Version currently in use (required; otherwise the issue will not be handled)

v3.4.2

How was this problem caused? (Confirm that the latest version also has the problem before reporting!!!)

The Spring Framework and frameworks derived from it may have a 0day vulnerability; details are here: https://www.obatis.com/article/1648606963311

The dependency [spring-tx 5.2.8.RELEASE] of the MyBatis-Plus component [mybatis-plus-boot-starter-test 3.4.2] in turn depends on [spring-beans 5.2.8.RELEASE]. Likewise, the dependency [spring-jdbc 5.2.8.RELEASE] of [spring-boot-starter-jdbc 2.3.2.RELEASE] also depends on [spring-beans 5.2.8.RELEASE]. This may be affected by the 0day vulnerability.

Could the maintainers please help determine whether this issue exists? Thanks.

========================================================

In version 3.3.1 I also found that the dependency [spring-boot-autoconfigure 2.2.2.RELEASE] of [mybatis-plus-dts 3.3.1] and [mybatis-plus-boot-starter 3.3.1] has [spring-beans 5.2.2.RELEASE] among its lower-level dependencies. MyBatis-Plus maintainers, please check whether version 3.4.2 is affected by the Spring Framework 0day vulnerability that has been disclosed.

Steps to reproduce (write them out in full if available)

Error message

Comment From: linghengqian

I have to point out that this is actually a code specification issue, just the possibility of RCE using deprecated methods, and Spring does not consider this a vulnerability.

Comment From: miemieYaho

MP does not pin the Spring version.

Comment From: Fengwenww

But this vulnerability currently does not seem to distinguish between Spring versions.

Comment From: linghengqian

> But this vulnerability currently does not seem to distinguish between Spring versions.

Again, Spring does not consider this a bug, it is a code specification issue, and they simply discourage adoption of deprecated methods.

Comment From: Fengwenww

> But this vulnerability currently does not seem to distinguish between Spring versions.

> Again, Spring does not consider this a bug, it is a code specification issue, and they simply discourage adoption of deprecated methods.

https://github.com/advisories/GHSA-36p3-wjmg-h94x lists the affected version numbers; it looks like they are affected.

Comment From: linghengqian

> But this vulnerability currently does not seem to distinguish between Spring versions.

> Again, Spring does not consider this a bug, it is a code specification issue, and they simply discourage adoption of deprecated methods.

> https://github.com/advisories/GHSA-36p3-wjmg-h94x lists the affected version numbers; it looks like they are affected.

MyBatis-Plus does not rely on Spring; refer to https://mvnrepository.com/artifact/com.baomidou/mybatis-plus/3.5.1 .

Comment From: Fengwenww

> But this vulnerability currently does not seem to distinguish between Spring versions.

> Again, Spring does not consider this a bug, it is a code specification issue, and they simply discourage adoption of deprecated methods.

> GHSA-36p3-wjmg-h94x lists the affected version numbers; it looks like they are affected.

> MyBatis-Plus does not rely on Spring; refer to https://mvnrepository.com/artifact/com.baomidou/mybatis-plus/3.5.1 .

Take version 3.4.2 as an example. The dependency [spring-tx 5.2.8.RELEASE] of the MyBatis-Plus component [mybatis-plus-boot-starter-test 3.4.2] depends on [spring-beans 5.2.8.RELEASE]. The dependency [spring-jdbc 5.2.8.RELEASE] of [spring-boot-starter-jdbc 2.3.2.RELEASE] also depends on [spring-beans 5.2.8.RELEASE]. So the component is dependent on it.
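As an added example (not code from this issue or from the MyBatis-Plus project), the following Python script parses `mvn dependency:tree` output and lists every transitive spring-beans occurrence with its scope and the path that pulls it in, checking each against the patched release of its own major.minor branch. The sample tree is constructed to mirror the chain discussed above; the patched version numbers are placeholders to be taken from GHSA-36p3-wjmg-h94x.

```python
"""Audit `mvn dependency:tree` output for transitive spring-beans versions.
Added example, not MyBatis-Plus project code; patched versions are placeholders
to be filled in from advisory GHSA-36p3-wjmg-h94x."""
import re
import sys
from itertools import takewhile

# Constructed sample shaped like `mvn dependency:tree` output for the chain in this issue.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- com.baomidou:mybatis-plus-boot-starter-test:jar:3.4.2:test
[INFO] |  \\- org.springframework:spring-tx:jar:5.2.8.RELEASE:test
[INFO] |     \\- org.springframework:spring-beans:jar:5.2.8.RELEASE:test
[INFO] \\- org.springframework.boot:spring-boot-starter-jdbc:jar:2.3.2.RELEASE:compile
[INFO]    \\- org.springframework:spring-jdbc:jar:5.2.8.RELEASE:compile
[INFO]       \\- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile
"""
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>\S+:\S+)$")

def version_key(version):
    """Numeric leading components of a Maven version: '5.2.8.RELEASE' -> (5, 2, 8)."""
    return tuple(int(p) for p in takewhile(str.isdigit, version.split(".")))

def is_patched(version, patched_versions):
    """True if `version` is at or above the patched release of its own major.minor
    branch; a branch with no listed patched release counts as unpatched."""
    key = version_key(version)
    for fixed in patched_versions:
        fixed_key = version_key(fixed)
        if key[:2] == fixed_key[:2]:
            return key >= fixed_key
    return False

def audit(tree_text, patched_versions, artifact="spring-beans"):
    """Every occurrence of `artifact`: version, scope, path from the root, patched?"""
    findings, path = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":")  # group:artifact:type[:classifier]:version[:scope]
        version, scope = (parts[3], "") if len(parts) == 4 else (parts[-2], parts[-1])
        depth = len(m.group("prefix")) // 3  # each tree level is three characters wide
        path = path[:depth] + ["%s:%s" % (parts[1], version)]
        if parts[1] == artifact:
            findings.append({"version": version, "scope": scope, "path": " -> ".join(path),
                             "patched": is_patched(version, patched_versions)})
    return findings

if __name__ == "__main__":  # usage: python audit.py <patched 5.2.x> <patched 5.3.x>
    for f in audit(SAMPLE_TREE, sys.argv[1:]):
        print("%-8s %s  patched=%s" % (f["scope"], f["path"], f["patched"]))
```

Feed it the real output of `mvn dependency:tree -Dincludes=org.springframework:spring-beans` from the project to see which starter pulls the artifact in and at which resolved version.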