
Mark Paluch

Spring Data Project Lead

Weinheim, Germany

Mark is a Software Craftsman, Spring Data Project Lead at Pivotal, and Lead of the Lettuce Redis driver. His focus is now on reactive data integrations and R2DBC.
Blog Posts by Mark Paluch

Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)

Updates

  • [06-20] CVE-2022-22980 is published
  • [06-20] Spring Data MongoDB 3.4.1 and 3.3.5 are available

Overview

We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the following CVE report:

This vulnerability was responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab on Monday, June 13 2022. The full report will be published to MITRE and as security advisory under tanzu.vmware.com/security in the upcoming days.

Spring Data 2021.2.1 and 2021.1.5 released

On behalf of the team, I’m pleased to announce Spring Data service releases 2021.2.1 and 2021.1.5.
Both releases ship with mostly bug fixes and dependency upgrades.
For your convenience, Spring Boot 2.7.1 and 2.6.9, respectively, are going to pick up these releases in the upcoming days.

In addition, these releases include fixes for one vulnerability:

  • CVE-2022-22980
    “Spring Data MongoDB SpEL Expression Injection Vulnerability”
    SpEL injection in MongoDB applications through repository query methods annotated with @Query or @Aggregation that use parametrized SpEL statements with non-sanitized input.
    Severity: High
Spring Vault 2.4.0-M1 and 3.0.0-M1 available

On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Vault 2.4.0-M1 and 3.0.0-M1 milestones have been released and are now available from repo.spring.io.

Notable new features include:

  • Support for PEM-encoded certificates and private keys including Elliptic Curve ("EC")

  • Support for Vault Repositories using versioned Key/Value secrets engines

  • Support for Vault-based RevisionRepository using versioned Key/Value secrets engines

Please see the release notes for more details and upgrade instructions.

Spring Data 2021.2.0-M3, 2021.1.2, and 2021.0.9 released

On behalf of the team, I’m pleased to announce Spring Data service releases 2021.1.2 and 2020.0.9.
Both releases ship with mostly bug fixes and dependency upgrades.
For your convenience, Spring Boot 2.6.4 and 2.5.10, respectively, are going to pick up these releases in the upcoming days.

Along with the service releases, we released the next milestone 2021.2.0-M3 of the 2021.2 release train. We have summarized the new and noteworthy changes in our release notes.

To round things off, here are the links to the individual modules, changelogs, and documentation:

First Spring Data 2022.0.0 and 2021.2.0 milestones released

On behalf of the team and everyone who contributed, I’m pleased to announce the availability of the first round of milestones of the Spring Data 2022.0 and 2021.2 release trains.

2021.x vs. 2022.x

You might now ask why there is a new release in the calver 2021.x line and why there is already a 2022.x release.

In parallel to working on Spring Data 3.x, aka 2022.0.0, we continue to invest in the support of the Spring Data 2.x development line. We already expect Spring Data 2.7 and 2.8 releases. So, if you want to continue using Spring Boot 2 for an extended period of time, stick to the 2021.x release trains (which are based on Spring Framework 5.3 and Java 8). That’s the reason we chose to continue with calver 2021.x, which, hopefully, makes understanding version compatibilities easier.
Our Spring Data 3.x development line will be based on Java 17 and Spring Framework 6 and be compatible with Spring Boot 3.

Spring Data 2021.1 enters RC phase

Dear Spring community,

On behalf of the Spring Data team and everyone who contributed, it is my pleasure to announce that Spring Data 2021.1.0 has entered its release candidate phase by releasing RC1 today. It is available from the milestone repository. This release ships with several tickets fixed. The most notable changes are:

  • Deprecate support for RxJava 2 in preparation for removal of RxJava 2 support with Spring Data 3.0.
  • Fluent Query API for Querydsl and Query-by-Example, allowing for projections, pagination, and consuming results as a Stream.
  • Spring Data JDBC ships with a refined SQL DSL, accepting complex JOIN conditions and subselects.
  • Support for exists and not empty keywords in Elasticsearch repository query methods and support for field exclusion in source.
  • Improve mapping performance for custom queries and paths in Neo4j and support for ReactiveQuerydslPredicateExecutor.
Spring Data 2021.0.6 and 2020.0.14 released

On behalf of the team, I’m pleased to announce the availability of the Spring Data 2021.0.6 and 2020.0.14 service releases.

Both releases are built on top of Spring Framework 5.3.11. For your convenience, you can consume Spring Data 2021.0.6 and 2020.0.14 through the upcoming Spring Boot releases 2.5.6 and 2.4.12, respectively.

Both service releases ship with mostly bug fixes and dependency upgrades.

To round things off, here are the links to the artifacts, changelogs, and documentation:

2021.0.6

Spring Data 2021.0.5 and 2020.0.13 released

On behalf of the team, I’m pleased to announce the availability of the Spring Data 2021.0.5 and 2020.0.13 service releases.

Both releases are built on top of Spring Framework 5.3.10. For your convenience, you can consume Spring Data 2021.0.5 and 2020.0.13 through the upcoming Spring Boot releases 2.5.5 and 2.4.11, respectively.

Both service releases ship with mostly bug fixes and dependency upgrades.

To round things off, here are the links to the artifacts, changelogs, and documentation:

2021.0.5

Spring Data 2021.1.0-M3 released

On behalf of the team, I’m delighted to announce the availability of the third Spring Data 2021.1.0 milestone. This release is the last milestone before entering the RC phase in mid-October. Besides numerous bug fixes and dependency upgrades, this release ships a series of notable enhancements:

General

  • Support jMolecules’ @Identity as ID annotation
  • Publish delete events by repository methods deleteInBatch and deleteAllInBatch methods

MongoDB

  • Support for MongoDB 5.0 aggregation stages and operators including $setWindowFields for aggregations using time-series.
  • Configuration options for MongoDB’s versioned Server API.
  • Schema derivation for encrypted fields.
Spring Data 2021.0.2 and 2020.0.10 released

On behalf of the team, I’m pleased to announce the availability of the Spring Data 2021.0.2 and 2020.0.10 service releases.

Both releases are built on top of Spring Framework 5.3.8. For your convenience, you can consume these releases through Spring Boot 2.5.2 and 2.4.8, respectively.

The service releases ship with mostly bug fixes and dependency upgrades.

To round things off, here are the links to the artifacts, changelogs, and documentation:

2021.0.2
