Skip to content

Remediate high-severity CVEs: Spring Boot 3.5.12 + Log4j 2.25.3#18

Merged
brunoborges merged 2 commits into
mainfrom
copilot/fix-high-severity-vulnerabilities-again
Apr 24, 2026
Merged

Remediate high-severity CVEs: Spring Boot 3.5.12 + Log4j 2.25.3#18
brunoborges merged 2 commits into
mainfrom
copilot/fix-high-severity-vulnerabilities-again

Conversation

Copilot AI commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

Security scan flagged two vulnerabilities in Java dependencies, one of which (CVE-2026-22731, CVSS 8.1) was breaking the CI security gate.

Changes

  • CVE-2026-22731 (CVSS 8.1) — Spring Boot auth bypass under Actuator Health group paths; bump spring.boot.version 3.5.53.5.12
  • CVE-2025-68161 — Log4j TLS hostname verification failure in Socket Appender; Spring Boot 3.5.12 still pins log4j2 at 2.24.3, so an explicit override is required:
<properties>
    <spring.boot.version>3.5.12</spring.boot.version>
    <log4j2.version>2.25.3</log4j2.version>
</properties>

<dependencyManagement>
    <!-- Declared before Spring Boot BOM import so explicit versions win -->
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
    <!-- log4j-core, log4j-to-slf4j same pattern -->
    ...
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>${spring.boot.version}</version>
        <type>pom</type>
        <scope>import</scope>
    </dependency>
</dependencyManagement>

All changes are in the root pom.xml; no production logic touched.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • archive.apache.org
    • Triggering command: /usr/bin/curl curl -sSL REDACTED -o /tmp/maven4.tar.gz (dns block)
  • dlcdn.apache.org
    • Triggering command: /usr/bin/wget wget --quiet REDACTED -O /tmp/tmp.XUnsDUv8Cq/apache-maven-4.0.0-rc-5-bin.zip (dns block)
  • downloads.apache.org
    • Triggering command: /usr/bin/wget wget -q REDACTED -O maven4.tar.gz (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

…and log4j to 2.25.3

Agent-Logs-Url: https://github.com/brunoborges/jlib-inspector/sessions/af5640df-3585-4b70-93fa-9bcda15ad07a

Co-authored-by: brunoborges <129743+brunoborges@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix high severity vulnerabilities detected in dependencies Remediate high-severity CVEs: Spring Boot 3.5.12 + Log4j 2.25.3 Apr 23, 2026
Copilot AI requested a review from brunoborges April 23, 2026 21:00
@brunoborges brunoborges marked this pull request as ready for review April 24, 2026 14:08
@brunoborges brunoborges merged commit 370dd68 into main Apr 24, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

🚨 High Severity Vulnerabilities Detected - 2026-04-17

2 participants