Bug 66011 - jmeter ships with a vulnerable version of spring
Summary: jmeter ships with a vulnerable version of spring
Status: NEEDINFO
Alias: None
Product: JMeter - Now in Github
Classification: Unclassified
Component: Main (show other bugs)
Version: 5.4.3
Hardware: All All
Importance: P2 major
Target Milestone: JMETER_5.5
Assignee: JMeter issues mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-12 15:59 UTC by Ren
Modified: 2022-04-12 16:59 UTC
Description Ren 2022-04-12 15:59:56 UTC
jmeter references a vulnerable version of the Spring framework. My customer blocks access to all vulnerable versions of Spring, thus making it impossible for me to run jmeter from within the jmeter-maven-plugin (which downloads all jmeter dependencies automagically).
When will there be a release using a safe version of the Spring framework (>= 5.3.18)?

Regards
René
Comment 1 Felix Schumacher 2022-04-12 16:59:17 UTC
JMeter itself does not need Spring and is not bundled with it.

It is probably a dependency from ActiveMQ (which we include for testing JMS). If you are on Java 9+ you can replace the bad jars following the documentation on the jmeter-maven-plugin's site: https://github.com/jmeter-maven-plugin/jmeter-maven-plugin/wiki/Adding-Excluding-libraries-to-from-the-classpath

Questions on the usage of the jmeter-maven-plugin are better asked on their forums.
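A worked form of the workaround Felix points at, as an added example that is not part of the bug report and not the JMeter project's own configuration: a jmeter-maven-plugin pom.xml fragment that keeps the transitively pulled Spring jars off the JMeter classpath and puts a patched Spring (>= 5.3.18, the threshold named in the report) back so the JMS/ActiveMQ samplers still load. Assumptions: the plugin coordinates and version, and the excludedArtifacts / exclusion / testPlanLibraries / artifact elements, are taken from the plugin's wiki as I remember it and should be checked against the linked page; the list of Spring artifacts is illustrative and should be matched against the jars that actually appear in the resolved lib directory (target/jmeter/lib) after a first run; the plugin's usual executions block is omitted.

```xml
<!-- Added example, not from the bug report or the JMeter project.
     Plugin coordinates/version and element names are assumptions taken
     from the jmeter-maven-plugin wiki; verify against the linked page. -->
<plugin>
  <groupId>com.lazerycode.jmeter</groupId>
  <artifactId>jmeter-maven-plugin</artifactId>
  <version>3.5.0</version>
  <configuration>
    <!-- 1. Drop the vulnerable Spring jars that ActiveMQ drags in transitively.
            The exact set is an assumption: list whatever org.springframework
            artifacts show up in target/jmeter/lib after a plain run. -->
    <excludedArtifacts>
      <exclusion>org.springframework:spring-core</exclusion>
      <exclusion>org.springframework:spring-beans</exclusion>
      <exclusion>org.springframework:spring-context</exclusion>
      <exclusion>org.springframework:spring-aop</exclusion>
      <exclusion>org.springframework:spring-expression</exclusion>
      <exclusion>org.springframework:spring-jms</exclusion>
    </excludedArtifacts>
    <!-- 2. Add the same artifacts back at a version the reporter's customer
            accepts (>= 5.3.18 per the report) so the JMS sampler still works. -->
    <testPlanLibraries>
      <artifact>org.springframework:spring-core:5.3.18</artifact>
      <artifact>org.springframework:spring-beans:5.3.18</artifact>
      <artifact>org.springframework:spring-context:5.3.18</artifact>
      <artifact>org.springframework:spring-aop:5.3.18</artifact>
      <artifact>org.springframework:spring-expression:5.3.18</artifact>
      <artifact>org.springframework:spring-jms:5.3.18</artifact>
    </testPlanLibraries>
  </configuration>
</plugin>
```

After `mvn jmeter:configure`, confirm the result by listing `target/jmeter/lib` and checking that no `spring-*-5.3.1[0-7].jar` (or older) remains; if a jar still appears, its coordinates belong in the exclusion list. Excluding without re-adding will break any test plan that uses the JMS sampler, since ActiveMQ's client needs Spring at runtime, which is why both halves of the configuration go together.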
Comment 2 The ASF infrastructure team 2022-09-24 20:38:23 UTC
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/5659