Update dependency org.springframework:spring-web to v6 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework:spring-web	5.3.31 -> 6.0.0

GitHub Vulnerability Alerts

CVE-2016-1000027

Pivotal Spring Framework before 6.0.0 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required.

Maintainers recommend investigating alternative components or a potential mitigating control. Version 4.2.6 and 3.2.17 contain enhanced documentation advising users to take precautions against unsafe Java deserialization, version 5.3.0 deprecate the impacted classes and version 6.0.0 removed it entirely.

CVE-2024-22243

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.

CVE-2024-22259

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243, but with different input.

CVE-2024-22262

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

CVE-2024-38809

Description

Applications that parse ETags from If-Match or If-None-Match request headers are vulnerable to DoS attack.

Affected Spring Products and Versions

org.springframework:spring-web in versions

6.1.0 through 6.1.11
6.0.0 through 6.0.22
5.3.0 through 5.3.37

Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
6.1.x -> 6.1.12
6.0.x -> 6.0.23
5.3.x -> 5.3.38
No other mitigation steps are necessary.

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-web)

v6.0.0

Compare Source

See What's New in Spring Framework 6.x and Upgrading to Spring Framework 6.x for upgrade instructions and details of new features.

⭐ New Features

• Avoid direct URL construction and URL equality checks #​29486
• Simplify creating RFC 7807 responses from functional endpoints #​29462
• Allow test classes to provide runtime hints via declarative mechanisms #​29455

📔 Documentation

• Align javadoc of DefaultParameterNameDiscoverer with its behavior #​29494
• Document AOT support in the TestContext framework #​29482
• Document Ahead of Time processing in the reference guide #​29350

🔨 Dependency Upgrades

• Upgrade to Reactor 2022.0.0 #​29465

❤️ Contributors

Thank you to all the contributors who worked on this release:

@​ophiuhus and @​wilkinsona

v5.3.39

Compare Source

⭐ New Features

• SimpleEvaluationContext should disable array allocation #​33386

v5.3.38

Compare Source

⭐ New Features

• Efficient handling of conditional HTTP requests #​33378

🐞 Bug Fixes

• Fix incorrect weak ETag validation #​33377
• SimpleEvaluationContext does not enforce read-only semantics #​33320
• ConversionService cannot convert primitive array to Object[] #​33314
• SpEL Indexer silently ignores failure to set property as index #​33312
• Mockito mock falsely initialized as CGLIB proxy with AspectJ aspect #​33142
• "file:." cannot be resolved to java.nio.file.Path (and plain "." value resolves to classpath root) #​33140

📔 Documentation

• Typo in Annotation-driven Listener Endpoints section of Spring Framework documentation #​33052
• Container Extension Points section of Spring Framework documentation refers to the wrong property name #​33039
• Incorrect constructor details in the javadoc for ApplicationContextEvent #​33034

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.47 #​33322

v5.3.37

Compare Source

⭐ New Features

• AnnotationUtils performance degrades with deep stacks #​32923

🐞 Bug Fixes

• AspectJ CTW aspects executed twice #​32974
• SpEL compilation fails when indexing into a Map with a primitive #​32911
• SpEL compilation fails when indexing into an array or list with an Integer #​32909
• Application not starting with @EnableTransactionManagement(mode = AdviceMode.ASPECTJ) #​32885

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.45 #​33010

v5.3.36

Compare Source

🐞 Bug Fixes

• Overridden aspect method runs twice #​32868
• @DateTimeFormat(iso = DateTimeFormat.ISO.DATE\_TIME) cannot convert UTC without milliseconds to java.util.Date #​32860
• Spring AOP fails against registered @Configurable aspect #​32840

v5.3.35

Compare Source

⭐ New Features

• Accept ajc-compiled @Aspect classes for Spring AOP proxy usage #​32818

🐞 Bug Fixes

• DeferredQueryInvocationHandler fails to unwrap QuerySqmImpl class outside of transaction #​32770
• MergedAnnotations search does not find container for repeatable annotation #​32751
• AnnotationConfigWebApplicationContext should propagate ApplicationStartup to BeanFactory #​32749
• Ignore non-String keys in PropertiesPropertySource.getPropertyNames() #​32744
• "multiple subscribers not supported" when using WebClient exchange #​32728
• Deadlock/Stall in ConcurrentWebSocketSessionDecorator with Undertow 2.3.10 #​32698

