[Security] Bump spring.version from 2.5.6.SEC03 to 5.1.4.RELEASE

[dependabot-preview]

Bumps spring.version from 2.5.6.SEC03 to 5.1.4.RELEASE.

Updates spring-webmvc from 2.5.6.SEC03 to 5.1.4.RELEASE. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2016-9878] Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Affected versions: [1.2.1, 3.1.4]; [3.2.0, 3.2.18); [4.2.0, 4.2.9); [4.3.0, 4.3.5)

Release notes

Sourced from spring-webmvc's releases.

4.3.11 Release

⭐ New Features

• [**Lazy**](https://github.com/Lazy) collection of optional elements should not crash when no candidates are found [SPR-15858] #20413
• WebAsyncManager should cancel task thread on timeout [SPR-15852] #20407
• Consistent logging in Environment and PropertySource implementations [SPR-15825] #20380

🪲 Bug Fixes

• StompDecoder Logs Null Session IDs for Heartbeats [SPR-15937] #20491
• Error on type argument constraint validation failure [SPR-15916] #20470
• StringIndexOutOfBoundsException from RestTemplate.doExecute IOException handler when query string is empty [SPR-15900] #20454
• SimpleAsyncTaskExecutor not respect ConcurrencyThrottleSupport.NO_CONCURRENCY limit [SPR-15895] #20449
• Should call getNativeResponse() instead of getNativeRequest() in FrameworkServlet [SPR-15867] #20422
• Unable to use Hibernate Validator 4.3.2 if Bean Validation API 1.1 is on the classpath [SPR-15856] #20411
• SimpleApplicationEventMulticaster does not deal with lambda-defined listeners when ErrorHandler is set [SPR-15838] #20393
• spring-aspects should remain on AspectJ 1.8.9 by default (since aspectjrt 1.8.10 requires Java 7+) [SPR-15836] #20391
• Parameter values are null when making a PUT request [SPR-15828] #20383
• Follow-up: AbstractMethodError when calling validated method of MethodValidationPostProcessor is using a [**Lazy**](https://github.com/Lazy) validator [SPR-15807] #20362
• Logs fill with broken pipe when using SockJS [SPR-15802] #20357
• Invalid WARN when returning a BeanDefinitionRegistryPostProcessor from within a [**Configuration**](https://github.com/Configuration) class [SPR-14603] #19172

4.3.10 Release

⭐ New Features

• Ignore (Auto)Closeable for interface-based proxy decision [SPR-15779] #20334
• Bean factory method collision with configuration class name gives unclear error message [SPR-15775] #20330
• CustomizableTraceInterceptor should allow INVOCATION_TIME placeholder in setExceptionMessage and make stack trace logging configurable [SPR-15763] #20318
• LinkedCaseInsensitiveMap cannot access locale from subclass [SPR-15752] #20307
• ForwardedHeaderFilter should expose option for not converting relative redirects to absolute ones [SPR-15717] #20273
• AbstractValueAdaptingCache does not allow for flexible null value serialization [SPR-15693] #20252
• Fine-tune HTTP/RMI Invoker exception handling [SPR-15684] #20243
• Support CachingHttpAsyncClient from httpasyncclient-cache in HttpComponentsAsyncClientHttpRequestFactory [SPR-15664] #20223
• Cron expression validation method in CronSequenceGenerator improved [SPR-15604] #20163
• Upgrade to Objenesis 2.6 for Google App Engine Standard on Java 8 and for better JDK 9 support [SPR-15600] #20159

