Description
Upgrade Spring Framework to 5.3.34 due to CVE-2024-22243, CVE-2024-22259 and CVE-2024-22262
CVE-2024-22243: Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.
https://spring.io/security/cve-2024-22243
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586
CVE-2024-22262: Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.
https://spring.io/security/cve-2024-22262
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980
CVE-2024-22259: Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.
https://spring.io/security/cve-2024-22259
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790
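To confirm the upgrade reached every module, the following added example (not part of the original ticket or of Spring's own tooling) scans `mvn dependency:list` output for `spring-web`, the artifact that ships UriComponentsBuilder, and flags 5.3.x versions below 5.3.34. The function names and the sample listing are constructed for illustration; versions outside the 5.3.x line are only reported, because this ticket names no target for them.

```python
import re

FIXED = (5, 3, 34)  # target version named in this ticket
# spring-web is the artifact that contains UriComponentsBuilder
GROUP, ARTIFACT = "org.springframework", "spring-web"

# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-web:jar:5.3.31:compile
[INFO]    org.springframework:spring-core:jar:5.3.31:compile
[INFO]    com.example:legacy-module:jar:1.0.0:compile
[INFO]    org.springframework:spring-web:jar:5.3.34:runtime -- module spring.web [auto]
[INFO]    org.springframework:spring-web:jar:sources:5.3.9:test
[INFO]    org.springframework:spring-web:jar:6.1.2:compile
"""

# group:artifact:type:version:scope, optionally with a classifier before version
COORD = re.compile(r"^\[INFO\]\s+([\w.\-]+(?::[\w.\-]+){4,5})(?:\s|$)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the text is not numeric."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def find_outdated(listing):
    """Return (version, scope, status) for each spring-web entry needing attention."""
    findings = []
    for line in listing.splitlines():
        m = COORD.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        group, artifact, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        if (group, artifact) != (GROUP, ARTIFACT):
            continue
        parsed = parse_version(version)
        if parsed is None:
            findings.append((version, scope, "unparsed"))
        elif parsed[:2] != FIXED[:2]:
            findings.append((version, scope, "other-line"))  # no target in this ticket
        elif parsed < FIXED:  # numeric compare: 5.3.9 sorts below 5.3.34
            findings.append((version, scope, "upgrade"))
    return findings


if __name__ == "__main__":
    for finding in find_outdated(SAMPLE):
        print(finding)
```

Run it over the listing of every module in a multi-module build, since a transitive dependency can pin an older `spring-web` than the parent POM declares.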