security(deps): update 🛡️ org.springframework:spring-web to v6.0.19 [security] - autoclosed #48
This PR contains the following updates: org.springframework:spring-web 6.0.11 -> 6.0.19
GitHub Vulnerability Alerts

CVE-2024-22243
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.

CVE-2024-22259
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

Spring Web vulnerable to Open Redirect or Server Side Request Forgery
CVE-2024-22243 / GHSA-ccgv-vj62-xf9h
Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Spring Framework URL Parsing with Host Validation Vulnerability
CVE-2024-22259 / GHSA-hgjh-9rj2-g67j
Details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Spring Framework URL Parsing with Host Validation
CVE-2024-22262 / GHSA-2wrp-6fg6-hmc5
Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
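The three advisories above all describe the same application pattern: an externally supplied URL is parsed with UriComponentsBuilder, the parsed host is checked, and the URL is then used for a redirect or an outbound request. The fix is the version upgrade this PR performs; the example below is added here (it is not code from this PR, from Renovate, or from the Spring project) to show what that validation step looks like when written defensively, so that a reviewer can recognise the pattern in an application and check that it has the properties that limit the blast radius of a parser bug: an explicit host allow-list, a scheme check, rejection of userinfo in the authority, a cross-check of the host against a second parser (java.net.URI), and use of the URI rebuilt from the validated components rather than the raw input string. The class name, the allow-list contents and the sample inputs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * Added example, not part of the PR or of Spring Framework: the "parse an
 * external URL, then validate its host" pattern from the advisories, written
 * so that the value that is validated is the value that is used.
 */
public final class RedirectTargetValidator {

    // Constructed allow-list of hosts this application may redirect or connect to.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("app.example.com", "www.example.com");

    private RedirectTargetValidator() {}

    /**
     * Returns the validated target, or empty if the input must be rejected.
     * Callers use only the returned URI, never the original string.
     */
    public static Optional<URI> validate(String externalUrl) {
        if (externalUrl == null || externalUrl.isBlank()) {
            return Optional.empty();
        }
        UriComponents components;
        try {
            components = UriComponentsBuilder.fromUriString(externalUrl).build();
        } catch (IllegalArgumentException e) {
            // Input that UriComponentsBuilder refuses to parse is rejected outright.
            return Optional.empty();
        }
        String scheme = components.getScheme();
        String host = components.getHost();
        // Require an absolute https URL with a non-empty host and no userinfo,
        // so that nothing else in the authority component can stand in for the host.
        if (!"https".equalsIgnoreCase(scheme) || host == null || host.isEmpty()
                || components.getUserInfo() != null) {
            return Optional.empty();
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        // Cross-check with the JDK parser: if two parsers disagree about the host,
        // the input is ambiguous and is rejected rather than trusted.
        try {
            URI jdkView = new URI(externalUrl);
            if (jdkView.getHost() == null || !host.equalsIgnoreCase(jdkView.getHost())) {
                return Optional.empty();
            }
        } catch (URISyntaxException e) {
            return Optional.empty();
        }
        // Hand back the URI rebuilt from the validated components, not the raw string.
        return Optional.of(components.toUri());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one allowed target, one foreign host,
        // one wrong scheme, one with userinfo in the authority.
        String[] samples = {
            "https://app.example.com/dashboard?tab=1",
            "https://other.example.net/",
            "http://app.example.com/",
            "https://user@app.example.com/"
        };
        for (String s : samples) {
            System.out.println(s + " -> "
                    + validate(s).map(URI::toString).orElse("REJECTED"));
        }
    }
}
```

The cross-check against java.net.URI is a hardening measure, not a substitute for the upgrade: it makes the application reject inputs on which the two parsers disagree about the host, which is the situation the advisories describe, but it does not repair the parser itself. Note also that the allow-list is matched on the exact host string after lower-casing; matching by suffix or substring would be a weaker check.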
Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.0.19

v6.0.18

v6.0.17
⭐ New Features
🐞 Bug Fixes
- @JsonDeserialize(builder = ...) does not work in GraalVM native image #32257
- ExecutorService Bean type #32017
📔 Documentation
🔨 Dependency Upgrades
v6.0.16
⭐ New Features
🐞 Bug Fixes
- @Async does not support Unit? return type #31891
- StringDecoder when splitting input by delimiters. #31859
📔 Documentation
- ContentRequestMatchers#multipartData Javadoc #31989
🔨 Dependency Upgrades
v6.0.15
⭐ New Features
- StreamUtils.copy(String) #31631
🐞 Bug Fixes
- <replaced-method /> unnecessarily requires explicit arg-type since 6.0 #31828
- MergedAnnotations finds duplicate annotations on method in multi-level interface hierarchy #31824
- MimeTypeUtils.sortBySpecificity() #31773
- Query.scroll() in SharedEntityManagerCreator's queryTerminatingMethods set #31683
- equals method (for ConversionService caching) #31673
- <jee:local-slsb> no longer works with a business-interface attribute #31630
- PathResourceResolver.getResource() does not log warning if Resource#getURL() throws exception #31624
📔 Documentation
- @ModelAttribute is required for reflection hints inference #31767
🔨 Dependency Upgrades
v6.0.14
⭐ New Features
- Log4jLog needs to re-resolve ExtendedLogger on deserialization (for compatibility with Log4J 2.21) #31582
- StandardTypeLocator for hotspot when the same classes are resolved #31579
- properties setter to ProblemDetail #31430
🐞 Bug Fixes
- @Nullable #31610
- PathMatchingResourcePatternResolver on MS Windows #31598
- NamedParameterUtils broken parsing related to square brackets #31596
- SqlOutParameter #31550
- MultiValueMap when no matrix variables are provided #31483
- ProxyFactoryBean declaration may lead to unexpected non-fatal "FactoryBean threw exception from getObjectType" stacktrace output #31473
- @Value in compact constructor of a record should not register method injection #31433
- BeanCopier falls back to ClassLoader.defineClass for public target #28699
📔 Documentation
- pertypewithin is supported by Spring AOP #25887
- PropertyPlaceholderConfigurers [SPR-9989] #14623
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@CrotchBurnt, @GVictorG7, @PiotrFLEURY, @baratrax, @bernie-schelberg-invicara, @huyachigege, @izeye, @lorenzsimon, @martin-lukas, and @rwinch
v6.0.13
⭐ New Features
- UnknownContentTypeException is not Serializable #31283
- FastClass in CGLIB class names for @Configuration classes #31272
🐞 Bug Fixes
- HibernateJpaDialect and HibernateExceptionTranslator throw SQLExceptionTranslator-provided exception instead of returning it #31409
- NamedParameterJdbcTemplate throws unexpected exception for null query #31391
- @RequestBody #31327
- CompoundExpression.toStringAST() omits ? for null-safe navigation #31326
- ConcurrentLruCache no longer supports capacity = 0 #31317
- @Bean method #31242
- ContextOverridingClassLoader.isEligibleForOverriding #31232
- void method invocation #27421
- LazyResolutionMessage does not implement proper toString #21265
📔 Documentation
- conversionService field in doc example #31330
- BeanPropertyRowMapper.getColumnValue(ResultSet, int, Class) is inconsistent with code #29285
- @Bean method in a @Configuration class' @PostConstruct method leads to circular reference #27876
- @Transactional on interfaces #23538
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@jihuayu and @wfouche
v6.0.12
⭐ New Features
- @Scheduled(fixedDelay = Long.MAX_VALUE, timeUnit = TimeUnit.MINUTES) #31210
- PathMatchingResourcePatternResolver #31111
- @Nullable to argValue in doSetValue() in Argument[Type]PreparedStatementSetter #31086
- StringUtils #31067
- ReactiveAdapterRegistry #31047
- DefaultListableBeanFactory#getBeanNamesForType does not take target type into account for FactoryBean resolution #30987
- spring-core access to org.jboss.vfs for VfsUtils support on WildFly #30973
- readNBytes in StringHttpMessageConverter when contentLength is available #30942
- DefaultGenerationContext(DefaultGenerationContext, String) constructor protected #30895
- @Nullable annotations in AbstractResourceResolver subclasses in Spring MVC #30893
- @Autowired methods on same bean class #30359
- ClassUtils#getMostSpecificMethod #30272
- @PropertySource(ignoreResourceNotFound) support #22276
- PayloadMethodArgumentResolver #21852
🐞 Bug Fixes
- WebClientResponseException.getResponseBodyAs throws exception instead of returning null for empty body #31179
- LogFactory implementation deviates from original Apache LogFactory in terms of abstract method declarations #31166
- nullSafeConciseToString() invoking isEmpty() on a Map/Collection proxy #31138
- @DynamicPropertySource in @Nested test class cannot override dynamic properties from enclosing class #31083
- TransactionalApplicationListenerMethodAdapter should find @TransactionalEventListener on target class method #31034
- MethodIntrospector.selectMethods(?) fails to find methods in case of special bridge method arrangement #30906
- @ModelAttribute annotated methods not working with kotlin suspend methods #30894
- ClassInfo caching in java.beans.Introspector on JDK 11/17 #27781
- PropertySourcesPlaceholderConfigurer subclass to customize PropertyResolver #26761
📔 Documentation
- NoSuchElementException #31189
- @Transactional on package-private/protected methods for class-based proxies #31057
- Any to be a nullable type in AOP refdoc examples #31015
- PathPatternParser.defaultInstance is outdated #30976
- ConnectionAccessor and DatabasePopulator exception declarations #30932
- name attribute in @PropertySource #30195
- ApplicationEventMulticaster used by the ApplicationContext #29996
- FilePatternResourceHintsRegistrar API and improve documentation #29161
- T() operator not able to locate user types with default StandardTypeLocator configuration #26253
- @PostConstruct through SmartInitializingSingleton or ContextRefreshedEvent #25074
- @Scheduled annotations #23959
- @ManagedResource [SPR-17139] #21676
- @PersistenceContext injection points in general) [SPR-10443] #15076
🔨 Dependency Upgrades
❤️ Contributors
Thank you to all the contributors who worked on this release:
@1zg12, @aahlenst, @christophejan, @gnagy, @izeye, @jongwooo, @kilink, @marschall, @michaldo, @perlun, @pstrsr, @quaff, @remeio, @rwinch, @shin-mallang, and @zakaria-shahen
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.