fix(deps): update dependency org.springframework:spring-context to v6.1.14 [security]

This MR contains the following updates:

Package	Type	Update	Change
org.springframework:spring-context	dependencies	patch	6.1.12 -> 6.1.14

---

Spring Framework DataBinder Case Sensitive Match Exception

CVE-2024-38820 / GHSA-4gc7-5j7h-4qph

More information

Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/MR:N/UI:N/S:U/C:N/I:L/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-38820
• https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c
• https://github.com/spring-projects/spring-framework
• https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2
• https://spring.io/security/cve-2024-38820

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-context)

v6.1.14

⭐ New Features

• Use Locale.ROOT for locale neutral, case insensitive comparisons #​33708
• Improve checks for relative paths in static resource handling #​33689
• CorsUtils.isCorsRequest throws unhandled IllegalArgumentException and returns 500 Internal Server Error on malfomed Origin header #​33682
• Skip processing of Java annotations in QualifierAnnotationAutowireCandidateResolver #​33580
• Include argument name in MethodArgumentTypeMismatchException error message #​33573
• Preserve coroutine context in WebClientExtensions #​33548
• Blocking call detected in ConcurrentReferenceHashMap by BlockHound #​33450
• Warning message about bean post-processing and eager injection may suggest the wrong cause #​33184

:lady_beetle: Bug Fixes

• DelegatingFilterProxy Causes Pinned Virtual Threads #​33656
• Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue() #​33609
• Missing native image hints for JDK proxies created by JMS connection factories #​33590
• AotTestExecutionListener should not be invoked for a @DisabledInAotMode test class #​33589
• Use encoded resource path instead of input path validation in spring-webflux #​33568
• org.springframework.util.ResourceUtils#toRelativeURL drops custom URLStreamHandler #​33561
• Current observation not in scope during WebClient ExchangeFilterFunction execution #​33559
• ZoneIdEditor throws wrong exception type for TypeConverterSupport #​33545
• MimeMessageHelper addInline with ByteArrayResource fail with null filename #​33527
• @Cacheable throws NullPointerException when RuntimeException is thrown inside annotated code #​33492
• Path variable values missing in RedirectView when PathPattern are used #​33422
• Reactive HttpComponentsClientHttpResponse ignores Expires cookie attribute #​33157

📔 Documentation

• Update fallback.adoc #​33721
• Update scheduling.adoc #​33703
• Fix link in testing/support-jdbc.adoc #​33686
• Adapt Javadoc note about log level of BeanPostProcessorChecker #​33617
• Reference the spring-framework-petclinic repository wich uses AspectJ #​33539

🔨 Dependency Upgrades

• Upgrade to Apache HttpClient 5.4 #​33587
• Upgrade to Apache HttpCore Reactive 5.3 #​33588
• Upgrade to Awaitility 4.2.2 #​33604
• Upgrade to Micrometer 1.12.11 #​33647
• Upgrade to Reactor 2023.0.11 #​33637

❤ Contributors

Thank you to all the contributors who worked on this release:

@​arey, @​asibross, @​boulce, @​drdpov, @​hosamaly, @​ilya40umov, @​izeye, and @​junhyeongkim2

v6.1.13

⭐ New Features

• Errors thrown from SmartLifeycle#stop results in (unnecessary) waiting for the shutdown timeout #​33442
• Updates to resource handling for functional endpoints #​33434
• Stop logging result in WebAsyncManager #​33406
• spring native not support method handler with kotlin default value #​33384

:lady_beetle: Bug Fixes

• Ensure use of specified status code on redirect with Rendering #​33498
• Inconsistent handling of X-Forwarded-Prefix in servlet and reactive stack #​33465
• ServerHttpObservationFilter does not register against new async operations #​33451
• Revert removal of deprecated rawStatusCode methods #​33440
• PathMatchingResourcePatternResolver no longer follows symlinks #​33424
• Deadlock between SseEmitter and StandardServletAsyncWebRequest when clients disconnect #​33421
• RestClient doesn't open a scope for the processing of the request #​33397
• WebTestClient leaks when ParameterizedTypeReference is used #​33389

📔 Documentation

• Document fixed rate scheduling with CRaC #​33490
• Update information in SpEL Evaluation chapter in reference manual #​33456
• Stop documenting use of -debug compiler flag in reference manual #​33453
• Use discrete headings instead of titled blocks in reference manual #​33447
• Fix example for @ImportResource in the reference manual #​33446
• Fix a typo in the CDS documentation #​33437
• Fix link to chapter introduction #​33417
• Improve documentation on reading form data via Servlet request parameters vs @RequestBody #​33409

🔨 Dependency Upgrades

• Upgrade to Kotlin 1.9.25 #​33471
• Upgrade to Micrometer 1.12.10 #​33518
• Upgrade to Objenesis 3.4 #​33526
• Upgrade to Reactor 2023.0.10 #​33519

❤ Contributors

Thank you to all the contributors who worked on this release:

@​dancer1325, @​izeye, and @​yfoel

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Renovate Bot.