close

Spring Cloud OpenFeign versions 2.2.10.RELEASE, 3.0.5 and 3.1.0-M4 are now available

On behalf of the community, I am pleased to announce that Spring Cloud OpenFeign versions 2.2.10.RELEASE, 3.0.5 and 3.1.0-M4 have been released.

These are primarily security releases with fixes for the CVE-2021-22044.

Applications using type-level @RequestMappingannotations over Feign client interfaces, can be involuntarily exposing endpoints corresponding to @RequestMapping-annotated interface methods. Although a response is not returned for a request sent in this way, it does reach the corresponding server-side endpoint.

The practice of using a type-level @RequestMapping on a Feign client interface has been discouraged in the documentation, but we’re now taking the step to reject it completely.

These versions will be picked up later by the 2020.0.x and 2021.0.x release trains, however, we recommend you already upgrade Spring Cloud OpenFeign in your projects to these most recent versions.

See all issues included in 2.2.10.RELEASE here
See all issues included in 3.1.0-M4 here
No additional issues were included for 3.0.5.

comments powered by Disqus