Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security(deps): update 🛡️ org.springframework:spring-web to v6.0.19 [security] - autoclosed #48

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 25, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.springframework:spring-web 6.0.11 -> 6.0.19 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-22243

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.

CVE-2024-22259

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.


Spring Web vulnerable to Open Redirect or Server Side Request Forgery

CVE-2024-22243 / GHSA-ccgv-vj62-xf9h

More information

Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Spring Framework URL Parsing with Host Validation Vulnerability

CVE-2024-22259 / GHSA-hgjh-9rj2-g67j

More information

Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Spring Framework URL Parsing with Host Validation

CVE-2024-22262 / GHSA-2wrp-6fg6-hmc5

More information

Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.0.19

Compare Source

v6.0.18

Compare Source

v6.0.17

Compare Source

⭐ New Features
  • RouterFunctionMapping does not implement MatchableHandlerMapping #​32222
  • Optimize Map methods in ServletAttributesMap #​32197
🐞 Bug Fixes
  • @JsonDeserialize(builder = ...) does not work in GraalVM native image #​32257
  • Consistent parsing of user information in UriComponentsBuilder #​32246
  • "IllegalStateException: Cannot call sendError() after the response has been committed" when IOException is thrown during resolving method argument values on Tomcat >= 10.1.16 #​32207
  • Cannot process AOT when spring-orm is on the classpath without JPA #​32160
  • QualifierAnnotationAutowireCandidateResolver.checkQualifier does identity checks when comparing arrays used as qualifier fields #​32107
  • Guard against multiple body subscriptions in Jetty and JDK reactive responses #​32102
  • Exceptions thrown by custom error handlers are not recorded in RestTemplate observations #​32063
  • Static resources caching issues with ShallowEtagHeaderFilter and Jetty caching directives #​32050
  • ChannelSendOperator.WriteBarrier race condition in request(long) method leads to response being dropped #​32020
  • Destroy method not found in Native image for ExecutorService Bean type #​32017
📔 Documentation
  • Update basics.adoc #​32151
  • Document cron-vs-quartz parsing convention for dayOfWeek part in CronExpression #​32130
🔨 Dependency Upgrades

v6.0.16

Compare Source

⭐ New Features

  • Exclude URI query from remaining WebClient checkpoints #​32001
  • Add CORS support for Private Network Access #​31975
  • Avoid early getMostSpecificMethod resolution in CommonAnnotationBeanPostProcessor #​31968

🐞 Bug Fixes

  • Double error response handling on suspended methods #​31990
  • DefaultDataBuffer fails to transform its content to a string. #​31979
  • Spring AOP does not propagate arguments for dynamic prototype-scoped advice #​31963
  • MergedAnnotation swallows IllegalAccessException for attribute method #​31960
  • CronTrigger hard-codes default ZoneId instead of participating in scheduler-wide Clock setup #​31949
  • HandlerMappingIntrospector is throwing PatternSyntaxException for wildcards in the request URL #​31946
  • ForwardedHeaderFilter should reject invalid requests #​31894
  • @Async does not support Unit? return type #​31891
  • Significant increase in memory consumption StringDecoder when splitting input by delimiters. #​31859

📔 Documentation

  • Update ContentRequestMatchers#multipartData Javadoc #​31989

🔨 Dependency Upgrades

v6.0.15

Compare Source

⭐ New Features

  • Skip buffer allocation in StreamUtils.copy(String) #​31631

🐞 Bug Fixes

  • <replaced-method /> unnecessarily requires explicit arg-type since 6.0 #​31828
  • MergedAnnotations finds duplicate annotations on method in multi-level interface hierarchy #​31824
  • Fix condition for "Too many elements" in MimeTypeUtils.sortBySpecificity() #​31773
  • Spring unable to decode aggregated JSON content #​31772
  • Multipart messages with empty parts are not correctly parsed in WebFlux #​31766
  • PathEditor cannot handle absolute Windows paths with forward slashes #​31727
  • TraceId is missing in WebFlux controller handlers #​31716
  • Wrong observation status tag when a Not Found in a webflux application #​31715
  • Fail to register MBean with bean name containing invalid character #​31708
  • Include Hibernate's Query.scroll() in SharedEntityManagerCreator's queryTerminatingMethods set #​31683
  • TypeDescriptor does not check generics in equals method (for ConversionService caching) #​31673
  • SpEL expression on a reloadable type can no longer be resolved #​31670
  • Slow SpEL performance due to method sorting in ReflectiveMethodResolver #​31664
  • Jackson encoder releases resources in wrong order #​31656
  • Current Observation.Context missing from WebClient request #​31646
  • WebSocketMessageBrokerStats has null stats for stompSubProtocolHandler since 5.3.2 #​31641
  • <jee:local-slsb> no longer works with a business-interface attribute #​31630
  • GeneratedFiles#addSourceFile should not allow to add a source in the default package #​31629
  • PathResourceResolver.getResource() does not log warning if Resource#getURL() throws exception #​31624

