Skip to content

fix(deps): update dependency org.springframework:spring-core to v6.1.14 [security]

This MR contains the following updates:

Package Type Update Change
org.springframework:spring-core dependencies patch 6.1.12 -> 6.1.14

Spring Framework has Authorization Bypass for Case Sensitive Comparisons

CVE-2024-38827 / GHSA-q3v6-hm2v-pw99

More information

Details

The usage of String.toLowerCase() and String.toUpperCase() has some Locale dependent exceptions that could potentially result in authorization rules not working properly.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/MR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

spring-projects/spring-framework (org.springframework:spring-core)

v6.1.14

New Features
  • Use Locale.ROOT for locale neutral, case insensitive comparisons #​33708
  • Improve checks for relative paths in static resource handling #​33689
  • CorsUtils.isCorsRequest throws unhandled IllegalArgumentException and returns 500 Internal Server Error on malfomed Origin header #​33682
  • Skip processing of Java annotations in QualifierAnnotationAutowireCandidateResolver #​33580
  • Include argument name in MethodArgumentTypeMismatchException error message #​33573
  • Preserve coroutine context in WebClientExtensions #​33548
  • Blocking call detected in ConcurrentReferenceHashMap by BlockHound #​33450
  • Warning message about bean post-processing and eager injection may suggest the wrong cause #​33184
:lady_beetle: Bug Fixes
  • DelegatingFilterProxy Causes Pinned Virtual Threads #​33656
  • Potential NPE from MethodParameter.getMethod() check in KotlinDelegate.hasDefaultValue() #​33609
  • Missing native image hints for JDK proxies created by JMS connection factories #​33590
  • AotTestExecutionListener should not be invoked for a @DisabledInAotMode test class #​33589
  • Use encoded resource path instead of input path validation in spring-webflux #​33568
  • org.springframework.util.ResourceUtils#toRelativeURL drops custom URLStreamHandler #​33561
  • Current observation not in scope during WebClient ExchangeFilterFunction execution #​33559
  • ZoneIdEditor throws wrong exception type for TypeConverterSupport #​33545
  • MimeMessageHelper addInline with ByteArrayResource fail with null filename #​33527
  • @Cacheable throws NullPointerException when RuntimeException is thrown inside annotated code #​33492
  • Path variable values missing in RedirectView when PathPattern are used #​33422
  • Reactive HttpComponentsClientHttpResponse ignores Expires cookie attribute #​33157
📔 Documentation
  • Update fallback.adoc #​33721
  • Update scheduling.adoc #​33703
  • Fix link in testing/support-jdbc.adoc #​33686
  • Adapt Javadoc note about log level of BeanPostProcessorChecker #​33617
  • Reference the spring-framework-petclinic repository wich uses AspectJ #​33539
🔨 Dependency Upgrades
Contributors

Thank you to all the contributors who worked on this release:

@​arey, @​asibross, @​boulce, @​drdpov, @​hosamaly, @​ilya40umov, @​izeye, and @​junhyeongkim2

v6.1.13

New Features
  • Errors thrown from SmartLifeycle#stop results in (unnecessary) waiting for the shutdown timeout #​33442
  • Updates to resource handling for functional endpoints #​33434
  • Stop logging result in WebAsyncManager #​33406
  • spring native not support method handler with kotlin default value #​33384
:lady_beetle: Bug Fixes
  • Ensure use of specified status code on redirect with Rendering #​33498
  • Inconsistent handling of X-Forwarded-Prefix in servlet and reactive stack #​33465
  • ServerHttpObservationFilter does not register against new async operations #​33451
  • Revert removal of deprecated rawStatusCode methods #​33440
  • PathMatchingResourcePatternResolver no longer follows symlinks #​33424
  • Deadlock between SseEmitter and StandardServletAsyncWebRequest when clients disconnect #​33421
  • RestClient doesn't open a scope for the processing of the request #​33397
  • WebTestClient leaks when ParameterizedTypeReference is used #​33389
📔 Documentation
  • Document fixed rate scheduling with CRaC #​33490
  • Update information in SpEL Evaluation chapter in reference manual #​33456
  • Stop documenting use of -debug compiler flag in reference manual #​33453
  • Use discrete headings instead of titled blocks in reference manual #​33447
  • Fix example for @ImportResource in the reference manual #​33446
  • Fix a typo in the CDS documentation #​33437
  • Fix link to chapter introduction #​33417
  • Improve documentation on reading form data via Servlet request parameters vs @RequestBody #​33409
🔨 Dependency Upgrades
Contributors

Thank you to all the contributors who worked on this release:

@​dancer1325, @​izeye, and @​yfoel


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports