Find, fix and prevent vulnerabilities in your code.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

• Apache Pony Mail
• GitHub Commit

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing input size validation when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values, causing the application to exhaust all available resources.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub PR

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Stack-based Buffer Overflow due to the parse process, which accepts an unlimited input file with deeply nested data. An attacker can cause a stack overflow and crash the application by providing input files with excessively deep nesting.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.

References

• GitHub Commit
• GitHub PR

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when parsing multipart uploads, which apply the UndertowOptions.MULTIPART_MAX_ENTITY_SIZE option. An attacker can exhaust system memory by submitting large amounts of form data encoded with application/x-www-form-urlencoded.

Remediation

A fix was pushed into the master branch but not yet published.

References

• GitHub PR
• GitHub PR
• GitHub Release
• Jira Issue
• Red Hat Bugzilla Bug
• Red Hat Security Advisory

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling (MadeYouReset) through malformed client requests that trigger repeated server-side stream resets without incrementing abuse counters. An attacker can exhaust server resources by sending specially crafted HTTP/2 requests that cause excessive workload through repeated stream aborts.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade io.undertow:undertow-core to version 2.2.38.Final, 2.3.20.Final or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• Red Hat Bugzilla Bug
• Vulnerability Research

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Denial of Service (DoS) through the wildfly-http-client protocol, due to the WriteTimeoutStreamSinkConduit process. This vulnerability can be exploited by repeatedly opening and closing connections immediately, which triggers memory and file descriptor leaks.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade io.undertow:undertow-core to version 2.2.31.Final, 2.3.12.Final or higher.

References

• GitHub Commit
• GitHub Commit
• Red Hat Bugzilla Bug
• Red Hat Issues

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Uncontrolled Recursion in chunked response handling. An attacker can cause a client to wait indefinitely by sending excessive data without a 0\r\n termination sequence in chunked responses, thereby disrupting service to the server.

Note: This is only exploitable when using NewSessionTicket functionality in TLS 1.3 on Java 17.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.34.Final, 2.3.8.Final or higher.

References

• GitHub Commit
• Red Hat Bugzilla Bug
• Red Hat Security Advisory

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the handling of URL-encoded request path information on ajp-listener. An attacker can cause the server to process incorrect paths, leading to a disruption of service by sending specially crafted concurrent requests.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade io.undertow:undertow-core to version 2.2.33.Final, 2.3.14.Final or higher.

References

• GitHub Commit
• Red Hat Bugzilla Bug

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to insufficient limitations on the amount of CONTINUATION frames that can be sent within a single stream. An attacker can use up compute or memory resources to cause a disruption in service by sending packets to vulnerable servers.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade io.undertow:undertow-core to version 2.2.33.Final, 2.3.14.Final or higher.

References

• Apache Advisory
• Github Commit
• GitHub Commit
• GitHub Commit
• PoC
• RedHat Bugzilla Bug
• Security Notes

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.

Note: This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.

Remediation

Upgrade org.springframework:spring-core to version 6.2.11 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Release
• Vendor Advisory

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal via the WebMvc.fn and WebFlux.fn frameworks. An attacker can access any file on the file system that is also accessible to the process in which the Spring application is running by crafting malicious HTTP requests.

Note:

This is only exploitable if the web application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location.

Workaround

This vulnerability can be mitigated by using the Spring Security HTTP Firewall or running the application on Tomcat or Jetty.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.13 or higher.

References

• GitHub Commit
• Spring Security Advisory
• Nuclei Templates
• PoC in GitHub

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal through the functional web frameworks WebMvc.fn or WebFlux.fn. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible.

Note: This is similar to CVE-2024-38816, but with different input.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.14 or higher.

References

• GitHub Commit
• Spring Security Advisory
• PoC in GitHub

Overview

org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.

Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.

Notes:

1. This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.

2. Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.

3. This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.

Remediation

Upgrade org.springframework:spring-beans to version 6.2.10 or higher.

References

• GitHub Commit
• GitHub Release
• Spring Release
• Vendor Advisory

Overview

org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Improper Access Control when the application uses AuthenticatedVoter directly and a null authentication parameter is passed to it. Exploiting this vulnerability resulting in an erroneous true return value.

Note

Users are not affected if:

1. The application does not use AuthenticatedVoter#vote directly.

2. The application does not pass null to AuthenticatedVoter#vote.

Remediation

Upgrade org.springframework.security:spring-security-core to version 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or higher.

References

• GitHub Commit
• GitHub Issue
• Security Advisory

Overview

Affected versions of this package are vulnerable to Access Restriction Bypass due to improper implementation of wildcard pattern matching.