📔 Documentation

  • Document explicit @ModelAttribute is required for reflection hints inference #​31767
  • Documentation needs to be updated with instructions for STOMP Client #​31678
  • Improve STOMP WebSocket documentation for input message buffer size #​31654

🔨 Dependency Upgrades

v6.0.14

Compare Source

⭐ New Features

  • Provide caching for HandlerMappingIntrospector lookups #​31588
  • Log4jLog needs to re-resolve ExtendedLogger on deserialization (for compatibility with Log4J 2.21) #​31582
  • Optimize StandardTypeLocator for hotspot when the same classes are resolved #​31579
  • Add duplicate key exception error code for SAP HANA database #​31554
  • Do not delegate TRACE to HttpServlet on ERROR dispatch #​31457
  • Add properties setter to ProblemDetail #​31430

🐞 Bug Fixes

  • GeneratedFiles#addSource does not provide proper context if the specified class name is invalid #​31612
  • MessageBuilder#createMessage should not define the payload as @Nullable #​31610
  • Default Mixin added by Jackson2ObjectMapperBuilder are missing required runtime hints #​31606
  • NettyDataBuffer#toByteBuffer fails if readPosition > 0 #​31605
  • Avoid duplicate JAR resources in PathMatchingResourcePatternResolver on MS Windows #​31598
  • NamedParameterUtils broken parsing related to square brackets #​31596
  • Multipart cleanup is done too eagerly #​31567
  • Jakarta validation field constraints in superclass are ignored in native image #​31552
  • Function column out doesn't resolve to SqlOutParameter #​31550
  • Restore support for recursive annotations in Kotlin #​31518
  • Resolve to empty MultiValueMap when no matrix variables are provided #​31483
  • ProxyFactoryBean declaration may lead to unexpected non-fatal "FactoryBean threw exception from getObjectType" stacktrace output #​31473
  • Use of @Value in compact constructor of a record should not register method injection #​31433
  • Prevent duplicate HTTP server observations for cancelled exchanges #​31417
  • Spring MVC raises MissingPathVariableException resulting in 500 instead of 400 error when path segment is u001F or u00D and cannot be converted to target type UUID #​31382
  • Ensure consistent value count in ConcurrentReferenceHashMap#Segment #​31373
  • HeaderContentNegotiationStrategy.resolveMediaTypes throws unexpected IllegalArgumentException #​31254
  • Session Cookie in Reactive WebSession is not deleted if maxAge is set through cookie initializer (e.g. via Boot application property) #​31214
  • DefaultWebClient logs URI without the port number #​30519
  • CGLIB BeanCopier falls back to ClassLoader.defineClass for public target #​28699
  • BeanUtils.copyProperties() consumes large amount of memory #​27246

📔 Documentation

  • RestTemplate initialization documentation in 6.0.x mentions Netty, yet no ClientHttpRequestFactory is present in the package. #​31526
  • Correct typo in annotations.adoc #​31519
  • Document X-Forwarded-* Headers #​31491
  • Improve support and documentation for the "default" bean definition profile name #​29071
  • Document that pertypewithin is supported by Spring AOP #​25887
  • Document alternatives of using multiple PropertyPlaceholderConfigurers [SPR-9989] #​14623

🔨 Dependency Upgrades

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​CrotchBurnt, @​GVictorG7, @​PiotrFLEURY, @​baratrax, @​bernie-schelberg-invicara, @​huyachigege, @​izeye, @​lorenzsimon, @​martin-lukas, and @​rwinch

