fix(deps): update dependency org.springframework:spring-webmvc to v5.3.18 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
org.springframework:spring-webmvc	5.3.15 -> 5.3.18

GitHub Vulnerability Alerts

CVE-2022-22965

Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.

Impact

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

These are the prerequisites for the exploit:

• JDK 9 or higher
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc or spring-webflux dependency

Patches

• Spring Framework 5.3.18 and 5.2.20
• Spring Boot 2.6.6 and 2.5.12

Workarounds

For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.

To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

---

Release Notes

spring-projects/spring-framework (org.springframework:spring-webmvc)

v5.3.18

Compare Source

⭐ New Features

• Restrict access to property paths on Class references #​28261
• Introduce cancel(boolean mayInterruptIfRunning) in ScheduledTask #​28233

🐞 Bug Fixes

• Move off deprecated API in SessionTransactionData #​28234

📔 Documentation

• Introduce warnings in documentation of SerializationUtils #​28246
• Update copyright date in reference manual #​28237
• @Transactional test does not execute all JPA lifecycle callback methods #​28228

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​izeye
• @​quaff

v5.3.17

Compare Source

⭐ New Features

• Using DataClassRowMapper causes "No property found for column" debug messages in logs #​28179
• Improve diagnostics in SpEL for large array creation #​28145
• Support custom HTTP status in client-side REST testing support #​28105
• AsyncRestTemplate logging too verbose #​28049

🐞 Bug Fixes

• java.lang.NoClassDefFoundError: org/springframework/cglib/beans/BeanMapEmitter #​28110
• CronExpression fails to calculate properly next execution when running on the day of winter daylight saving time #​28095
• Private init/destroy method may be invoked twice #​28083
• MappingJacksonValue and Jackson2CodecSupport#registerObjectMappersForType do not work together #​28045
• SpEL fails to recover from error during MIXED mode compilation #​28043
• When returning a ResponseEntity with a Flux while the function is suspended, it fails to encode the body #​27809

📔 Documentation

• Improve documentation for @EnabledIf and @DisabledIf test support #​28157
• Links to Spring Security are broken in the reference guide #​28135
• Document that transaction rollback rules may result in unintentional matches #​28125
• Improve documentation for TestContext events #​27757
• Clarify behavior for generics support in BeanUtils.copyProperties #​27259

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.17 #​28064

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​gorisanson
• @​danthonywalker
• @​AzZureman

v5.3.16

Compare Source

⭐ New Features

• Deprecate SocketUtils #​28052
• Add convenience factory method for ManagedList, ManagedSet and ManagedMap #​28026
• Synthesized annotation toString() doesn't match non-synthesized annotation on Java 9+ #​28015
• Add support for strict JSON comparison in WebTestClient #​27993
• Improve log message when searching for default executor for async processing #​27983
• Inconsistent behaviour in spring-orm between EntityManagerFactoryUtils.closeEntityManager() and SessionFactoryUtils.closeSession() #​27972
• Spring AOP cannot generate proxy for lambda on Java 16+ #​27971
• RestTemplate reading Json prohibits JDK HttpClient connection reuse (keep-alive) #​27969
• Deprecate AsyncTaskExecutor.execute(Runnable task, long startTimeout) #​27959
• Add CacheErrorHandler implementation that logs exceptions rather than rethrowing them #​27826
• Support for CGLIB BeanMap utility on JDK 17 #​27802
• Avoid message listener recovery in case of persistence exceptions from external transaction manager #​1807

🐞 Bug Fixes

• Fix CronExpression fails to calculate next execution on the day of daylight saving time #​28044
• CronExpression fails to calculate next execution on the day of daylight saving time #​28038
• Using recursive annotations in Kotlin causes stack overflow #​28012
• Add formatting for SockJS close GoAway frame to prevent infinite loop for xhr-polling and xhr-streaming transport #​28000
• Reflective method invocation does not detect interface method when interface is declared in a subclass (e.g. HashMap.HashIterator.hasNext) #​27995
• ReflectionUtils.USER_DECLARED_METHODS does not filter methods declared in java.lang.Object #​27970
• CronExpression doesn't handle Quartz weekday of month expressions correctly #​27966
• ServletServerHttpRequest getHeaders() throws IllegalArgumentException instead of ignoring invalid content type / #​27957
• PropertySourcesPlaceholderConfigurer ignores ignoreUnresolvablePlaceholders flag #​27947
• Fix regression in BeanPropertyRowMapper regarding underscore name #​27941
• WebClient corrupts binary data when trying to upload many files #​27939
• Spring fails to determine XML is XSD-based if DOCTYPE appears in a comment #​27915
• ResourceHttpRequestHandler with PathPatternParser cannot resolve resources with a jsessionid URL #​27913

📔 Documentation

• Improve documentation for uri(URI) method in WebTestClient regarding base URI #​28058
• Polish reference docs (core) #​28004
• Fix ServletUriComponentsBuilder examples in ref docs #​27984
• Improve documentation for implementing AspectJ around advice #​27980
• Fix CaffeineCacheManager configuration in the documentation #​27967
• Fix Javadoc links to JSR 305 annotations #​27904
• Document how to register annotated classes with a GenericWebApplicationContext #​27778

🔨 Dependency Upgrades

• Upgrade to Reactor 2020.0.16 #​28039

❤️ Contributors

We'd like to thank all the contributors who worked on this release!

• @​wkwkhautbois
• @​arey
• @​izeye
• @​elgleidson
• @​An1s9n
• @​drewtul
• @​Drezir
• @​mgmeiner
• @​vikeychen
• @​zbykovskyi
• @​mdeinum
• @​shirohoo

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.