Update dependency org.springframework.boot:spring-boot-starter-web to v2.5.12 [SECURITY] #62
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.3.0.RELEASE
->2.5.12
GitHub Vulnerability Alerts
CVE-2022-22965
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as
Spring4Shell
.Impact
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
spring-webmvc
orspring-webflux
dependencyPatches
Workarounds
For those who are unable to upgrade, leaked reports recommend setting
disallowedFields
onWebDataBinder
through an@ControllerAdvice
. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller setsdisallowedFields
locally through its own@InitBinder
method, which overrides the global setting.To apply the workaround in a more fail-safe way, applications could extend
RequestMappingHandlerAdapter
to update theWebDataBinder
at the end after all other initialization. In order to do that, a Spring Boot application can declare aWebMvcRegistrations
bean (Spring MVC) or aWebFluxRegistrations
bean (Spring WebFlux).Release Notes
spring-projects/spring-boot (org.springframework.boot:spring-boot-starter-web)
v2.5.12
Compare Source
🐞 Bug Fixes
📔 Documentation
@DefaultValue
can be used on a record component #30460🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.11
Compare Source
⭐ New Features
🐞 Bug Fixes
@ReadOperation
on Flux cancels request after first element emitted #30095@ConditionalOnSingleCandidate
that does not match due to multiple primary beans isn't as clear as it could be #30073@DefaultValue
with a long value and generates invalid metadata for byte and short properties with out-of-range default values #30020📔 Documentation
@MockBean
and@SpyBean
#28656@Bean
methods are included in slice tests #16088🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.10
Compare Source
🐞 Bug Fixes
@ManagedResource
object names #29953@SpyBean
causes BeanCurrentlyInCreationException when there are circular references #29639📔 Documentation
@ConditionalOnExpression
#29276@DefaultValue
annotations are not resolved #23164🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.9
Compare Source
🐞 Bug Fixes
@SpringBootTest
does not use spring.main.web-application-type properties declared in test resource files #29169📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.8
Compare Source
🐞 Bug Fixes
📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.7
Compare Source
🐞 Bug Fixes
@ActiveProfiles
have different precedence #28530📔 Documentation
@deprecated
and@see
in org.springframework.boot.loader.archive.Archive's javadoc #28680🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.6
Compare Source
🐞 Bug Fixes
📔 Documentation
@AutoConfigureTestEntityManager
outside of@DataJpaTest
, any tests using the test entity manager must be@Transactional
#28159🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.5
Compare Source
🐞 Bug Fixes
@MockBean
combined with@Repeat
results in "the field cannot have an existing value" error #27798📔 Documentation
🔨 Dependency Upgrades
❤️ Contributors
We'd like to thank all the contributors who worked on this release!
v2.5.4
Compare Source
🐞 Bug Fixes
TomcatMetricsBinder.findContext()
#27616📔 Documentation
🔨 Dependency Upgrades
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.