An application is vulnerable when all of the following are true:

1. Users have code that can handle requests matching /cloudfoundryapplication/**. Typically, this will be if there is a catch-all request mapping which matches /**

2. The application is deployed to Cloud Foundry.

Note: Applications using Spring Cloud Config Server can handle requests to /cloudfoundryapplication/** by default and can be vulnerable if deployed to Cloud Foundry.

An application is not vulnerable if any of the following is true:

1. The application is not deployed to Cloud Foundry

2. Users have disabled Cloud Foundry actuator endpoints with management.cloudfoundry.enabled set to false

3. The application does not have handler mappings that can handle requests to /cloudfoundryapplication/**

Workaround

Users who are unable to upgrade to the fixed version can disable Cloud Foundry actuator endpoints by setting management.cloudfoundry.enabled to false.

Remediation

Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 2.5.15, 2.6.15, 2.7.11, 3.0.6 or higher.

References

• Advisory
• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitHub Release

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can disrupt service availability by repeatedly sending AJP requests that exceed the configured max-header-size attribute in ajp-listener, leading to the server closing the TCP connection without returning an AJP response.

Note:

This is only exploitable if the max-header-size is set to 64 KB or less.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.31.Final, 2.3.12.Final or higher.

References

• GitHub Commit
• RedHat Bugzilla Bug

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Improper Certificate Validation via the undertow client which does not check the server identity presented by the server certificate in https connections.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.24.Final, 2.3.5.Final or higher.

References

• GitHub Commit
• GitHub Commit
• RedHat Bugzilla Bug
• RedHat CVE Database
• RedHat Issues
• Vulnerable Code

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Improper Input Validation via the FormAuthenticationMechanism. An attacker can exhaust the server's memory, leading to a Denial of Service by sending crafted requests that cause an OutofMemory error.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.32.Final, 2.3.13.Final or higher.

References

• GitHub Commit
• Vulnerable Code

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Infinite loop due to an unexpected handshake status change in SslConduit. The vulnerability derives from JDK behavior changes, where HandshakeStatus.NEED_WRAP can persist while the status is updated to Status.CLOSED.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.24.Final, 2.3.5.Final or higher.

References

• GitHub Commit
• GitHub Commit
• JDK GitHub Commit
• RedHat Bugzilla Bug
• RedHat Issues
• Vulnerable Code

Overview

io.undertow:undertow-core is a Java web server based on non-blocking IO.

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value due to improper @MultipartConfig annotation handling for very large multipart content.

Note: If the server uses fileSizeThreshold to limit the file size, it's possible to bypass the limit by setting the file name in the request to null.

Remediation

Upgrade io.undertow:undertow-core to version 2.2.27.Final, 2.3.9.Final or higher.

References

• GitHub Commit
• Jira Issue
• RedHat Bugzilla Bug

Overview

org.jboss.xnio:xnio-api is a simplified low-level I/O layer which can be used anywhere you are using NIO.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the NotifierState function that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large, leading to a possible denial of service.

Remediation

Upgrade org.jboss.xnio:xnio-api to version 3.5.10, 3.7.13, 3.8.14 or higher.

References

• GitHub Commit
• RedHat Bugzilla Bug

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) if Spring MVC is used together with a reverse proxy cache.

Specifically, an application is vulnerable if all of the conditions are true:

• The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
• The application uses Spring Boot's welcome page support, either static or templated.
• The application is deployed behind a proxy which caches 404 responses.

The application is NOT vulnerable if any of the following are true:

• Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
• The application does not use Spring Boot's welcome page support.
• There is no proxy which caches 404 responses.

Workaround

Users who are unable to upgrade should configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.springframework.boot:spring-boot-autoconfigure to version 2.5.15, 2.6.15, 2.7.12, 3.0.7 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Release

Overview

org.springframework.security:spring-security-config is a security configuration package for Spring Framework.

Affected versions of this package are vulnerable to Improper Authorization due to improper validation in the requestMatchers, leading to authorization rule misconfiguration when the application uses requestMatchers(String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet.

Notes:

An application is only vulnerable when all of the following are true:

1. Spring MVC is on the classpath.

2. Spring Security is securing more than one servlet in a single application (one of them being Spring MVC’s DispatcherServlet).

3. The application uses requestMatchers(String) to refer to endpoints that are not Spring MVC endpoints.

Remediation

Upgrade org.springframework.security:spring-security-config to version 5.8.5, 6.0.5, 6.1.2 or higher.

References

• GitHub Commit
• GitHub Issue
• PoC
• Spring Security Advisory

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

• Changelog
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Release Notes
• Release Notes

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

• Changelog
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Release Notes
• Release Notes

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

Remediation

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

References

• GitHub Commit
• PoC
• Spring Advisory

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

Remediation

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

References

• GitHub Commit
• Spring Advisory