Release Notes / Version 12.2401
Table Of ContentsHandle CVEs for graphql-spring-boot-autoconfigure-15.0.0.jar: subscriptions-transport-ws-browser-client.js
Lodash is directly included in the affected file
subscriptions-transport-ws-browser-client.js
, which
in turn is part of the included graphiql version. Unfortunately the
project has been archived and there will be no updates anymore. Since
graphiql is a pure developer tool and only enabled in preview mode,
the reported security risk is considered only moderate to low, thus
CVE-2019-10744,
CVE-2020-8203,
CVE-2021-23337,
CVE-2018-3721, CVE-2019-1010266, CVE-2018-16487, CVE-2020-28500 were
suppressed.
The whole library will be replaced with CM12 version 2404 by the latest version of Spring-GraphQL, which is much better supported as a part of the Spring project and also includes a maintained and updated version of graphiql.
(CMS-24020)
Prevent exceptions when logging resource paths
Logging resource paths with
org.springframework.core.io.Resource#getURI
can
fail on Windows development environments in some cases. To prevent
such exceptions, log statements have been changed to just use the
implicit toString()
.
(CMS-23900)
HeadlessServer: More tolerant request handling for invalid hashes on MediaController
Previously the validation on the MediaController denied requests with wrong or outdated hashes. HeadlessServer now accepts requests with wrong or outdates hashes as long as the rest of the url parameters are conclusive (id, crop name, filename, width). If this is the case HeadlessServer now responds with a HTTP 301 / Moved Permanently to the correct URL of the corresponding media, instead of a HTTP 401 / Not Found.
(CMS-23595)