fix(deps): update springversion [security] (major) #2942 (Closed)
renovate[bot] wants to merge 1 commit into
bjagg added a commit that referenced this pull request on Apr 27, 2026:
Problem: Renovate keeps opening major-bump PRs (Spring 5/6, Spring Security 5+, Hibernate 5+) because the Maven Central versions newer than what we pin in gradle.properties show up as available, and [security] flags in those PRs amplify the noise. Each major is a coordinated migration we are not ready for, and we close them by hand every cycle. Recent examples: #2937, #2940, #2941, #2942.

Goal: encode the migration constraints in renovate.json so Renovate stops offering majors that won't be merged. Stays consistent with the same pinning pattern applied across the portlet repos in the recent sweep (AnnouncementsPortlet, basiclti-portlet, FeedbackPortlet, NotificationPortlet, etc.).

Changes:
- renovate.json: add three packageRules entries with allowedVersions
  - org.springframework:* / .data:* / .webflow:* → < 5.0 (Spring 5+ requires a coordinated API migration; Spring 6+ adds Jakarta EE + Java 17 on top.)
  - org.springframework.security:* / .oauth:* → < 5.0 (Bound to the Spring Framework 4.3.x line; moves in lockstep.)
  - org.hibernate:* / org.hibernate.orm:* → < 5.0 (Hibernate 5+ has API + EntityManager changes; 6+ renames the groupId and needs Jakarta EE + Java 17.)

Notes: did not pin Spring LDAP (2.x is the current line; the 2.4.4 bump in #2938 is a minor), Springfox (the 2.10.0 bump in #2935 is also a minor), or Guava (#2939 to v32 is plausible — resource-server already runs guava 32). These can flow through normally.

Closes #2937, #2940 (duplicates).
Closes #2941, #2942 (won't migrate this release).
Refs #2938, #2935, #2939 (allowed to proceed normally).
Member: Closing — superseded by #2948 which pins Spring/Hibernate to
This PR contains the following updates:
- 4.3.30.RELEASE → 5.2.22.RELEASE
- 4.3.30.RELEASE → 5.2.20.RELEASE
- 4.3.30.RELEASE → 5.2.21.RELEASE
- 4.3.30.RELEASE → 6.0.0

Warning: Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Remote Code Execution in Spring Framework
CVE-2022-22965 / GHSA-36p3-wjmg-h94x
Details
Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
These are the prerequisites for the exploit:
- spring-webmvc or spring-webflux dependency

Patches
Workarounds
For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Denial of service in Spring Framework
CVE-2022-22970 / GHSA-hh26-6xwr-ggv7
Details
In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Improper handling of case sensitivity in Spring Framework
CVE-2022-22968 / GHSA-g5mm-vmx4-3rg7
Details
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. Versions 5.3.19 and 5.2.21 contain a patch for this issue.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
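The two advisories above fit together: the Spring4Shell workaround is a disallowedFields deny-list applied after all other binder initialization, and CVE-2022-22968 means that on versions before 5.2.21 / 5.3.19 each pattern has to be listed in both capitalisations or it does not match. The following is an added example, not code from the advisories, from Renovate or from this repository, of the fail-safe variant for a plain WAR on Tomcat without Spring Boot, where the WebMvcRegistrations hook does not exist: a DelegatingWebMvcConfiguration subclass (which stands in for @EnableWebMvc) plugs in a RequestMappingHandlerAdapter whose binder factory re-applies the deny-list after the controller's @InitBinder methods have run, so a local setDisallowedFields(...) call cannot drop the "class.*" patterns. It assumes Java-based Spring MVC configuration; the package, class and pattern names are assumptions.

```java
package example.security; // assumed package name

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.config.annotation.DelegatingWebMvcConfiguration;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

/**
 * Replaces @EnableWebMvc. Registers a RequestMappingHandlerAdapter whose binder
 * factory appends the Spring4Shell deny-list AFTER every @InitBinder method has
 * run, so a controller calling setDisallowedFields(...) locally cannot remove it.
 * (Assumed class name; example code, not part of the project.)
 */
@Configuration
public class HardenedWebMvcConfiguration extends DelegatingWebMvcConfiguration {

    // Both capitalisations of each segment are listed because, before
    // 5.2.21 / 5.3.19 (CVE-2022-22968), disallowedFields patterns are
    // case sensitive on the first character of every path segment.
    static final String[] DENIED_FIELD_PATTERNS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    /** Hook available since Spring 4.3 for plugging in a custom adapter subclass. */
    @Override
    protected RequestMappingHandlerAdapter createRequestMappingHandlerAdapter() {
        return new HardenedRequestMappingHandlerAdapter();
    }

    static class HardenedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(
                List<InvocableHandlerMethod> binderMethods) throws Exception {

            return new ServletRequestDataBinderFactory(binderMethods, getWebBindingInitializer()) {
                @Override
                public void initBinder(WebDataBinder binder, NativeWebRequest request) throws Exception {
                    // Let the global WebBindingInitializer (already applied by the
                    // caller) and the controller's own @InitBinder methods run first ...
                    super.initBinder(binder, request);
                    // ... then re-assert the deny-list on top of whatever they configured.
                    binder.setDisallowedFields(mergeDisallowedFields(binder.getDisallowedFields()));
                }
            };
        }
    }

    /** Appends the deny-list to the existing patterns (may be null) without duplicates. */
    static String[] mergeDisallowedFields(String[] existing) {
        Set<String> merged = new LinkedHashSet<String>();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        merged.addAll(Arrays.asList(DENIED_FIELD_PATTERNS));
        return merged.toArray(new String[merged.size()]);
    }
}
```

Two caveats for a repository like this one. First, the hook covers Spring MVC servlet controllers only; Spring Portlet MVC controllers (org.springframework.web.portlet, removed in Spring 5.0) bind requests through their own handler adapter and are not touched by it. Second, if the web application is wired with XML (`<mvc:annotation-driven>`), the same adapter subclass has to be declared as the RequestMappingHandlerAdapter bean by hand instead of through createRequestMappingHandlerAdapter(). Either way the deny-list is a mitigation, not a fix: the binding path itself is only closed by the patched versions named above.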
Pivotal Spring Framework contains unsafe Java deserialization methods
CVE-2016-1000027 / GHSA-4wrc-f8pq-fpqp
Details
Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required.
Maintainers recommend investigating alternative components or a potential mitigating control. Versions 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecates the impacted classes, and version 6.0.0 removes them entirely.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring Framework URL Parsing with Host Validation Vulnerability
CVE-2024-22259 / GHSA-hgjh-9rj2-g67j
Details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (CWE-601, https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring Framework URL Parsing with Host Validation
CVE-2024-22262 / GHSA-2wrp-6fg6-hmc5
Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (CWE-601, https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Spring Framework DoS via conditional HTTP request
CVE-2024-38809 / GHSA-2rmj-mq67-h97g
Details
Description
Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions
org.springframework:spring-web in versions
- 6.1.0 through 6.1.11
- 6.0.0 through 6.0.22
- 5.3.0 through 5.3.37
- Older, unsupported versions are also affected

Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
- 6.1.x -> 6.1.12
- 6.0.x -> 6.0.23
- 5.3.x -> 5.3.38
No other mitigation steps are necessary.
Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.

Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
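The advisory's fallback for versions that will not be upgraded is a Filter that bounds the If-Match and If-None-Match headers before Spring's ETag parsing sees them. The following is an added example (not code from the advisory, from Renovate or from this project) of such a filter against the javax.servlet API the 4.3.x line runs on: it sums the length of every occurrence of each guarded header, since a client can repeat a header instead of sending one long value, and answers 431 when the total exceeds the limit. The class name, the 1024-character default and the maxHeaderChars init-param name are assumptions.

```java
package example.security; // assumed package name

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests whose If-Match / If-None-Match headers exceed a fixed
 * length before they reach the DispatcherServlet (mitigation for
 * CVE-2024-38809 on versions that cannot be upgraded).
 * Assumed class name; example code, not part of the project.
 */
public class ConditionalHeaderSizeFilter implements Filter {

    /** Assumed default. Real ETags are a few dozen characters each, so 1024 is generous. */
    static final int DEFAULT_MAX_CHARS = 1024;

    static final String[] GUARDED_HEADERS = { "If-Match", "If-None-Match" };

    private int maxChars = DEFAULT_MAX_CHARS;

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter("maxHeaderChars"); // assumed init-param name
        if (configured != null) {
            maxChars = Integer.parseInt(configured.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        for (String header : GUARDED_HEADERS) {
            if (headerLength(request, header) > maxChars) {
                // 431 Request Header Fields Too Large; the Servlet 3.x API has no constant for it.
                ((HttpServletResponse) res).sendError(431, header + " header exceeds " + maxChars + " characters");
                return; // do not continue the chain, so ETag parsing never runs
            }
        }
        chain.doFilter(req, res);
    }

    /** Total length across all occurrences of the header; 0 when absent. */
    static int headerLength(HttpServletRequest request, String name) {
        int total = 0;
        Enumeration<String> values = request.getHeaders(name);
        while (values != null && values.hasMoreElements()) {
            total += values.nextElement().length();
        }
        return total;
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in web.xml (or via a ServletContainerInitializer) on the DispatcherServlet's URL pattern, ahead of any filter that itself reads these headers. Tomcat's connector maxHttpHeaderSize (8 KB by default) only caps the size of the whole header block, so a per-header limit like this one is meaningfully tighter; the check is on characters, which for HTTP header values is effectively the byte count.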
Release Notes

spring-projects/spring-framework (org.springframework:spring-beans)

- v5.2.22.RELEASE: New Features; Bug Fixes
- v5.2.21.RELEASE: New Features; Bug Fixes
- v5.2.20.RELEASE: New Features
- v5.2.19.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
- v5.2.18.RELEASE: New Features; Bug Fixes; Dependency Upgrades
- v5.2.17.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
  - Documentation: prepareTestInstance() is invoked when using the SpringMethodRule #27312
- v5.2.16.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
  - Documentation: @Transactional examples regarding method visibility #27005
  - Documentation: @Transactional docs regarding method visibility #27004
  - Documentation: @TransactionalEventListener after completion methods #26979
- v5.2.15.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
  - Bug Fixes: @ModelAttribute(binding=false) is not honored with WebFlux #26888
- v5.2.14.RELEASE: New Features; Bug Fixes; Dependency Upgrades
  - Bug Fixes: @DirtiesContext not applied when class-level @EnabledIf evaluates to false #26697
  - Bug Fixes: @CrossOrigin maxAge value should override global value #26620
  - Bug Fixes: @Component #26584
- v5.2.13.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
  - Bug Fixes: @Nullable value but throws NullPointerException #26277
- v5.2.12.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
  - Documentation: @Transactional does not propagate to new threads #26102
- v5.2.11.RELEASE: New Features; Bug Fixes; Documentation
- v5.2.10.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades
  - New Features: @RequestPart multipart controllers with Servlet MockPart #25829
  - Bug Fixes: @ActiveProfiles with same profiles but different order results in duplicate ApplicationContext #25973
- v5.2.9.RELEASE: New Features; Bug Fixes; Documentation; Dependency Upgrades; Contributors
  - New Features: @FunctionalInterface #25571
  - Bug Fixes: @RestControllerAdvice annotation attributes #25520
  - Bug Fixes: @Bean method with name mismatch causes bean to be created twice (in case of ASM processing) #25263
  - Documentation: @RestController and Webflux #25596
  - Documentation: @Bean javadoc and ConfigurationClassEnhancer #25590
  - Documentation: @RequestMapping#params #25482
  - Contributors: We'd like to thank all the contributors who worked on this release!
- v5.2.8.RELEASE: New Features
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.