From c1f557188b845467d78bf3caf4c5b314f04f7650 Mon Sep 17 00:00:00 2001 From: Jakub Kochman Date: Mon, 30 Jun 2025 12:41:25 +0200 Subject: [PATCH 1/2] PRODSEC-10332 updated fileupload2 to address CVE-2025-48976 --- pom.xml | 4 ++-- spring-webscripts/spring-webscripts/pom.xml | 2 +- .../extensions/webscripts/servlet/FormData.java | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pom.xml b/pom.xml index a4dae1d..dc743b8 100644 --- a/pom.xml +++ b/pom.xml @@ -74,8 +74,8 @@ org.apache.commons - commons-fileupload2-jakarta - 2.0.0-M1 + commons-fileupload2-jakarta-servlet6 + 2.0.0-M4 commons-io diff --git a/spring-webscripts/spring-webscripts/pom.xml b/spring-webscripts/spring-webscripts/pom.xml index 89f9c76..792166a 100644 --- a/spring-webscripts/spring-webscripts/pom.xml +++ b/spring-webscripts/spring-webscripts/pom.xml @@ -32,7 +32,7 @@ org.apache.commons - commons-fileupload2-jakarta + commons-fileupload2-jakarta-servlet6 diff --git a/spring-webscripts/spring-webscripts/src/main/java/org/springframework/extensions/webscripts/servlet/FormData.java b/spring-webscripts/spring-webscripts/src/main/java/org/springframework/extensions/webscripts/servlet/FormData.java index 786d9ee..79abb1f 100644 --- a/spring-webscripts/spring-webscripts/src/main/java/org/springframework/extensions/webscripts/servlet/FormData.java +++ b/spring-webscripts/spring-webscripts/src/main/java/org/springframework/extensions/webscripts/servlet/FormData.java 
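Review bot: The switch from `commons-fileupload2-jakarta` to `commons-fileupload2-jakarta-servlet6` in the root pom.xml hunk (`@@ -74,8 +74,8 @@`) and again in spring-webscripts/spring-webscripts/pom.xml (`@@ -32,7 +32,7 @@`) ties the upload module to the Servlet 6 API, and nothing in the patch shows that every supported container provides it. If Servlet 5 containers are still in scope, the `-servlet5` variant of the artifact would presumably be needed instead, so the supported container baseline should be confirmed before merging. The new version is also still a milestone build, so a comment above the dependency such as `<!-- keep at 2.0.0-M4 or later for CVE-2025-48976; milestone build, revisit when a GA release exists -->` would stop a later cleanup from downgrading it.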
@@ -31,8 +31,8 @@ import org.apache.commons.fileupload2.core.FileItem; import org.apache.commons.fileupload2.core.FileItemFactory; import org.apache.commons.fileupload2.core.FileUploadException; -import org.apache.commons.fileupload2.jakarta.JakartaFileCleaner; -import org.apache.commons.fileupload2.jakarta.JakartaServletFileUpload; +import org.apache.commons.fileupload2.jakarta.servlet6.JakartaFileCleaner; +import org.apache.commons.fileupload2.jakarta.servlet6.JakartaServletFileUpload; import org.apache.commons.io.FileCleaningTracker; import org.apache.commons.io.FilenameUtils; import org.apache.commons.logging.Log; From f2b817ae3e704b3006660fa96b49adde21ea0758 Mon Sep 17 00:00:00 2001 From: Jakub Kochman Date: Mon, 30 Jun 2025 13:03:43 +0200 Subject: [PATCH 2/2] PRODSEC-10332 fixed other vulnerabilities to pass the veracode scan plugin --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index dc743b8..5b67f29 100644 --- a/pom.xml +++ b/pom.xml @@ -70,7 +70,7 @@ commons-beanutils commons-beanutils - 1.9.4 + 1.11.0 org.apache.commons @@ -121,7 +121,7 @@ - 6.2.0 + 6.2.8 17 ${java.version} ${java.version}
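Review bot: The limits applied to the `JakartaServletFileUpload` instance are not visible in the FormData.java hunk (`@@ -31,8 +31,8 @@`), which only touches imports, and the dependency bump does not set them. The CVE named in the commit subject concerns resource exhaustion while parsing multipart requests, so the code that constructs the upload object (outside this hunk) should be checked for explicit `setFileCountMax`, `setSizeMax` and `setFileSizeMax` calls rather than relying on library defaults. A short comment at that construction site, for example `// request, per-file and file-count limits are set here; see PRODSEC-10332`, would make the mitigation auditable. A regression test that posts a multipart request with oversized part headers and expects a `FileUploadException` would confirm the upgraded library is the one on the runtime classpath.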