fix(deps): update maven#170
renovate[bot] wants to merge 1 commit into
This PR contains the following updates:
Version changes (package names not shown):
- 2.3.23.Final → 2.3.24.Final
- 1.3.3 → 1.3.5
- 3.8.3 → 3.8.5
- 2.21.0 → 2.21.2
- 1.18.42 → 1.18.46
- 3.8.3 → 3.8.5
- 2.12.5 → 2.12.6
- 2.20.2 → 2.21.2
- 4.0.3 → 4.0.6
- 7.0.5 → 7.0.7
- 7.0.3 → 7.0.5 (×3)
- 4.0.3 → 4.0.6
- 7.0.5 → 7.0.7 (×7)
- 4.0.3 → 4.0.6 (×9)
- 3.1.2.Final → 3.2.1.Final
- 2.25.3 → 2.25.4

Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
Spring Security Vulnerable to User Attribute Enumeration when Using DaoAuthenticationProvider
CVE-2026-22746 / GHSA-vxf7-qj7q-83fh
Details
Vulnerability in Spring Spring Security. If an application is using the `UserDetails#isEnabled`, `#isAccountNonExpired`, or `#isAccountNonLocked` user attributes to enable, expire, or lock users, then `DaoAuthenticationProvider`'s timing attack defense can be bypassed for users who are disabled, expired, or locked. This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Spring Security Core has a TOCTOU race condition when One-Time Token login with JdbcOneTimeTokenService is configured
CVE-2026-22751 / GHSA-x2wq-9x2f-fhj7
Details
Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with `JdbcOneTimeTokenService` are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Spring Framework Improper Path Limitation with Script View Templates
CVE-2026-22737 / GHSA-4773-3jfm-qmx3
Details
Use of Java scripting engine enabled (e.g. JRuby, Jython) template views in Spring MVC and Spring WebFlux applications can result in disclosure of content from files outside the configured locations for script template views. This issue affects Spring Framework: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Spring MVC and WebFlux has Server Sent Event stream corruption
CVE-2026-22735 / GHSA-6hcq-hmm3-jj3c
Details
Spring MVC and WebFlux applications are vulnerable to stream corruption when using Server-Sent Events (SSE). This issue affects Spring Foundation: from 7.0.0 through 7.0.5, from 6.2.0 through 6.2.16, from 6.1.0 through 6.1.25, from 5.3.0 through 5.3.46.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources
CVE-2026-22745 / GHSA-6p4f-wcwh-5vvm
Details
Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources
CVE-2026-22741 / GHSA-wg35-8jpf-2xv3
Details
Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources.
More precisely, an application can be vulnerable when all the following are true:
When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
Spring Boot's default security filter chain has no authorization rule with Actuator but without Health
CVE-2026-40976 / GHSA-8v8j-3hxp-93wr
Details
In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must:
- be a servlet-based web application;
- have no Spring Security configuration of its own and rely on the default web security filter chain;
- depend on spring-boot-actuator-autoconfigure;
- not depend on spring-boot-health.
If any of the above does not apply, the application is not vulnerable.
Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Spring Boot accepts predictable temp directory without ownership verification
CVE-2026-40973 / GHSA-wwpq-f5c3-7hvx
Details
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
CVE-2026-34480 / GHSA-3pxv-7cmr-fjr4
Details
Apache Log4j Core's `XmlLayout`, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification, producing invalid XML output whenever a log message or MDC value contains such characters.
The impact depends on the StAX implementation in use:
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Apache Log4j Core: log injection in Rfc5424Layout due to silent configuration incompatibility
CVE-2026-34478 / GHSA-445c-vh5m-36rj
Details
Apache Log4j Core's `Rfc5424Layout`, in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure `Rfc5424Layout` directly:
- The `newLineEscape` attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
- The `useTlsMessageFormat` attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.
Users of the `SyslogAppender` are not affected, as its configuration attributes were not modified.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration
CVE-2026-34477 / GHSA-6hg6-v5c8-fphq
Details
The fix for CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the `log4j2.sslVerifyHostName` system property, but not when configured through the `verifyHostName` attribute of the `<Ssl>` element.
Although the `verifyHostName` configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.
A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:
This issue does not affect users of the HTTP appender, which uses a separate `verifyHostname` attribute that was not subject to this bug and verifies host names by default.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Severity
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N
Release Notes
undertow-io/undertow (io.undertow:undertow-servlet)
v2.3.24.Final (Compare Source)
reactor/reactor-netty (io.projectreactor.netty:reactor-netty)
v1.3.5 (Compare Source)
Reactor Netty 1.3.5 is part of 2025.0.5 Release Train.
What's Changed
✨ New features and improvements
- Reactor Core v3.8.5 by @violetagg in b68daca, see release notes
- Netty v4.2.12.Final by @violetagg in #4167
- Netty QUIC Codec v0.0.75.Final by @violetagg in #4148
- Brave v6.3.1 by @dependabot[bot] in #4159
- `uri` construction with `baseUrl` in `HttpClientHandler` by @violetagg in #4130
- `UriEndpoint#toSocketAddressStringWithoutDefaultPort` by @violetagg in #4131
- `SocketAddress` in `UriEndpoint` for absolute URLs by @violetagg in #4132
- `HttpClientOperations#resourceUrl` by @violetagg in #4135
- `path` in `UriEndpoint` when `URI` is provided by @violetagg in #4136
- HTTP/2 `WebSocket` extension handlers by @violetagg in #4152
- `Flux` body accumulation for `GET`/`HEAD`/`DELETE` requests by @violetagg in #4164
- HTTP/3 connection pool max streams handling by @violetagg in #4182
🐞 Bug fixes
- `StackOverflowError` in `ServerTransport` graceful shutdown by @violetagg in #4181
- `Http2Pool` by @violetagg in #4180
New Contributors
Full Changelog: reactor/reactor-netty@v1.3.4...v1.3.5
v1.3.4 (Compare Source)
Reactor Netty 1.3.4 is part of 2025.0.4 Release Train.
What's Changed
✨ New features and improvements
- Reactor Core v3.8.4 by @chemicL in 53e8319, see release notes
- `DefaultChannelId` generation for `DisposedChannel` by @violetagg in #4095
- `maxConcurrentStreams` update via `SETTINGS` frame handler by [@violetagg](https://redirect.github.com/violet
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.