

I am trying to use Spring Framework 5.3.27 with Spring Boot, but due to a vulnerability in spring-web 5.3.27, I updated the version to the non-vulnerable version, spring-web 6.0.0. Due to this, there is a compatibility issue.

Cannot use Spring Framework version 6.0.0 due to library modifications. Please advise.

I get the error below:

an attempt was made to call a method that does not exist. The attempt was made from the following location:

org.springframework.cloud.config.client.ConfigServicePropertySourceLocator.getRemoteEnvironment(ConfigServicePropertySourceLocator.java:272)

The following method did not exist:

'org.springframework.http.HttpStatus org.springframework.http.ResponseEntity.getStatusCode()'

The calling method's class, org.springframework.cloud.config.client.ConfigServicePropertySourceLocator, was loaded from the following location:

jar:file:/.m2/repository/org/springframework/cloud/spring-cloud-config-client/3.1.5/spring-cloud-config-client-3.1.5.jar!/org/springframework/cloud/config/client/ConfigServicePropertySourceLocator.class

The called method's class, org.springframework.http.ResponseEntity, is available from the following locations:

jar:file:.m2/repository/org/springframework/spring-web/6.0.0/spring-web-6.0.0.jar!/org/springframework/http/ResponseEntity.class

The called method's class hierarchy was loaded from the following locations:

org.springframework.http.ResponseEntity: file:/.m2/repository/org/springframework/spring-web/6.0.0/spring-web-6.0.0.jar
org.springframework.http.HttpEntity: file:/.m2/repository/org/springframework/spring-web/6.0.0/spring-web-6.0.0.jar

Action:

Correct the classpath of your application so that it contains compatible versions of the classes org.springframework.cloud.config.client.ConfigServicePropertySourceLocator and org.springframework.http.ResponseEntity

Comment From: mdeinum

You shouldn't mix jars from different versions of a framework, regardless of the framework. Either upgrade all dependencies (which means also upgrading Spring Boot) or investigate if you really are vulnerable (which I doubt).

Comment From: bclozel

There is no known vulnerability in Spring Framework 5.3.x right now. If you are referring to CVE-2016-1000027, please read the following comment.

As mentioned by @mdeinum, please upgrade to compatible versions - the Spring Framework version will be managed by Spring Boot directly:

* Spring Boot 3.x
* a compatible Spring Cloud version (see the table here)

Mixing incompatible versions is not supported by the team; I'm closing this issue as a result.
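
A check for the condition described in the comments above, added here as an example and not part of the thread or of the Spring project's code: it reads `mvn dependency:list` output and reports when modules under the `org.springframework` group resolve to more than one version. The sample lines are constructed from the versions named in the report, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `mvn dependency:list` output, using the versions from the report.
SAMPLE = """\
[INFO]    org.springframework:spring-context:jar:5.3.27:compile
[INFO]    org.springframework:spring-core:jar:5.3.27:compile
[INFO]    org.springframework:spring-web:jar:6.0.0:compile
[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:3.1.5:compile
"""


def parse_coordinates(lines):
    """Yield (groupId, artifactId, version) for each resolved dependency line."""
    for line in lines:
        for token in line.split():
            parts = token.split(":")
            if len(parts) == 5:    # group:artifact:type:version:scope
                group, artifact, _type, version, _scope = parts
            elif len(parts) == 6:  # group:artifact:type:classifier:version:scope
                group, artifact, _type, _classifier, version, _scope = parts
            else:
                continue           # "[INFO]" prefix or other non-coordinate text
            yield group, artifact, version
            break


def mixed_framework_versions(lines, group="org.springframework"):
    """Return {version: [artifacts]} when `group` resolves to several versions, else {}.

    Only an exact groupId match counts, so Spring Boot and Spring Cloud
    artifacts (which have their own version lines) are not compared.
    """
    by_version = defaultdict(list)
    for g, artifact, version in parse_coordinates(lines):
        if g == group:
            by_version[version].append(artifact)
    return dict(by_version) if len(by_version) > 1 else {}


if __name__ == "__main__":
    for version, artifacts in sorted(mixed_framework_versions(SAMPLE.splitlines()).items()):
        print(f"{version}: {', '.join(artifacts)}")
```

Run against a real build by piping `mvn dependency:list` into it; an empty result means every Spring Framework module resolved to the same version.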

Comment From: davidmichaelkarr

@mdeinum, your statement about mixing versions is something I completely agree with. However, I sometimes have to justify brain-dead common sense to other people who want official statements of compatibility. Even Google AI concludes that you can't use a newer version of spring-web with spring-context (for example), but I'm having trouble finding a statement on the Spring Framework website that says this explicitly. Do you know where I might find that? I'm afraid I can't just say "Martin said so". :)