spring-data-dynamodb - Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965) #295

Open
nanandmca opened this issue Apr 2, 2022 · 2 comments

@nanandmca
Expected Behavior

A new version of Spring Framework which has the fix for CVE-2022-22965
Spring Boot compatibility for 2.5.12
Spring Framework for 5.3.18

Actual Behavior

Not supporting the new versions of Spring Boot and Spring Framework

Steps to Reproduce the Problem

  1. Change the version of Spring Boot to 2.5.12
  2. Change the version of Spring Framework to 5.3.18

Specifications

  • Spring Data DynamoDB Version:
  • Spring Data Version:
  • AWS SDK Version:
  • Java Version:
  • Platform Details:

All of this information is logged by `org.socialsignin.spring.data.dynamodb.repository.support.DynamoDBRepositoryFactory` at INFO level on startup.
Or use `java -version` and `mvn dependency:tree | grep -E 'spring|aws'` to provide those version numbers.
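As an added example (not part of the issue or of the project's code), the `mvn dependency:tree` output mentioned above can be filtered to list every `org.springframework` artifact older than 5.3.18, the Spring Framework version this issue asks for. The function names and the sample tree are constructed for illustration, and GNU `sort -V` is assumed.

```shell
#!/usr/bin/env bash
# Added example: flag Spring Framework artifacts in `mvn dependency:tree`
# output that are older than the version requested in the issue.

FIXED_VERSION="5.3.18"   # Spring Framework version named in the issue text

# Constructed sample of `mvn dependency:tree` output (not from a real build).
sample_tree() {
  cat <<'EOF'
[INFO] com.example:demo:jar:0.0.1
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.11:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO] |  \- org.springframework:spring-beans:jar:5.3.17:compile
[INFO] +- org.springframework:spring-core:jar:5.3.18:compile
[INFO] \- com.amazonaws:aws-java-sdk-dynamodb:jar:1.11.664:compile
EOF
}

# version_lt A B: succeeds when A sorts strictly before B in version order.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Reads dependency:tree output on stdin and prints "artifact version" for
# each org.springframework:* jar whose version is below FIXED_VERSION.
# Other groups (Spring Boot, Spring Data, AWS SDK) are ignored because
# they follow their own version lines.
outdated_spring_artifacts() {
  grep -oE 'org\.springframework:[A-Za-z0-9_.-]+:jar:[0-9][A-Za-z0-9_.-]*' |
    sort -u |
    while IFS=: read -r _group artifact _type version; do
      if version_lt "$version" "$FIXED_VERSION"; then
        printf '%s %s\n' "$artifact" "$version"
      fi
    done
}

# Real use: mvn dependency:tree | outdated_spring_artifacts
sample_tree | outdated_spring_artifacts
```

The check compares only against the single version given in the issue, so any lower version number is reported regardless of which release line it belongs to.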

@nanandmca
Author

ReflectionEntityInformation is deprecated in the new Spring version. Below is the compilation error:

```
[ERROR] /C:/MyFiles/MyWork/build-issue/spring-data-dynamodb/src/main/java/org/socialsignin/spring/data/dynamodb/repository/support/DynamoDBIdIsHashAndRangeKeyEntityInformationImpl.java:[21,56] cannot find symbol
[ERROR] symbol: class ReflectionEntityInformation
[ERROR] location: package org.springframework.data.repository.core.support
[ERROR] /C:/MyFiles/MyWork/build-issue/spring-data-dynamodb/src/main/java/org/socialsignin/spring/data/dynamodb/repository/support/DynamoDBIdIsHashAndRangeKeyEntityInformationImpl.java:[37,78] cannot find symbol
[ERROR] symbol: class ReflectionEntityInformation
[ERROR] /C:/MyFiles/MyWork/build-issue/spring-data-dynamodb/src/main/java/org/socialsignin/spring/data/dynamodb/repository/support/SimpleDynamoDBCrudRepository.java:[47,8] org.socialsignin.spring.data.dynamodb.repository.support.SimpleDynamoDBCrudRepository is not abstract and does not override abstract method deleteAllById(java.lang.Iterable<? extends ID>) in org.springframework.data.repository.CrudRepository
[ERROR] /C:/MyFiles/MyWork/build-issue/spring-data-dynamodb/src/main/java/org/socialsignin/spring/data/dynamodb/repository/support/SimpleDynamoDBPagingAndSortingRepository.java:[56,8] org.socialsignin.spring.data.dynamodb.repository.support.SimpleDynamoDBPagingAndSortingRepository is not abstract and does not override abstract method deleteAllById(java.lang.Iterable<? extends ID>) in org.springframework.data.repository.CrudRepository
[ERROR] /C:/MyFiles/MyWork/build-issue/spring-data-dynamodb/src/main/java/org/socialsignin/spring/data/dynamodb/repository/support/DynamoDBIdIsHashAndRangeKeyEntityInformationImpl.java:[37,8] org.socialsignin.spring.data.dynamodb.repository.support.DynamoDBIdIsHashAndRangeKeyEntityInformationImpl is not abstract and does not override abstract method getJavaType() in org.springframework.data.repository.core.EntityMetadata
[ERROR] -> [Help 1]
```

@nanandmca
Author

#267

Here is another repo that handles this issue:

api group: 'io.github.boostchicken', name: 'spring-data-dynamodb', version: '5.2.0-SNAPSHOT'

@nanandmca nanandmca changed the title Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965) spring-data-dynamodb - Spring4Shell: Zero-Day Vulnerability in Spring Framework (CVE-2022-22965) Apr 2, 2022
@nanandmca nanandmca reopened this Apr 4, 2022