[ https://issues.apache.org/jira/browse/HDDS-10815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Attila Doroszlai updated HDDS-10815:
------------------------------------
    Summary: Bump Spring Framework to 5.3.34  (was: Upgrade Spring Framework to 
6.1.6/6.0.19/5.3.34 due to CVEs)

> Bump Spring Framework to 5.3.34
> -------------------------------
>
>                 Key: HDDS-10815
>                 URL: https://issues.apache.org/jira/browse/HDDS-10815
>             Project: Apache Ozone
>          Issue Type: Task
>          Components: build
>            Reporter: Rohit Kumar
>            Assignee: Rohit Kumar
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.5.0
>
>
> Upgrade Spring Framework to 6.1.6/6.0.19/5.3.34 due to CVE-2024-22243, 
> CVE-2024-22259 and CVE-2024-22262
> CVE-2024-22243: Applications that use {{UriComponentsBuilder}} to parse an 
> externally provided URL (e.g. through a query parameter) _AND_ perform 
> validation checks on the host of the parsed URL may be vulnerable to an [open 
> redirect|https://cwe.mitre.org/data/definitions/601.html] attack or to an SSRF 
> attack if the URL is used after passing validation checks.
> [https://spring.io/security/cve-2024-22243] 
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586] 
> CVE-2024-22262: Affected versions of this package are vulnerable to Open 
> Redirect when {{UriComponentsBuilder}} is used to parse an externally 
> provided URL and perform validation checks on the host of the parsed URL.
> [https://spring.io/security/cve-2024-22262] 
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980] 
> CVE-2024-22259: Affected versions of this package are vulnerable to Open 
> Redirect when using {{UriComponentsBuilder}} to parse an externally provided 
> {{URL}} and perform validation checks on the host of the parsed URL.
> [https://spring.io/security/cve-2024-22259] 
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790] 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
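All three advisories describe the same code shape: parse an attacker-supplied URL with {{UriComponentsBuilder}}, check the parsed host against an allowlist, then hand the original string to a redirect or an HTTP client. The following is an added illustration of that shape beside a hardened variant; it is not code from Apache Ozone, Spring, or the reporter. The class name, the allowlist hosts and the sample URLs are constructed for the example, and the hardened variant is a generic defensive pattern, not Spring's fix (the fix for the CVEs themselves is the version bump this ticket tracks).

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.springframework.web.util.UriComponents;
import org.springframework.web.util.UriComponentsBuilder;

/** Added example: parse-then-validate redirect targets. Not part of Ozone or Spring. */
public final class RedirectTargetCheck {

    // Hypothetical allowlist of hosts this application is willing to redirect to.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "sso.example.com");

    /**
     * The pattern the advisories warn about: validate the host that
     * UriComponentsBuilder extracted, then use the ORIGINAL string.
     * Whatever later consumes the string (browser, HttpClient) parses it again;
     * if that parser disagrees with UriComponentsBuilder about where the host
     * starts, the allowlist check was made on the wrong value.
     */
    static String vulnerableTarget(String externalUrl) {
        UriComponents parsed = UriComponentsBuilder.fromUriString(externalUrl).build();
        String host = parsed.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        return externalUrl; // raw input is what gets redirected to
    }

    /**
     * Hardened variant: strict RFC 3986 parser, reject authority forms that
     * invite host confusion (userinfo, non-host authority), and redirect only
     * to a URL rebuilt from the components that were actually validated.
     */
    static String hardenedTarget(String externalUrl) {
        URI uri;
        try {
            uri = new URI(externalUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable URL", e);
        }
        if (!"https".equals(uri.getScheme())) {
            throw new IllegalArgumentException("scheme not allowed: " + uri.getScheme());
        }
        if (uri.getRawUserInfo() != null) {
            // "trusted@evil" style authorities: never accept credentials in a redirect target.
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost(); // null when the authority is not a clean server-based host
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        try {
            // Re-serialise from validated parts only; the raw input string is never used downstream.
            return new URI(uri.getScheme(), null, host, uri.getPort(),
                           uri.getPath(), uri.getQuery(), uri.getFragment()).toString();
        } catch (URISyntaxException e) {
            throw new IllegalStateException("rebuilt URI should always be valid", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one allowed, one plainly off-list, one with userinfo.
        String[] samples = {
            "https://app.example.com/home?next=1",
            "https://evil.example.net/",
            "https://app.example.com@evil.example.net/",
        };
        for (String s : samples) {
            try {
                System.out.println("hardened  ACCEPT " + hardenedTarget(s));
            } catch (IllegalArgumentException e) {
                System.out.println("hardened  REJECT " + s + " (" + e.getMessage() + ")");
            }
            try {
                System.out.println("original  ACCEPT " + vulnerableTarget(s));
            } catch (IllegalArgumentException e) {
                System.out.println("original  REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The difference that matters is the return value, not the check: the hardened path returns a string built from the host it approved, so a disagreement between two URL parsers about the raw input cannot turn an accepted host into a different redirect destination. Upgrading to 5.3.34 (or the matching 6.x lines) closes the parser-side issue; keeping validation and use on the same parsed object is the belt-and-braces step that survives the next parser bug.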