v6.0.13

Compare Source

⭐ New Features
  • Improve diagnostics for negative repeated text count in SpEL #​31342
  • Improve diagnostics when repeated text size calculation results in overflow in SpEL #​31341
  • UnknownContentTypeException is not Serializable #​31283
  • Reintroduce FastClass in CGLIB class names for @Configuration classes #​31272
🐞 Bug Fixes
  • HibernateJpaDialect and HibernateExceptionTranslator throw SQLExceptionTranslator-provided exception instead of returning it #​31409
  • AnnotationScanner scanning leads to StackOverflowError with recursive annotation #​31400
  • NamedParameterJdbcTemplate throws unexpected exception for null query #​31391
  • HTTP server exchange observations have incorrect UNKNOWN status tag if the client disconnected #​31388
  • Breaking change from 6.0.11 to 6.0.12 if you expect query parameters in @RequestBody #​31327
  • SpEL's CompoundExpression.toStringAST() omits ? for null-safe navigation #​31326
  • ConcurrentLruCache no longer supports capacity = 0 #​31317
  • Using R2dbc transactional and non transactional on a database connection pool will fail for Oracle. #​31268
  • AOT-generated code no longer set bean class for beans created from a @Bean method #​31242
  • CGLIB proxy classes are no longer cached properly #​31238
  • Illegal reflective access in ContextOverridingClassLoader.isEligibleForOverriding #​31232
  • Fix RuntimeHintsPredicates matching rules for public/declared elements #​31224
  • MultipartParser should respect read position #​31110
  • WebClient reports 'Host is not specified' for URI with hostname and port, but without scheme #​31033
  • R2DBC Connection is closed during transaction when using TransactionAwareConnectionFactoryProxy #​28133
  • SpEL cannot evaluate or compile expression with null-safe void method invocation #​27421
  • LazyResolutionMessage does not implement proper toString #​21265
📔 Documentation
  • Document Kotlin declaration site variance subtleties #​31370
  • Add missing conversionService field in doc example #​31330
  • Clarify documentation on Spring Web MVC pattern comparison #​31294
  • Improved documentation for MethodParameter#getAnnotatedElement #​30397
  • Javadoc for BeanPropertyRowMapper.getColumnValue(ResultSet, int, Class) is inconsistent with code #​29285
  • Referencing a @Bean method in a @Configuration class' @PostConstruct method leads to circular reference #​27876
  • Incorrect reference information about CGLIB supported method visibility #​25001
  • Clarify documentation for @Transactional on interfaces #​23538
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​jihuayu and @​wfouche

v6.0.12

Compare Source

⭐ New Features
  • ArithmeticException: long overflow on @Scheduled(fixedDelay = Long.MAX_VALUE, timeUnit = TimeUnit.MINUTES) #​31210
  • Polish resolveArgument method in RequestResponseBodyMethodProcessor #​31175
  • Update logging level in BeanValidationBeanRegistrationAotProcessor for validation exceptions #​31147
  • Skip searching of nonexistent directory in PathMatchingResourcePatternResolver #​31111
  • Add @Nullable to argValue in doSetValue() in Argument[Type]PreparedStatementSetter #​31086
  • Optimize whitespace checks in StringUtils #​31067
  • Missing proxy hint when using a simple JPARepository #​31050
  • Register an override for an existing adapter in ReactiveAdapterRegistry #​31047
  • DefaultListableBeanFactory#getBeanNamesForType does not take target type into account for FactoryBean resolution #​30987
  • Give spring-core access to org.jboss.vfs for VfsUtils support on WildFly #​30973
  • Use readNBytes in StringHttpMessageConverter when contentLength is available #​30942
  • Skip array sort when the length of array not greater than 1 #​30934
  • Avoid flushing for each SseEventBuilder entry #​30912
  • Make DefaultGenerationContext(DefaultGenerationContext, String) constructor protected #​30895
  • Add missing @Nullable annotations in AbstractResourceResolver subclasses in Spring MVC #​30893
  • Performance bottlenecks while creating scoped bean instances #​30883
  • Make bean initialization deterministic for multiple @Autowired methods on same bean class #​30359
  • Optimize ClassUtils#getMostSpecificMethod #​30272
  • Missing native hints for Hibernate Native Query proxy #​29603
  • Check exception cause for @PropertySource(ignoreResourceNotFound) support #​22276
  • Align validation metadata handling in PayloadMethodArgumentResolver #​21852
🐞 Bug Fixes
  • Spring Boot fails with "does not reside in the file system: manifoldclass://622488023/.../" #​31216
  • WebClientResponseException.getResponseBodyAs throws exception instead of returning null for empty body #​31179
  • Possible classloader leak through incomplete clearing of annotation caches #​31170
  • Spring LogFactory implementation deviates from original Apache LogFactory in terms of abstract method declarations #​31166
  • graalvm native image feature PreComputeFieldFeature disable all netty native transports #​31141
  • Bean injection fails due to nullSafeConciseToString() invoking isEmpty() on a Map/Collection proxy #​31138
  • R2DBC: Skip release connection after nested with existing transaction #​31133
  • SpelExpressionParser throws IllegalStateException instead of ParseException for invalid expression #​31097
  • @DynamicPropertySource in @Nested test class cannot override dynamic properties from enclosing class #​31083
  • Spring Boot WebFlux validation of invalid inputs #​31045
  • TransactionalApplicationListenerMethodAdapter should find @TransactionalEventListener on target class method #​31034
  • ScheduledAnnotationBeanPostProcessor: graceful shutdown should not interrupt currently running jobs #​31019
  • TypeBootstrapContext constructor not called in custom types with Hibernate 6 #​30924
  • MethodIntrospector.selectMethods(?) fails to find methods in case of special bridge method arrangement #​30906
  • Spring webflux @ModelAttribute annotated methods not working with kotlin suspend methods #​30894
  • Support Kotlin Serialization custom serializers #​30870
  • Test AOT processing fails if a feature name prefix is reused #​30861
  • NoUniqueBeanDefinitionException should make sure beansNameFound is serializable #​29753
  • Permgen memory leak due to ClassInfo caching in java.beans.Introspector on JDK 11/17 #​27781
  • Model.set() Kotlin extension method does not allow null value #​27115
  • Allow PropertySourcesPlaceholderConfigurer subclass to customize PropertyResolver #​26761
📔 Documentation
  • Fix documentation: Passing in Lists of Values for IN Clause does not work with JdbcTemplate #​31228
  • Fix typo in comment in XML configuration example #​31194
  • Document some non-nullable Kotlin extensions can throw NoSuchElementException #​31189
  • Improve documentation on applicability of mapped interceptors with the Spring MVC config #​31185
  • Add Javadoc since tags in FilePatternResourceHintsRegistrar #​31174
  • Refine CORS documentation for wildcard processing #​31143
  • Fix invalid type name in RSocket section of the reference documentation #​31091
  • @Transactional on package-private/protected methods for class-based proxies #​31057
  • Change Kotlin Any to be a nullable type in AOP refdoc examples #​31015
  • Versioned redirect seems to all redirect to "current" version #​31009
  • Javadoc for PathPatternParser.defaultInstance is outdated #​30976
  • Clarify R2DBC ConnectionAccessor and DatabasePopulator exception declarations #​30932
  • Document purpose of name attribute in @PropertySource #​30195
  • Document how to configure the ApplicationEventMulticaster used by the ApplicationContext #​29996
  • Document inference of destroy methods with Java config more prominently #​29546
  • Revise FilePatternResourceHintsRegistrar API and improve documentation #​29161
  • Document how to configure the cache infrastructure globally #​28250
  • SpEL T() operator not able to locate user types with default StandardTypeLocator configuration #​26253
  • Propagation REQUIRES_NEW may cause connection pool deadlock #​26250
  • Modify DefaultMessageListenerContainer javadoc #​25503
  • Doc: Avoid deadlock in @PostConstruct through SmartInitializingSingleton or ContextRefreshedEvent #​25074
  • Document expected behavior of a method annotated with multiple @Scheduled annotations #​23959
  • Improve documentation for FactoryBean's getObject automatic call through @ManagedResource [SPR-17139] #​21676
  • Injecting EntityManagers through constructor injection (and at non-@PersistenceContext injection points in general) [SPR-10443] #​15076
🔨 Dependency Upgrades
❤️ Contributors

