Update dependencies for the maint-11 branch

Description

To address CVE-2023-20861 and CVE-2023-20860.

The remote host contains a Spring Framework version that is affected by a denial of service (DoS) vulnerability. It is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host contains a Spring Framework version that is affected by a security bypass vulnerability. Using ** as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Environment

None

Activity

Ian Young, March 19, 2024 at 11:38 AM

As reported in mail, I reckon this is done, with Spring Framework in particular at 5.3.33.

All other patch-level updates have been done with minor exceptions:

  • `cryptacular` 1.2.5 to 1.2.6 requires a newer BouncyCastle which I didn't want to futz with.

  • hibernate-core 5.4.30.Final to 5.4.33: key issues

  • Test dependencies in general.

    • hsqldb 2.7.1 to 2.7.2

    • testng

    • xmlunit

  • Major and minor updates. This includes Guava and Bouncy Castle:

    • BouncyCastle 1.72 to 1.76 in particular as I recall there's a compatibility issue somewhere in that region.
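The version check implied by the comment above, as an added example (this is not code from this issue or from the Shibboleth or Spring projects): it parses the output of `mvn dependency:list` and flags any listed artifact whose resolved version is below a minimum. The sample output, the artifact set and the `MINIMUMS` thresholds are constructed for the example; 5.3.26 is taken from the Spring advisories for CVE-2023-20860 and CVE-2023-20861 as the first 5.3.x release containing the fixes, not from this page, so adjust the table to the advisory you are tracking.

```python
"""Flag Maven dependencies resolved below a minimum fixed version.

Added example; not code from this issue or from the Shibboleth or Spring
projects. Feed it the output of `mvn dependency:list` and it reports every
artifact in MINIMUMS whose resolved version is older than required.
"""
import re
import sys

# groupId:artifactId -> minimum acceptable version.
# Assumption: 5.3.26 is the Spring Framework 5.3.x release that fixed
# CVE-2023-20860 and CVE-2023-20861 (from the Spring advisories, not this page).
MINIMUMS = {
    "org.springframework:spring-core": "5.3.26",
    "org.springframework:spring-expression": "5.3.26",
    "org.springframework:spring-webmvc": "5.3.26",
}

# One resolved artifact per line, as printed by dependency:list:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+:(?:[^:\s]+:)?([^:\s]+):"
    r"(compile|runtime|test|provided|system)\b"
)

# Constructed sample of dependency:list output (module name and versions invented
# for the example; spring-expression is deliberately left one release behind).
SAMPLE = """\
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ example-webapp ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.33:compile
[INFO]    org.springframework:spring-expression:jar:5.3.25:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.33:compile
[INFO]    org.hibernate:hibernate-core:jar:5.4.30.Final:compile
[INFO]    org.hsqldb:hsqldb:jar:2.7.1:test
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.72:compile
"""


def version_key(version):
    """Sort key for Maven-style versions: numeric segments compare as integers,
    qualifiers such as Final or RELEASE compare as strings after any number.
    A version that extends another with equal prefix sorts higher
    ("5.3.33.RELEASE" > "5.3.33"); good enough for release-line comparisons.
    """
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part)) if part.isdigit() else (1, part.lower()))
    return tuple(key)


def parse_dependency_list(text):
    """Return {'groupId:artifactId': version} for each resolved artifact line."""
    resolved = {}
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m:
            group, artifact, version = m.group(1), m.group(2), m.group(3)
            resolved[f"{group}:{artifact}"] = version
    return resolved


def find_outdated(resolved, minimums=MINIMUMS):
    """List (coordinate, resolved, minimum) for artifacts below their minimum.

    Artifacts in minimums that are not present in the resolved set are skipped;
    they are not on the classpath and so not the vulnerable code.
    """
    hits = []
    for coordinate in sorted(minimums):
        actual = resolved.get(coordinate)
        if actual is not None and version_key(actual) < version_key(minimums[coordinate]):
            hits.append((coordinate, actual, minimums[coordinate]))
    return hits


if __name__ == "__main__":
    # Usage: mvn dependency:list | python check_versions.py -   (or no args for SAMPLE)
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    for coordinate, actual, minimum in find_outdated(parse_dependency_list(text)):
        print(f"OUTDATED {coordinate} resolved {actual}, need >= {minimum}")
```

Run it against the real branch with `mvn dependency:list | python check_versions.py -`; because it reads the resolved versions rather than the declared ones, it also catches a transitive pin that leaves one Spring module behind the others, which is what the constructed sample shows for spring-expression.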

Scott Cantor, March 14, 2024 at 4:38 PM

We will be patching the IdP after all for a different Spring issue, so this will be addressed. Moving this over to the parent project.

Scott Cantor, February 5, 2024 at 1:48 PM

The advisories page is where we explicitly note what we have reviewed and whether it’s relevant or not. If it’s not noted there, we don’t necessarily know about it.

The branch is not current, but will be if/when we issue a release.

jason pyeron, February 5, 2024 at 1:43 PM (Edited)

Thanks, I did check the advisories page first, did not see anything about it - because “no relevance for us”.

Feel free to “won't fix” then. I was unable to trace through the code to confirm that these Spring features are not used.

jason pyeron, February 5, 2024 at 1:41 PM

Looking at , I see the parent pom AND the local pom are updated.

Chasing the dragon on CVEs - should be 5.3.31

See: and

Details

Created February 5, 2024 at 1:16 PM
Updated March 19, 2024 at 11:38 AM