SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

[Vulnerability] org.springframework.security:spring-security-jwt:jar:1.0.9.RELEASE #144

Closed Holdo closed 5 years ago

Holdo commented 5 years ago

Please update the version; 1.0.9.RELEASE has vulnerabilities.

https://github.com/SAP/cloud-security-xsuaa-integration/blob/18ffd34e99eadf0535c349a0b6f576eec86a79fe/spring-xsuaa-mock/pom.xml#L64

https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32369 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613

frzme commented 5 years ago

Also, and related: is it necessary that xsuaa-spring-boot-starter has a transitive dependency on spring-xsuaa-test in compile scope (which in turn pulls in spring-security-jwt)?

nenaraab commented 5 years ago

@Holdo Thanks for reporting! Will exclude the dependency on Bouncy Castle if possible!

@frzme I also recognized that stupid dependency yesterday and already fixed it in master.

nenaraab commented 5 years ago

spring-boot-starter no longer has a dependency on spring-security-jwt; see https://github.com/SAP/cloud-security-xsuaa-integration/commit/7ab2630eb0101ce711f803e4edee0cfa87a67ff9

and spring-xsuaa-mock no longer has a dependency on spring-security-jwt; see https://github.com/SAP/cloud-security-xsuaa-integration/commit/fe277f33734af72d7e81962734c0ef3de9d77ace

Only spring-xsuaa-test has a dependency, but this should be added with test scope and is uncritical. Still, I've upgraded to the latest released version with https://github.com/SAP/cloud-security-xsuaa-integration/commit/f642e814fe66f2139043e0ffcff0d17bcbba2bdc

All of these changes will be available with the next released version 2.1.0 very soon.
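
The two comments above (frzme's question about spring-xsuaa-test arriving in compile scope, and nenaraab's point that the remaining spring-security-jwt dependency is uncritical once it is test-scoped) boil down to one check a consumer of the starter can run on their own build: walk `mvn dependency:tree` output, find the flagged artifacts, and report the effective scope each one arrives in. The script below is an added example, not code from the SAP project or from anyone in this thread. The two tree dumps are constructed samples; apart from spring-security-jwt 1.0.9.RELEASE, which the issue names, the artifact versions in them are placeholders, and the Bouncy Castle "fixed in 1.60" threshold for CVE-2018-1000613 is an assumption to verify against the linked advisory before relying on it.

```python
"""Flag vulnerable artifacts in `mvn dependency:tree` output and report whether
they ship (compile/runtime scope) or stay test-only.

Added example; not part of the SAP library. Sample trees below are constructed.
"""
import re
from dataclasses import dataclass

# Default (non-verbose) tree line: "[INFO] " + tree-drawing prefix made of
# 3-character units ("+- ", "\- ", "|  ", "   ") + Maven coordinates.
LINE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ ]  |[+\\]- )*)(?P<coord>\S+:\S+)")
SCOPES = {"compile", "provided", "runtime", "test", "system"}
SHIPPED = {"compile", "runtime"}  # scopes that end up in the deployed artifact


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    scope: str      # "root" for the project's own line
    path: tuple     # "group:artifact" chain from the root down to this node

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_tree(text: str) -> list:
    """Parse dependency:tree text output into Dep records, tracking each node's path."""
    deps, stack = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # plugin banners, BUILD SUCCESS, etc.
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        # group:artifact:packaging[:classifier]:version[:scope]; root has no scope
        scope = parts[-1] if parts[-1] in SCOPES else "root"
        version = parts[-2] if scope != "root" else parts[-1]
        del stack[depth:]  # pop back to this node's parent
        ga = f"{parts[0]}:{parts[1]}"
        deps.append(Dep(parts[0], parts[1], version, scope, tuple(stack) + (ga,)))
        stack.append(ga)
    return deps


def version_key(v: str) -> tuple:
    """Numeric-prefix ordering key: '1.0.9.RELEASE' -> (1, 0, 9). A simplification
    of Maven's real version ordering, good enough for plain dotted versions."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


# Advisory rules, group:artifact -> "is this version affected?".
# spring-security-jwt 1.0.9.RELEASE is the version named in the issue; the
# Bouncy Castle threshold (< 1.60) is an assumed reading of CVE-2018-1000613.
RULES = {
    "org.springframework.security:spring-security-jwt": lambda v: version_key(v) <= (1, 0, 9),
    "org.bouncycastle:bcpkix-jdk15on": lambda v: version_key(v) < (1, 60),
}


@dataclass
class Finding:
    dep: Dep
    ships: bool  # True if the artifact reaches the deployed package


def find_vulnerable(deps: list, rules=RULES) -> list:
    return [Finding(d, d.scope in SHIPPED)
            for d in deps if d.ga in rules and rules[d.ga](d.version)]


def shipped_vulnerabilities(tree_text: str, rules=RULES) -> list:
    """'group:artifact:version' for every flagged dependency that actually ships."""
    return [f"{f.dep.ga}:{f.dep.version}"
            for f in find_vulnerable(parse_tree(tree_text), rules) if f.ships]


# Constructed sample: the situation frzme describes (test helper in compile scope).
BEFORE_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.0.0:compile
[INFO] |  \\- com.sap.cloud.security.xsuaa:spring-xsuaa-test:jar:2.0.0:compile
[INFO] |     \\- org.springframework.security:spring-security-jwt:jar:1.0.9.RELEASE:compile
[INFO] |        \\- org.bouncycastle:bcpkix-jdk15on:jar:1.56:compile
[INFO] \\- org.springframework.boot:spring-boot-starter:jar:2.1.0.RELEASE:compile
"""

# Constructed sample: starter no longer pulls the test helper; the consumer
# declares spring-xsuaa-test itself with <scope>test</scope>.
AFTER_TREE = """\
[INFO] com.example:my-app:jar:1.0.0
[INFO] +- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.1.0:compile
[INFO] \\- com.sap.cloud.security.xsuaa:spring-xsuaa-test:jar:2.1.0:test
[INFO]    \\- org.springframework.security:spring-security-jwt:jar:1.0.9.RELEASE:test
[INFO]       \\- org.bouncycastle:bcpkix-jdk15on:jar:1.56:test
"""

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_TREE), ("after", AFTER_TREE)):
        print(f"== {label} ==")
        for f in find_vulnerable(parse_tree(tree)):
            state = "SHIPS" if f.ships else "test-only"
            print(f"{state:9} {f.dep.ga}:{f.dep.version} [{f.dep.scope}] via {' -> '.join(f.dep.path)}")
```

Feed it the output of `mvn dependency:tree` (or `mvn dependency:tree -Dincludes=org.bouncycastle` to narrow the dump) from the consuming project. The path printed for each finding answers frzme's question directly: in the "before" tree, spring-security-jwt arrives through xsuaa-spring-boot-starter and spring-xsuaa-test at compile scope and therefore ships, whereas in the "after" tree the same artifact is still present but only under a test-scoped parent, which is the "uncritical" case nenaraab describes. Note that this only checks scope; a test-scoped vulnerable library still runs in CI, so upgrading it, as the later commit does, is the complete fix.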

nenaraab commented 5 years ago

Release 2.1.0 is available on Maven Central.