Spring Boot 3.3.5 fixing tomcat request/response mixup between users

Description

Upgrade Spring Boot from 3.3.4 to 3.3.5.

This indirectly upgrades tomcat-embed-core from 10.1.30 to 10.1.31 fixing https://nvd.nist.gov/vuln/detail/CVE-2024-52317

The fix has been merged to master branch: https://github.com/folio-org/mod-roles-keycloak/pull/170/files

We need a back-port to Ramsons branch b2.0 and a Ramsons bug fix release.

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

defines

UXPROD-4846

Component Ownership Phase 6

implements

SECURITY-244

CVE-2024-52317 - tomcat-embed-core mix-up - Analysis of vulnerability - Ramsons bugfix

Checklist

hide

Activity

Show:

Done

Details

Assignee

Julian Ladisch

Reporter

Julian Ladisch

Labels

back-endepam-eurekanon-testablesecurity

Priority

Story Points

Sprint

None

Development Team

Eureka

Fix versions

2.0.9

Release

Ramsons (R2 2024) Bug Fix

RCA Group

Related dependency upgrade

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created December 17, 2024 at 9:37 PM

Updated January 2, 2025 at 3:25 PM

Resolved January 2, 2025 at 3:20 PM

Configure

TestRail: Cases

TestRail: Runs