[ https://issues.apache.org/jira/browse/NIFI-11478?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Pierre Villard updated NIFI-11478:
----------------------------------
Fix Version/s: 2.0.0, 1.22.0 (was: 1.latest, 2.latest)
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Upgrade Spring Framework to 5.3.27 and Spring Security to 5.8.3
> ---------------------------------------------------------------
>
> Key: NIFI-11478
> URL: https://issues.apache.org/jira/browse/NIFI-11478
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, MiNiFi, NiFi Registry, Security
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Labels: dependency-upgrade
> Fix For: 2.0.0, 1.22.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Spring Framework 5.3.26 and earlier contain a Spring Expression Language
> vulnerability described in
> [CVE-2023-20863|https://spring.io/security/cve-2023-20863].
> Spring Security 5.8.2 and earlier contain a Security Context logout
> vulnerability described in
> [CVE-2023-20862|https://spring.io/security/cve-2023-20862].
> Spring Framework
> [5.3.27|https://github.com/spring-projects/spring-framework/releases/tag/v5.3.27]
> resolves CVE-2023-20863 and Spring Security
> [5.8.3|https://github.com/spring-projects/spring-security/releases/tag/5.8.3]
> resolves CVE-2023-20862.
> Spring Boot 2.7.11 incorporates these upgrades and should be updated for
> Registry.
> Framework components do not use Spring Expression Language and do not use
> HTTP sessions for persisting Security Context information.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)