[ https://issues.apache.org/jira/browse/HDDS-10815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ChenXi updated HDDS-10815:
--------------------------
Fix Version/s: 1.4.1
> Bump Spring Framework to 5.3.34
> -------------------------------
>
> Key: HDDS-10815
> URL: https://issues.apache.org/jira/browse/HDDS-10815
> Project: Apache Ozone
> Issue Type: Task
> Components: build
> Reporter: Rohit Kumar
> Assignee: Rohit Kumar
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.5.0, 1.4.1
>
>
> Upgrade Spring Framework to 5.3.34 due to CVE-2024-22243, CVE-2024-22259 and
> CVE-2024-22262.
> CVE-2024-22243: Applications that use {{UriComponentsBuilder}} to parse an
> externally provided URL (e.g. through a query parameter) _AND_ perform
> validation checks on the host of the parsed URL may be vulnerable to an
> [open redirect|https://cwe.mitre.org/data/definitions/601.html] attack or to an
> SSRF attack if the URL is used after passing validation checks.
> [https://spring.io/security/cve-2024-22243]
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586]
> CVE-2024-22262: Affected versions of this package are vulnerable to Open
> Redirect when {{UriComponentsBuilder}} is used to parse an externally
> provided URL and perform validation checks on the host of the parsed URL.
> [https://spring.io/security/cve-2024-22262]
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980]
> CVE-2024-22259: Affected versions of this package are vulnerable to Open
> Redirect when using {{UriComponentsBuilder}} to parse an externally provided
> {{URL}} and perform validation checks on the host of the parsed URL.
> [https://spring.io/security/cve-2024-22259]
> [https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
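The ticket above is a version bump, and what a reviewer of such a bump usually wants to confirm is that no module still resolves an older Spring Framework artifact through a transitive dependency. The following is an added example, not Apache Ozone's or Spring's code: a Python script that reads `mvn dependency:tree` output and flags every `org.springframework` artifact whose resolved version is below 5.3.34, the version this ticket targets. The sample tree, the module and library names in it, and the script name `audit_spring.py` are constructed for illustration; the only facts taken from the ticket are the group id and the target version.

```python
"""Audit `mvn dependency:tree` output for Spring Framework artifacts below a minimum version.

Added example; not Apache Ozone's or Spring's code. The sample tree below is constructed.
"""
import re
import sys
from typing import List, Tuple

# Target version from the ticket: the Spring Framework release the ticket bumps to
# for CVE-2024-22243, CVE-2024-22259 and CVE-2024-22262.
MIN_SPRING_VERSION = "5.3.34"
# Exact group match: org.springframework.boot, org.springframework.security etc. are
# separate products with their own version lines and are deliberately not checked here.
SPRING_FRAMEWORK_GROUP = "org.springframework"

# Constructed sample output of `mvn dependency:tree` (hypothetical module, not Ozone's build).
# It mixes an already-bumped direct dependency with an older transitive one.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ demo-module ---
[INFO] org.example:demo-module:jar:1.4.0
[INFO] +- org.springframework:spring-core:jar:5.3.34:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.3.34:compile
[INFO] +- org.springframework:spring-web:jar:5.3.31:compile
[INFO] +- org.example:legacy-lib:jar:2.1.0:compile
[INFO] |  \\- org.springframework:spring-beans:jar:5.2.25.RELEASE:compile
[INFO] \\- org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

_LOG_PREFIX = re.compile(r"^\[[A-Z]+\]\s*")      # "[INFO] " style Maven log prefix
_NUMERIC_PREFIX = re.compile(r"^\d+(?:\.\d+)*")  # leading dotted numeric part of a version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a Maven version, ignoring qualifiers ("5.2.25.RELEASE" -> (5, 2, 25))."""
    m = _NUMERIC_PREFIX.match(version)
    if not m:
        return ()
    return tuple(int(part) for part in m.group(0).split("."))


def is_below(version: str, minimum: str) -> bool:
    """True if `version` sorts before `minimum` when compared on numeric components."""
    return version_key(version) < version_key(minimum)


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every coordinate line in dependency:tree output.

    Root module lines look like  group:artifact:type:version ;
    dependency lines look like   group:artifact:type[:classifier]:version:scope .
    Plugin banners, "BUILD SUCCESS" and blank lines do not split into 4-6 fields and are skipped.
    """
    found: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = _LOG_PREFIX.sub("", raw).lstrip("|+\\- ")  # drop log prefix and tree glyphs
        parts = line.split(":")
        if len(parts) == 4:
            group, artifact, version = parts[0], parts[1], parts[3]
        elif len(parts) in (5, 6):
            group, artifact, version = parts[0], parts[1], parts[-2]
        else:
            continue
        found.append((group, artifact, version))
    return found


def find_outdated(text: str, minimum: str = MIN_SPRING_VERSION) -> List[Tuple[str, str]]:
    """Spring Framework artifacts resolved below `minimum`, as sorted (artifact, version) pairs."""
    hits = {
        (artifact, version)
        for group, artifact, version in parse_tree(text)
        if group == SPRING_FRAMEWORK_GROUP and is_below(version, minimum)
    }
    return sorted(hits)


if __name__ == "__main__":
    # Usage on a real build:  mvn dependency:tree | python audit_spring.py
    # With no piped input the constructed sample is audited instead.
    source = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    outdated = find_outdated(source)
    for artifact, version in outdated:
        print(f"{SPRING_FRAMEWORK_GROUP}:{artifact}:{version} is below {MIN_SPRING_VERSION}")
    sys.exit(1 if outdated else 0)
```

Run against a multi-module build, the non-zero exit makes the check usable as a CI gate after the bump. Comparison is on numeric components only, so a `.RELEASE` or `-SNAPSHOT` qualifier does not confuse the ordering; the flip side is that pre-release builds of the same number are treated as equal to the release, which is acceptable for a lower-bound check like this one.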