David Handermann created NIFI-11478:
---------------------------------------

             Summary: Upgrade Spring Framework to 5.3.27 and Spring Security to 5.8.3
                 Key: NIFI-11478
                 URL: https://issues.apache.org/jira/browse/NIFI-11478
             Project: Apache NiFi
          Issue Type: Improvement
          Components: Core Framework, MiNiFi, NiFi Registry, Security
            Reporter: David Handermann
            Assignee: David Handermann


Spring Framework 5.3.26 and earlier contain a Spring Expression Language vulnerability described in [CVE-2023-20863|https://spring.io/security/cve-2023-20863].

Spring Security 5.8.2 and earlier contain a Security Context logout vulnerability described in [CVE-2023-20862|https://spring.io/security/cve-2023-20862].

Spring Framework [5.3.27|https://github.com/spring-projects/spring-framework/releases/tag/v5.3.27] resolves CVE-2023-20863 and Spring Security [5.8.3|https://github.com/spring-projects/spring-security/releases/tag/5.8.3] resolves CVE-2023-20862.

Spring Boot 2.7.11 incorporates these upgrades and should be updated for Registry.

Framework components do not use Spring Expression Language and do not use HTTP sessions for persisting Security Context information.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)