📔 Documentation

• Correct documentation on streaming with MockMvcWebTestClient #​32723
• Update links to HttpOnly documentation at OWASP in ResponseCookie #​32668

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.44 #​32788

v5.3.34

Compare Source

⭐ New Features

• Log column type for limited support message in JdbcUtils.getResultSetValue #​32603
• Avoid additional unnecessary Annotation array cloning in TypeDescriptor #​32477
• Avoid cloning empty Annotation array in TypeDescriptor #​32466

🐞 Bug Fixes

• Refine scheme, userinfo, host and port parsing in UriComponentsBuilder #​32618
• MethodIntrospector.selectMethods() fails to detect bridge methods across ApplicationContexts #​32588
• JmsUtils.commitIfNecessary catches and ignores JMS IllegalStateException, losing message with ActiveMQ Artemis #​32480
• Consistently apply TaskDecorator to ManagedExecutorService as well #​32457

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.43 #​32594

v5.3.33

Compare Source

⭐ New Features

• Extract reusable method for URI validations #​32442
• Allow UriTemplate to be built with an empty template #​32438
• Refine *HttpMessageConverter#getContentLength return value null safety #​32332

🐞 Bug Fixes

• AopUtils.getMostSpecificMethod does not return original method for proxy-derived method anymore #​32369
• Better protect against concurrent error handling for async requests #​32342
• Restore Jetty 10 compatibility in JettyClientHttpResponse #​32337
• ContentCachingResponseWrapper no longer honors Content-Type and Content-Length #​32322

📔 Documentation

• Build KDoc against 5.3.x Spring Framework Javadoc #​32414

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.42 #​32422

v5.3.32

Compare Source

⭐ New Features

• Add CORS support for Private Network Access #​31974
• Avoid early getMostSpecificMethod resolution in CommonAnnotationBeanPostProcessor #​31969

🐞 Bug Fixes

• Consistent parsing of user information in UriComponentsBuilder #​32247
• QualifierAnnotationAutowireCandidateResolver.checkQualifier does identity checks when comparing arrays used as qualifier fields #​32108
• Guard against multiple body subscriptions in Jetty and JDK reactive responses #​32101
• Static resources caching issues with ShallowEtagHeaderFilter and Jetty caching directives #​32051
• ChannelSendOperator.WriteBarrier race condition in request(long) method leads to response being dropped #​32021
• Spring AOP does not propagate arguments for dynamic prototype-scoped advice #​31964
• MergedAnnotation swallows IllegalAccessException for attribute method #​31961
• CronTrigger hard-codes default ZoneId instead of participating in scheduler-wide Clock setup #​31950
• MergedAnnotations finds duplicate annotations on method in multi-level interface hierarchy #​31825
• PathEditor cannot handle absolute Windows paths with forward slashes #​31728
• Include Hibernate's Query.scroll() in SharedEntityManagerCreator's queryTerminatingMethods set #​31684
• TypeDescriptor does not check generics in equals method (for ConversionService caching) #​31674
• Slow SpEL performance due to method sorting in ReflectiveMethodResolver #​31665
• Jackson encoder releases resources in wrong order #​31657
• WebSocketMessageBrokerStats has null stats for stompSubProtocolHandler since 5.3.2 #​31642

📔 Documentation

• Document cron-vs-quartz parsing convention for dayOfWeek part in CronExpression #​32131

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.41 #​32276

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.