[ https://issues.apache.org/jira/browse/IMPALA-11639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wenzhe Zhou resolved IMPALA-11639.
----------------------------------
Target Version: Impala 4.2.0
Resolution: Fixed
> Upgrade Spring Framework to 5.3.20 due to multiple CVEs
> -------------------------------------------------------
>
> Key: IMPALA-11639
> URL: https://issues.apache.org/jira/browse/IMPALA-11639
> Project: IMPALA
> Issue Type: Task
> Components: Frontend
> Affects Versions: Impala 4.1.0
> Reporter: Wenzhe Zhou
> Assignee: Wenzhe Zhou
> Priority: Major
> Fix For: Impala 4.2.0
>
>
> The following are the known CVEs in spring-core 5.3.18 (ref
> https://mvnrepository.com/artifact/org.springframework/spring-core):
>
> CVE-2022-22971 - In Spring Framework versions prior to 5.3.20+, 5.2.22+ and
> old unsupported versions, an application with a STOMP over WebSocket endpoint
> is vulnerable to a denial of service attack by an authenticated user.
>
> CVE-2022-22968 - In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20,
> and older unsupported versions, the patterns for disallowedFields on a
> DataBinder are case sensitive, which means a field is not effectively
> protected unless it is listed with both upper and lower case for the first
> character of the field, including upper and lower case for the first
> character of all nested fields within the property path.
>
> CVE-2022-22970 - In Spring Framework versions prior to 5.3.20+, 5.2.22+ and
> old unsupported versions, applications that handle file uploads are
> vulnerable to a DoS attack if they rely on data binding to set a MultipartFile
> or javax.servlet.Part to a field in a model object.
>
> Recommendation:
> Upgrade to the latest non-vulnerable version
> https://mvnrepository.com/artifact/org.springframework/spring-core
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
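The CVE-2022-22968 entry quoted in the ticket describes a defect in how a Spring DataBinder matches disallowedFields patterns. The example below is added here as an illustration of the defensive binder configuration that description implies for deployments still on an affected Spring Framework version (5.3.0 - 5.3.18 per the ticket); it is not code from the Impala project or from the Jira issue. The controller, the AccountForm class, its fields and the request path are hypothetical; the Spring annotations and the WebDataBinder methods used are part of Spring MVC.

```java
// Added example, not code from the Impala project or the Jira ticket.
// Defensive DataBinder configuration for a Spring MVC controller running on a
// Spring Framework version affected by CVE-2022-22968, where disallowedFields
// patterns are matched case sensitively. Controller, form and field names are
// hypothetical.
package example.web;

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class AccountController {

    /** Hypothetical form object populated by Spring's request data binding. */
    public static class AccountForm {
        private String displayName;
        private boolean admin;        // privileged flag; must never be client-settable
        private AccountForm delegate; // nested object, so paths like delegate.admin exist

        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public boolean isAdmin() { return admin; }
        public void setAdmin(boolean admin) { this.admin = admin; }
        public AccountForm getDelegate() { return delegate; }
        public void setDelegate(AccountForm delegate) { this.delegate = delegate; }
    }

    @InitBinder
    public void restrictBinding(WebDataBinder binder) {
        // Positive allow-list of the only field a client may set. An allow-list
        // is the stronger control and does not depend on block-list matching.
        binder.setAllowedFields("displayName");

        // Block-list kept as defence in depth. On an affected version the single
        // pattern "admin" does not cover a request parameter named "Admin", so
        // both first-character cases are listed. The "*." prefix covers every
        // nested property path regardless of how its parent segments are cased
        // (delegate.admin, Delegate.Admin, delegate.delegate.admin, ...).
        binder.setDisallowedFields("admin", "Admin", "*.admin", "*.Admin");
    }

    @PostMapping("/account")
    public String update(@ModelAttribute AccountForm form) {
        // With the binder above, form.isAdmin() keeps its default value of false
        // no matter which admin/Admin/... parameters the request carried.
        return form.isAdmin() ? "unexpected" : "updated " + form.getDisplayName();
    }
}
```

The allow-list line is the part worth keeping after the upgrade to 5.3.20 as well: once only the intended fields are bindable, the exact case-matching behaviour of disallowedFields no longer decides whether a privileged property can be set from a request.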