRegistrations
bean (Spring MVC) or aWebFluxRegistrations
bean (Spring WebFlux).CVE-2022-22970
In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Release Notes
spring-projects/spring-framework (org.springframework:spring-beans)
v5.2.22.RELEASE
Compare Source
⭐ New Features
🐞 Bug Fixes
v5.2.21.RELEASE
Compare Source
⭐ New Features
🐞 Bug Fixes
v5.2.20.RELEASE
Compare Source
⭐ New Features
v5.2.19.RELEASE
Compare Source
⭐ New Features
🐞 Bug Fixes
📔 Documentation
🔨 Dependency Upgrades
v5.2.18.RELEASE
Compare Source
⭐ New Features
🐞 Bug Fixes
🔨 Dependency Upgrades
v5.2.17.RELEASE
Compare Source
⭐ New Features
🐞 Bug Fixes
📔 Documentation
prepareTestInstance()
is invoked when using theSpringMethodRule
#27312🔨 Dependency Upgrades
v5.2.16.RELEASE
Compare Source
⭐ New Features
🪲 Bug Fixes
📔 Documentation
@Transactional
examples regarding method visibility #27005@Transactional
docs regarding method visibility #27004@TransactionalEventListener
after completion methods #26979🔨 Dependency Upgrades
v5.2.15.RELEASE
Compare Source
⭐ New Features
🪲 Bug Fixes
@ModelAttribute(binding=false)
is not honored with WebFlux #26888📔 Documentation
🔨 Dependency Upgrades
v5.2.14.RELEASE
Compare Source
⭐ New Features
🪲 Bug Fixes
@DirtiesContext
not applied when class-level@EnabledIf
evaluates to false #26697@CrossOrigin
maxAge value should override global value #26620@Component
#26584🔨 Dependency Upgrades
v5.2.13.RELEASE
Compare Source
⭐ New Features
🪲 Bug Fixes
@Nullable
value but throws NullPointerException #26277📔 Documentation
🔨 Dependency Upgrades
v5.2.12.RELEASE
Compare Source
⭐ New Features
🪲 Bug Fixes
📔 Documentation
@Transactional
does not propagate to new threads #26102🔨 Dependency Upgrades
v5.2.11.RELEASE
Compare Source
⭐ New Features
🪲 Bug Fixes
📔 Documentation
v5.2.10.RELEASE
Compare Source
⭐ New Features
@RequestPart
multipart controllers with Servlet MockPart #25829🪲 Bug Fixes
@ActiveProfiles
with same profiles but different order results in duplicate ApplicationContext #25973📔 Documentation
🔨 Dependency Upgrades
v5.2.9.RELEASE
Compare Source
⭐ New Features
@FunctionalInterface
#25571🪲 Bug Fixes
@RestControllerAdvice
annotation attributes #25520@Bean
method with name mismatch causes bean to be created twice (in case of ASM processing) #25263📔 Documentation
@RestController
and Webflux #25596@Bean
javadoc and ConfigurationClassEnhancer #25590@RequestMapping
#params #25482🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.2.8.RELEASE
Compare Source
⭐ New Features
🪲 Bug fixes
📔 Documentation
🔨 Dependency upgrades
❤️ Contributors
We’d like to thank all the contributors who worked on our current release!
v5.2.7.RELEASE
Compare Source
⭐ New Features
@Aspect
#25186🪲 Bug Fixes
📔 Documentation
@Lookup
annotation #25044@PathVariable
declarations in examples in webmvc.adoc #25006🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v5.2.6.RELEASE
Compare Source
⭐ New Features
@Nullable
#24839🪲 Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.