bump: Azure Core Lib 2.0.6

Summary

This merge request updates the Azure Core Lib version from 2.0.4 to 2.0.6.

Changes

  • Updated org.springframework.security:spring-security-core from 6.4.2 to 6.4.3
  • Updated org.springframework.security:spring-security-crypto from 6.4.2 to 6.4.3

Security Impact

This update resolves the following security issues:

Critical Vulnerabilities Fixed (1)

  • CVE-2025-24813: Fixed potential RCE and/or information disclosure in Tomcat embed core

Medium Vulnerabilities Fixed (1)

  • CVE-2025-25193: Fixed Denial of Service vulnerability in Netty Common

Remaining Vulnerabilities

  • CVE-2025-22223 (MEDIUM): Authorization bypass via incorrectly locating method security annotations (still present in 6.4.3, requires 6.4.4 to fix)
  • CVE-2025-22228 (HIGH): BCryptPasswordEncoder not enforcing maximum password length (still present in 6.4.3, requires 6.4.4 to fix)

Notes

While this update makes significant security improvements, two vulnerabilities remain that will require upgrading to version 6.4.4 in a future update. Those vulnerabilities are tracked and will be addressed in a separate MR.

Testing

Standard regression tests were run and passed after the dependency update.

Risk Assessment

This is a low-risk change as it only updates dependency versions to address security vulnerabilities without introducing new functionality or API changes.
