Several CVEs through dependency on outdated WSS4J DOM WS Security
snv opened this issue · 1 comments
snv commented
Even after upgrading to the recent 3.2.0 Spring Boot release I still get a critical vulnerability alert, because spring-ws-security still (transitively) pulls in flagged versions.
[INFO] --- dependency:3.6.1:tree (default-cli) @ server ---
[INFO] [My Project]
[INFO] +- org.springframework.ws:spring-ws-security:jar:4.0.8:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-dom:jar:2.4.1:compile
[INFO] |     \- org.apache.wss4j:wss4j-ws-security-common:jar:2.4.1:compile
[INFO] |        \- org.opensaml:opensaml-saml-impl:jar:3.4.6:compile
[INFO] |           \- org.opensaml:opensaml-security-impl:jar:3.4.6:compile
[INFO] |              \- org.opensaml:opensaml-security-api:jar:3.4.6:compile
[INFO] |                 \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
[INFO] \- org.springframework.security:spring-security-rsa:jar:1.1.1:compile
[INFO]    \- org.bouncycastle:bcprov-jdk18on:jar:1.74:compile
This pulls in several CVEs.
For example, directly in org.apache.wss4j:wss4j-ws-security-dom:jar:2.4.1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33201
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169
And the critically scored one from BouncyCastle:
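Added example (not code from the issue or from the Spring WS project): a small parser for the `mvn dependency:tree` text quoted above that reports, for each resolved artifact, the direct dependency dragging it in (the one an override or exclusion has to target) and flags versions below a policy minimum. The sample tree is the issue's own output with indentation reconstructed; the policy thresholds are constructed placeholders, not fixed-version claims.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the dependency tree from the issue, as Maven prints it.
TREE = r"""
[INFO] +- org.springframework.ws:spring-ws-security:jar:4.0.8:compile
[INFO] |  \- org.apache.wss4j:wss4j-ws-security-dom:jar:2.4.1:compile
[INFO] |     \- org.apache.wss4j:wss4j-ws-security-common:jar:2.4.1:compile
[INFO] |        \- org.opensaml:opensaml-saml-impl:jar:3.4.6:compile
[INFO] |           \- org.opensaml:opensaml-security-impl:jar:3.4.6:compile
[INFO] |              \- org.opensaml:opensaml-security-api:jar:3.4.6:compile
[INFO] |                 \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
[INFO] \- org.springframework.security:spring-security-rsa:jar:1.1.1:compile
[INFO]    \- org.bouncycastle:bcprov-jdk18on:jar:1.74:compile
"""

# Maven indents each nesting level by three columns ("|  " or "   ").
NODE = re.compile(r"^\[INFO\] (?P<prefix>(?:[| ]  )*)[+\\]- (?P<gav>\S+)$")

Node = Tuple[str, str, str, List[str]]  # (group, artifact, version, ancestors)

def parse_tree(text: str) -> List[Node]:
    """Parse dependency:tree output; ancestors run from the direct dependency down."""
    stack: List[str] = []
    nodes: List[Node] = []
    for line in text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # header lines, the project root, blank lines
        depth = len(m.group("prefix")) // 3
        parts = m.group("gav").split(":")  # g:a:type[:classifier]:version:scope
        group, artifact, version = parts[0], parts[1], parts[-2]
        del stack[depth:]  # drop ancestors deeper than this node
        nodes.append((group, artifact, version, list(stack)))
        stack.append(f"{group}:{artifact}:{version}")
    return nodes

def _key(version: str) -> Tuple[int, ...]:
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def below_minimum(nodes: List[Node], minimums: Dict[str, str]):
    """(coordinate, resolved version, direct dependency to target) for each policy breach."""
    return [(f"{g}:{a}", v, path[0] if path else None)
            for g, a, v, path in nodes
            if f"{g}:{a}" in minimums and _key(v) < _key(minimums[f"{g}:{a}"])]

if __name__ == "__main__":
    # Placeholder thresholds for illustration only; consult the advisories for real ones.
    policy = {"org.apache.wss4j:wss4j-ws-security-dom": "2.4.2",
              "org.bouncycastle:bcprov-jdk15on": "1.70"}
    for hit in below_minimum(parse_tree(TREE), policy):
        print("%s:%s pulled in via %s" % hit)
```

Both BouncyCastle providers in the tree share the `org.bouncycastle` groupId but are distinct artifacts, so a pin on one does not change the other.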
cachescrubber commented
See also #1358. Obviously, if time passes, it doesn't get any better.