Wenzhe Zhou created IMPALA-11639:
------------------------------------
Summary: Upgrade Spring Framework to 5.3.20 due to multiple CVEs
Key: IMPALA-11639
URL: https://issues.apache.org/jira/browse/IMPALA-11639
Project: IMPALA
Issue Type: Task
Components: Frontend
Affects Versions: Impala 4.1.0
Reporter: Wenzhe Zhou
Fix For: Impala 4.2.0
The following are the known CVEs in spring-core 5.3.18 (ref
https://mvnrepository.com/artifact/org.springframework/spring-core)
CVE-2022-22971 - In spring framework versions prior to 5.3.20+ , 5.2.22+ and
old unsupported versions, application with a STOMP over WebSocket endpoint is
vulnerable to a denial of service attack by an authenticated user.
CVE-2022-22968 - In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20,
and older unsupported versions, the patterns for disallowedFields on a
DataBinder are case sensitive which means a field is not effectively protected
unless it is listed with both upper and lower case for the first character of
the field, including upper and lower case for the first character of all nested
fields within the property path.
CVE-2022-22970 - In spring framework versions prior to 5.3.20+ , 5.2.22+ and
old unsupported versions, applications that handle file uploads are vulnerable
to DoS attack if they rely on data binding to set a MultipartFile or
javax.servlet.Part to a field in a model object.
Recommendation :
Upgrade to the latest non-vulnerable version
https://mvnrepository.com/artifact/org.springframework/spring-core
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
