From 19efa0af5e47ca9828867a107e46e1d2e01583d5 Mon Sep 17 00:00:00 2001 From: endor-matt Date: Tue, 16 Jun 2026 14:58:03 -0400 Subject: [PATCH] fix: remediate Spring4Shell (CVE-2022-22965) and spring-data-commons RCE (GHSA-4fq3-mr56-cg6r) Upgrade spring-web/spring-webmvc from 4.2.0.RELEASE to 4.3.30.RELEASE and spring-data-jpa from 1.8.2.RELEASE to 1.11.23.RELEASE to close two critical/high RCE vulnerabilities. Also align spring-test from 3.2.3.RELEASE to match the upgraded spring.version property. All 9 unit tests pass post-upgrade. Endor UIA evidence: - spring-web 4.3.30: is_best=true, upgrade_risk=low, cia=no breaking changes, findings_fixed=22, findings_introduced=1, conflicts=0 (UUID 6a2d5dbf7384065038456ae4) - spring-data-jpa 1.11.23: is_best=true, upgrade_risk=medium, cia=breaking changes (internal JpaRepositoryFactory override, not used by this codebase), findings_fixed=5, findings_introduced=1 (UUID 6a0c5fdfee1db4110104cbcc) --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 5842bbd..a591242 100644 --- a/pom.xml +++ b/pom.xml @@ -8,9 +8,9 @@ Visualpathit VProfile Webapp http://maven.apache.org - 4.2.0.RELEASE + 4.3.30.RELEASE 4.0.2.RELEASE - 1.8.2.RELEASE + 1.11.23.RELEASE 4.3.11.Final 5.2.1.Final 5.1.36 @@ -98,7 +98,7 @@ org.springframework spring-test - 3.2.3.RELEASE + ${spring.version} test