🪲 Bug Fixes

• UriUtils.extractFileExtension() does not properly handle all fragments [SPR-15786] #20341
• PropertyOrFieldReference invalidly reuses cached PropertyAccessor [SPR-15769] #20324
• ClassCastException during deserialization of ScopedObject [SPR-15766] #20321
• AbstractJackson2HttpMessageConverter throws exception if log level is ERROR [SPR-15760] #20315
• ReflectionTestUtils accidentally requires spring-aop on the classpath [SPR-15757] #20312
• MockMvc duplicates PUT Parameter value [SPR-15753] #20308
• JSP tags doesn't pick up JSTL-defined time zone at page level [SPR-15746] #20302
• JMS Integration with Tibco causes deadlock while using DefaultMessageListenerContainer [SPR-15738] #20294
• Memory Leak due to not pruning factoryBeanObjectCache when closing the ApplicationContext [SPR-15722] #20278
• WebAsyncManager is not compatible with the crosscontext mode [SPR-15709] #20266
• Netty4ClientHttpRequest does not include port along with host [SPR-15706] #20263
• [**EventListener**](https://github.com/EventListener)'s 'condition' doesn't work as expected with proxied beans [SPR-15678] #20237

... (truncated)

Commits

• See full diff in compare view

Updates spring-core from 2.5.6.SEC03 to 5.1.4.RELEASE. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Sonatype OSS Index.

[CVE-2016-9878] Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Affected versions: (, 3.2.0]; [3.2.1, 3.2.17]; [4.2.0, 4.2.8]; [4.3.0, 4.3.4]

Sourced from The Sonatype OSS Index.

[CVE-2013-4152] Permissions, Privileges, and Access Controls
The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Affected versions: (, 3.2.3]; 4.0.0-m1

Sourced from The Sonatype OSS Index.

[CVE-2014-0054] Cross-Site Request Forgery (CSRF)
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Affected versions: (, 3.2.7]; [4.0.0-m1, 4.0.0-m2]; 4.0.0-rc1; 4.0.1

Sourced from The Sonatype OSS Index.

[CVE-2011-2730] null
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection."

Affected versions: (, 2.5.7-sr01]; (, 3.0.5]

Sourced from The Sonatype OSS Index.

[CVE-2010-1622] Improper Control of Generation of Code ("Code Injection")
SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Affected versions: [2.5.0, 2.5.7]; [3.0.0, 3.0.2]

Sourced from The Sonatype OSS Index.

[CVE-2013-7315] Permissions, Privileges, and Access Controls
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Affected versions: (, 3.2.3]; [4.0.0-m1, 4.0.0-m2]

Sourced from The Sonatype OSS Index.

[CVE-2013-6429] Permissions, Privileges, and Access Controls
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Affected versions: (, 3.2.4]; [4.0.0-m1, 4.0.0-m2]; 4.0.0-rc1

Sourced from The Sonatype OSS Index.

[CVE-2018-1270] Improperly Implemented Security Check for Standard
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Affected versions: (, 4.2.9]; [4.3.0, 4.3.15); [5.0.0, 5.0.5)

Sourced from The Sonatype OSS Index.

[CVE-2018-1271] Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Affected versions: (, 4.2.9]; [4.3.0, 4.3.15); [5.0.0, 5.0.5)

Sourced from The Sonatype OSS Index.

[CVE-2018-1272] Permissions, Privileges, and Access Controls
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Affected versions: (, 4.2.9]; [4.3.0, 4.3.15); [5.0.0, 5.0.5)

Release notes

Sourced from spring-core's releases.

4.3.11 Release

⭐ New Features

• [**Lazy**](https://github.com/Lazy) collection of optional elements should not crash when no candidates are found [SPR-15858] #20413
• WebAsyncManager should cancel task thread on timeout [SPR-15852] #20407
• Consistent logging in Environment and PropertySource implementations [SPR-15825] #20380

🪲 Bug Fixes

• StompDecoder Logs Null Session IDs for Heartbeats [SPR-15937] #20491
• Error on type argument constraint validation failure [SPR-15916] #20470
• StringIndexOutOfBoundsException from RestTemplate.doExecute IOException handler when query string is empty [SPR-15900] #20454
• SimpleAsyncTaskExecutor not respect ConcurrencyThrottleSupport.NO_CONCURRENCY limit [SPR-15895] #20449
• Should call getNativeResponse() instead of getNativeRequest() in FrameworkServlet [SPR-15867] #20422
• Unable to use Hibernate Validator 4.3.2 if Bean Validation API 1.1 is on the classpath [SPR-15856] #20411
• SimpleApplicationEventMulticaster does not deal with lambda-defined listeners when ErrorHandler is set [SPR-15838] #20393
• spring-aspects should remain on AspectJ 1.8.9 by default (since aspectjrt 1.8.10 requires Java 7+) [SPR-15836] #20391
• Parameter values are null when making a PUT request [SPR-15828] #20383
• Follow-up: AbstractMethodError when calling validated method of MethodValidationPostProcessor is using a [**Lazy**](https://github.com/Lazy) validator [SPR-15807] #20362
• Logs fill with broken pipe when using SockJS [SPR-15802] #20357
• Invalid WARN when returning a BeanDefinitionRegistryPostProcessor from within a [**Configuration**](https://github.com/Configuration) class [SPR-14603] #19172

4.3.10 Release

⭐ New Features

• Ignore (Auto)Closeable for interface-based proxy decision [SPR-15779] #20334
• Bean factory method collision with configuration class name gives unclear error message [SPR-15775] #20330
• CustomizableTraceInterceptor should allow INVOCATION_TIME placeholder in setExceptionMessage and make stack trace logging configurable [SPR-15763] #20318
• LinkedCaseInsensitiveMap cannot access locale from subclass [SPR-15752] #20307
• ForwardedHeaderFilter should expose option for not converting relative redirects to absolute ones [SPR-15717] #20273
• AbstractValueAdaptingCache does not allow for flexible null value serialization [SPR-15693] #20252
• Fine-tune HTTP/RMI Invoker exception handling [SPR-15684] #20243
• Support CachingHttpAsyncClient from httpasyncclient-cache in HttpComponentsAsyncClientHttpRequestFactory [SPR-15664] #20223
• Cron expression validation method in CronSequenceGenerator improved [SPR-15604] #20163
• Upgrade to Objenesis 2.6 for Google App Engine Standard on Java 8 and for better JDK 9 support [SPR-15600] #20159

🪲 Bug Fixes

• UriUtils.extractFileExtension() does not properly handle all fragments [SPR-15786] #20341
• PropertyOrFieldReference invalidly reuses cached PropertyAccessor [SPR-15769] #20324
• ClassCastException during deserialization of ScopedObject [SPR-15766] #20321
• AbstractJackson2HttpMessageConverter throws exception if log level is ERROR [SPR-15760] #20315
• ReflectionTestUtils accidentally requires spring-aop on the classpath [SPR-15757] #20312
• MockMvc duplicates PUT Parameter value [SPR-15753] #20308
• JSP tags doesn't pick up JSTL-defined time zone at page level [SPR-15746] #20302
• JMS Integration with Tibco causes deadlock while using DefaultMessageListenerContainer [SPR-15738] #20294
• Memory Leak due to not pruning factoryBeanObjectCache when closing the ApplicationContext [SPR-15722] #20278
• WebAsyncManager is not compatible with the crosscontext mode [SPR-15709] #20266
• Netty4ClientHttpRequest does not include port along with host [SPR-15706] #20263
• [**EventListener**](https://github.com/EventListener)'s 'condition' doesn't work as expected with proxied beans [SPR-15678] #20237

... (truncated)

Commits

• See full diff in compare view

Updates spring-aop from 2.5.6.SEC03 to 5.1.4.RELEASE

Release notes

Sourced from spring-aop's releases.

4.3.11 Release

⭐ New Features

• [**Lazy**](https://github.com/Lazy) collection of optional elements should not crash when no candidates are found [SPR-15858] #20413
• WebAsyncManager should cancel task thread on timeout [SPR-15852] #20407
• Consistent logging in Environment and PropertySource implementations [SPR-15825] #20380

🪲 Bug Fixes

• StompDecoder Logs Null Session IDs for Heartbeats [SPR-15937] #20491
• Error on type argument constraint validation failure [SPR-15916] #20470
• StringIndexOutOfBoundsException from RestTemplate.doExecute IOException handler when query string is empty [SPR-15900] #20454
• SimpleAsyncTaskExecutor not respect ConcurrencyThrottleSupport.NO_CONCURRENCY limit [SPR-15895] #20449
• Should call getNativeResponse() instead of getNativeRequest() in FrameworkServlet [SPR-15867] #20422
• Unable to use Hibernate Validator 4.3.2 if Bean Validation API 1.1 is on the classpath [SPR-15856] #20411
• SimpleApplicationEventMulticaster does not deal with lambda-defined listeners when ErrorHandler is set [SPR-15838] #20393
• spring-aspects should remain on AspectJ 1.8.9 by default (since aspectjrt 1.8.10 requires Java 7+) [SPR-15836] #20391
• Parameter values are null when making a PUT request [SPR-15828] #20383
• Follow-up: AbstractMethodError when calling validated method of MethodValidationPostProcessor is using a [**Lazy**](https://github.com/Lazy) validator [SPR-15807] #20362
• Logs fill with broken pipe when using SockJS [SPR-15802] #20357
• Invalid WARN when returning a BeanDefinitionRegistryPostProcessor from within a [**Configuration**](https://github.com/Configuration) class [SPR-14603] #19172

4.3.10 Release

⭐ New Features

• Ignore (Auto)Closeable for interface-based proxy decision [SPR-15779] #20334
• Bean factory method collision with configuration class name gives unclear error message [SPR-15775] #20330
• CustomizableTraceInterceptor should allow INVOCATION_TIME placeholder in setExceptionMessage and make stack trace logging configurable [SPR-15763] #20318
• LinkedCaseInsensitiveMap cannot access locale from subclass [SPR-15752] #20307
• ForwardedHeaderFilter should expose option for not converting relative redirects to absolute ones [SPR-15717] #20273
• AbstractValueAdaptingCache does not allow for flexible null value serialization [SPR-15693] #20252
• Fine-tune HTTP/RMI Invoker exception handling [SPR-15684] #20243
• Support CachingHttpAsyncClient from httpasyncclient-cache in HttpComponentsAsyncClientHttpRequestFactory [SPR-15664] #20223
• Cron expression validation method in CronSequenceGenerator improved [SPR-15604] #20163
• Upgrade to Objenesis 2.6 for Google App Engine Standard on Java 8 and for better JDK 9 support [SPR-15600] #20159

🪲 Bug Fixes

• UriUtils.extractFileExtension() does not properly handle all fragments [SPR-15786] #20341
• PropertyOrFieldReference invalidly reuses cached PropertyAccessor [SPR-15769] #20324
• ClassCastException during deserialization of ScopedObject [SPR-15766] #20321
• AbstractJackson2HttpMessageConverter throws exception if log level is ERROR [SPR-15760] #20315
• ReflectionTestUtils accidentally requires spring-aop on the classpath [SPR-15757] #20312
• MockMvc duplicates PUT Parameter value [SPR-15753] #20308
• JSP tags doesn't pick up JSTL-defined time zone at page level [SPR-15746] #20302
• JMS Integration with Tibco causes deadlock while using DefaultMessageListenerContainer [SPR-15738] #20294
• Memory Leak due to not pruning factoryBeanObjectCache when closing the ApplicationContext [SPR-15722] #20278
• WebAsyncManager is not compatible with the crosscontext mode [SPR-15709] #20266
• Netty4ClientHttpRequest does not include port along with host [SPR-15706] #20263
• [**EventListener**](https://github.com/EventListener)'s 'condition' doesn't work as expected with proxied beans [SPR-15678] #20237

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

Superseded by #25.