Thank you to all the contributors who worked on this release:

@​1zg12, @​aahlenst, @​christophejan, @​gnagy, @​izeye, @​jongwooo, @​kilink, @​marschall, @​michaldo, @​perlun, @​pstrsr, @​quaff, @​remeio, @​rwinch, @​shin-mallang, and @​zakaria-shahen


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner February 25, 2024 05:19
@renovate renovate bot added the security label Feb 25, 2024
@renovate renovate bot requested a review from sheldonhull February 25, 2024 05:19
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch from 0420bd5 to 8373e79 Compare March 20, 2024 02:38
@renovate renovate bot changed the title security(deps): update 🛡️ org.springframework:spring-web to v6.0.17 [security] security(deps): update 🛡️ org.springframework:spring-web to v6.0.18 [security] Mar 20, 2024
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch from 8373e79 to 25684b4 Compare April 18, 2024 02:45
@renovate renovate bot changed the title security(deps): update 🛡️ org.springframework:spring-web to v6.0.18 [security] security(deps): update 🛡️ org.springframework:spring-web to v6.0.19 [security] Apr 18, 2024
@sheldonhull sheldonhull requested review from pacificcode and removed request for sheldonhull April 19, 2024 14:45
@renovate renovate bot force-pushed the renovate/maven-org.springframework-spring-web-vulnerability branch from 25684b4 to bdf5024 Compare April 19, 2024 14:48
@renovate renovate bot changed the title security(deps): update 🛡️ org.springframework:spring-web to v6.0.19 [security] security(deps): update 🛡️ org.springframework:spring-web to v6.0.19 [security] - autoclosed Jul 25, 2024
@renovate renovate bot closed this Jul 25, 2024
@renovate renovate bot deleted the renovate/maven-org.springframework-spring-web-vulnerability branch July 25, 2024 20:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant