fix(deps): update dependency org.springframework:spring-core to v6.1.14 [security]
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
org.springframework:spring-core | dependencies | patch |
6.1.12 -> 6.1.14
|
Spring Framework has Authorization Bypass for Case Sensitive Comparisons
CVE-2024-38827 / GHSA-q3v6-hm2v-pw99
More information
Details
The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.
Severity
- CVSS Score: 4.8 / 10 (Medium)
- Vector String:
CVSS:3.1/AV:N/AC:H/MR:N/UI:N/S:U/C:L/I:L/A:N
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-38827
- https://github.com/spring-projects/spring-framework/issues/33708
- https://github.com/spring-projects/spring-framework/commit/11d4272ff48b4a4dabc4b28dfbff0364a4204bc9
- https://github.com/spring-projects/spring-framework
- https://spring.io/security/cve-2024-38827
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
spring-projects/spring-framework (org.springframework:spring-core)
v6.1.14
⭐ New Features
- Use Locale.ROOT for locale neutral, case insensitive comparisons #33708
- Improve checks for relative paths in static resource handling #33689
- CorsUtils.isCorsRequest throws unhandled IllegalArgumentException and returns 500 Internal Server Error on malfomed Origin header #33682
- Skip processing of Java annotations in
QualifierAnnotationAutowireCandidateResolver
#33580 - Include argument name in
MethodArgumentTypeMismatchException
error message #33573 - Preserve coroutine context in WebClientExtensions #33548
- Blocking call detected in ConcurrentReferenceHashMap by BlockHound #33450
- Warning message about bean post-processing and eager injection may suggest the wrong cause #33184
:lady_beetle: Bug Fixes
- DelegatingFilterProxy Causes Pinned Virtual Threads #33656
- Potential NPE from
MethodParameter.getMethod()
check inKotlinDelegate.hasDefaultValue()
#33609 - Missing native image hints for JDK proxies created by JMS connection factories #33590
-
AotTestExecutionListener
should not be invoked for a@DisabledInAotMode
test class #33589 - Use encoded resource path instead of input path validation in spring-webflux #33568
-
org.springframework.util.ResourceUtils#toRelativeURL
drops customURLStreamHandler
#33561 - Current observation not in scope during WebClient ExchangeFilterFunction execution #33559
-
ZoneIdEditor
throws wrong exception type forTypeConverterSupport
#33545 - MimeMessageHelper addInline with ByteArrayResource fail with null filename #33527
-
@Cacheable
throwsNullPointerException
whenRuntimeException
is thrown inside annotated code #33492 - Path variable values missing in RedirectView when PathPattern are used #33422
- Reactive
HttpComponentsClientHttpResponse
ignoresExpires
cookie attribute #33157
📔 Documentation
- Update fallback.adoc #33721
- Update scheduling.adoc #33703
- Fix link in testing/support-jdbc.adoc #33686
- Adapt Javadoc note about log level of BeanPostProcessorChecker #33617
- Reference the spring-framework-petclinic repository wich uses AspectJ #33539
🔨 Dependency Upgrades
- Upgrade to Apache HttpClient 5.4 #33587
- Upgrade to Apache HttpCore Reactive 5.3 #33588
- Upgrade to Awaitility 4.2.2 #33604
- Upgrade to Micrometer 1.12.11 #33647
- Upgrade to Reactor 2023.0.11 #33637
❤ Contributors
Thank you to all the contributors who worked on this release:
@arey, @asibross, @boulce, @drdpov, @hosamaly, @ilya40umov, @izeye, and @junhyeongkim2
v6.1.13
⭐ New Features
- Errors thrown from SmartLifeycle#stop results in (unnecessary) waiting for the shutdown timeout #33442
- Updates to resource handling for functional endpoints #33434
- Stop logging
result
inWebAsyncManager
#33406 - spring native not support method handler with kotlin default value #33384
:lady_beetle: Bug Fixes
- Ensure use of specified status code on redirect with
Rendering
#33498 - Inconsistent handling of X-Forwarded-Prefix in servlet and reactive stack #33465
- ServerHttpObservationFilter does not register against new async operations #33451
- Revert removal of deprecated rawStatusCode methods #33440
- PathMatchingResourcePatternResolver no longer follows symlinks #33424
- Deadlock between SseEmitter and StandardServletAsyncWebRequest when clients disconnect #33421
- RestClient doesn't open a scope for the processing of the request #33397
- WebTestClient leaks when ParameterizedTypeReference is used #33389
📔 Documentation
- Document fixed rate scheduling with CRaC #33490
- Update information in SpEL Evaluation chapter in reference manual #33456
- Stop documenting use of
-debug
compiler flag in reference manual #33453 - Use discrete headings instead of titled blocks in reference manual #33447
- Fix example for
@ImportResource
in the reference manual #33446 - Fix a typo in the CDS documentation #33437
- Fix link to chapter introduction #33417
- Improve documentation on reading form data via Servlet request parameters vs
@RequestBody
#33409
🔨 Dependency Upgrades
- Upgrade to Kotlin 1.9.25 #33471
- Upgrade to Micrometer 1.12.10 #33518
- Upgrade to Objenesis 3.4 #33526
- Upgrade to Reactor 2023.0.10 #33519
❤ Contributors
Thank you to all the contributors who worked on this release:
@dancer1325, @izeye, and @yfoel
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.