Current Behavior
While version 5.0.1 fixed a lot of CVEs, there is now one major CVE left on Spring framework 5.3 which is probably non-trivial to fix.
It appears that there will not be a 5.3.x release addressing the issue.
Upgrading to Spring Boot 3 (see also #5063) will partially fix this because Spring Boot 3 uses Spring 6, but we may also need to upgrade the (non-Spring Boot) Spring dependencies of the workbench.
Expected Behavior
Upgrading to a newer release of zookeeper fixes the reported CVE for the zookeeper dependency
Steps To Reproduce
No response
Version
5.0.1
Are you interested in contributing a solution yourself?
Perhaps?
Anything else?
See also spring-projects/spring-framework#24434
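Upgrading may not be strictly necessary, since one of the comments states:
"Having said that it can be used as a reminder to check that there are no HTTP Invoker endpoints exposed to untrusted clients. If there are none, then nothing further to do."
(but automated scanners will still report this as a serious issue)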