This principle is mentioned here because a number of methods in the core classes of Spring Web MVC are marked final. This means, of course, that you as a developer cannot override these methods to supply your own behavior. This is by design and has not been done arbitrarily to annoy.
Updates are a straightforward upgrade to the next maintenance release and are backwards compatible, e.g. version 2.5.13 to version 2.5.14, or version 1.7.x to 2.5.28. For Joomla CMS 3, these updates span all minor and maintenance releases; examples are version 3.1.2 to 3.3.6 and 3.3.1 to 3.3.6. Please see the specific pages to check which versions you can update from and to.
CVE-2012-5784 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2014-3596 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2018-8032 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2019-0227 (MEDIUM) - Apache Web Services Axis 1.4
CVE-2017-8046 (HIGH) - Spring Boot 1.4.2
CVE-2016-5007, CVE-2018-1258 (MEDIUM) - spring-framework 3.2.18.RELEASE
CVE-2019-3778 (MEDIUM) - spring-security-oauth2-2.0.16.RELEASE.jar
CVE-2018-10237 (MEDIUM - agent jars) - Guava
CVE-2020-8908 (BDSA-2020-3736) (LOW - agent jars) - Guava
CVE-2018-1313 (BDSA-2018-1426) (MEDIUM - agent jars) - Apache Derby
CVE-2018-11771 (MEDIUM - agent jars) - commons-compress
CVE-2020-1938 (CRITICAL) - cpe:2.3:a:apache:tomcat (aka Ghostcat)
CVE-2021-30639 (HIGH) - Tomcat libraries
CVE-2021-30640 (MEDIUM) - Tomcat libraries
CVE-2021-41079 (HIGH) - Tomcat libraries
CVE-2014-0114 (HIGH) (struts ActionForm object) - Apache Struts 1.x-1.3.10, 2.x-2.3.16.2
CVE-2019-10086 (HIGH) - org.apache.commons_beanutils-1.9.3.jar
CVE-2014-1904 (MEDIUM) (Formtag) - Spring Framework 3.0.0-3.2.8, 4.0.0-4.0.2
CVE-2014-0054 (MEDIUM) (Jaxb2RootElementHttpMessageConverter) - Spring 3.0.0-3.2.7, 4.0.0-4.0.1
CVE-2015-3192 (MEDIUM) (XML bomb) - Spring Framework 3.x-3.2.1, 4.x-4.1.7
CVE-2018-1270 (CRITICAL) (Stomp message protocol) - Spring Framework 5.0 to 5.0.4, 4.3-4.3.15
CVE-2018-1275 (CRITICAL) (Stomp message protocol) - same versions as CVE-2018-1270
CVE-2013-6429 (MEDIUM) (SourceHttpMessageConverter) - Spring MVC 3.x-3.2.8, 4.x-4.0.2
CVE-2018-1272 (MEDIUM) (Multipart Requests) - Spring Framework 5.0-5.0.4, 4.3-4.3.14
SPR-7779 (LocaleChangeInterceptor) - Spring Framework 3.x-3.0.6
CVE-2019-10086 (HIGH) (BeanIntrospector) - Apache Commons Beanutils 1.9.2
CVE-2014-0225 (HIGH) (XXE attack) - Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8
CVE-2014-3578 (MEDIUM) - Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5
CVE-2017-5638 (CRITICAL) - Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1
CVE-2017-5638 (HIGH) - Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13
CVE-2020-27216 (HIGH) - Jetty Temp Files
CVE-2019-11358 (MEDIUM) - docker-utility-2.0.25.jar: jquery-3.1.1.min.js
CVE-2020-11022 (MEDIUM) - docker-utility-2.0.25.jar: jquery-3.1.1.min.js
CVE-2020-11023 (MEDIUM) - docker-utility-2.0.25.jar: jquery-3.1.1.min.js
CVE-2017-12629 (CRITICAL) - Apache Lucene 4.7.2
CVE-2017-9096 (HIGH) - iText 1.3.1, 2.1.3, 2.0.7
CVE-2021-43113 (CRITICAL) - iText command injection via a CompareTool filename
CVE-2017-16853 (HIGH) - OpenSAML before 2.6.1
CVE-2021-41616 (CRITICAL) - Apache Hive
CVE-2017-5645, CVE-2019-17571, CVE-2021-4104, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 (CRITICAL, HIGH, LOW) - custom log4j 1.x in APM agents
CVE-2022-23307, CVE-2020-9488 (CRITICAL) - Apache Log4j 1.2.x
CVE-2022-23302 (HIGH) - Apache Log4j 1.x
CVE-2022-23305 (CRITICAL) - Apache Log4j 1.2.x
CVE-2021-4104 (HIGH) - Apache Log4j 1.2.x
CVE-2019-17571 (CRITICAL) - Apache Log4j 1.2 up to 1.2.17
CVE-2017-5645 (CRITICAL) - Apache Log4j 2.x before 2.8.2
CVE-2021-43557 (HIGH) - Apache Hive
CVE-2021-45232, CVE-2022-24112 (CRITICAL) - Apache Hive
CVE-2022-22965 (CRITICAL) - Spring Framework RCE via Data Binding on JDK 9+
CVE-2022-24197 (MEDIUM) - iText v7.1.17
CVE-2022-21449 (HIGH) - Oracle Java - Improper ECDSA signature verification
CVE-2016-1000027 (CRITICAL) - Spring Framework - HTTP invoker
CVE-2022-25757, CVE-2022-29266 (HIGH, CRITICAL) - Apache Hive
CVE-2022-34169 (CRITICAL) - Apache Xalan Java XSLT library
CVE-2022-42889 (CRITICAL) - Apache Commons Text (
This vulnerability exposes a risk when unzipping third-party archives. The Agent code uses commons-compress only to unzip archives that ship as part of our product; it never unzips archives received from outside sources. The vulnerability therefore does not apply to the Agent and can be marked as a false positive.
CVE-2017-5638 (HIGH) - Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13

Vulnerability Description: The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to Remote Code Execution when deserializing XML payloads.
The functions of G-protein-coupled receptors (GPCRs) are primarily mediated and modulated by three families of proteins: the heterotrimeric G proteins, the G-protein-coupled receptor kinases (GRKs) and the arrestins. G proteins mediate activation of second-messenger-generating enzymes and other effectors, GRKs phosphorylate activated receptors, and arrestins subsequently bind phosphorylated receptors and cause receptor desensitization. Arrestins activated by interaction with phosphorylated receptors can also mediate G-protein-independent signalling by serving as adaptors to link receptors to numerous signalling pathways. Despite their central role in regulation and signalling of GPCRs, a structural understanding of β-arrestin activation and interaction with GPCRs is still lacking. Here we report the crystal structure of β-arrestin-1 (also called arrestin-2) in complex with a fully phosphorylated 29-amino-acid carboxy-terminal peptide derived from the human V2 vasopressin receptor (V2Rpp). This peptide has previously been shown to functionally and conformationally activate β-arrestin-1 (ref. 5). To capture this active conformation, we used a conformationally selective synthetic antibody fragment (Fab30) that recognizes the phosphopeptide-activated state of β-arrestin-1. The structure of the β-arrestin-1-V2Rpp-Fab30 complex shows marked conformational differences in β-arrestin-1 compared to its inactive conformation. These include rotation of the amino- and carboxy-terminal domains relative to each other, and a major reorientation of the 'lariat loop' implicated in maintaining the inactive state of β-arrestin-1. These results reveal, at high resolution, a receptor-interacting interface on β-arrestin, and they indicate a potentially general molecular mechanism for activation of these multifunctional signalling and regulatory proteins.