Security Vulnerability in com.sap.cloud.security version 2.7.7

SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.

Apache License 2.0

151 stars 135 forks source link

Security Vulnerability in com.sap.cloud.security version 2.7.7 #397

Closed SwethaBalu closed 4 years ago

SwethaBalu commented 4 years ago

Hi,

We are using the artifacts xsuaa-spring-boot-starter and java-security-test from group com.sap.cloud.security of version 2.7.7

We have the following security vulnerabilities reported by white source.

In xsuaa-spring-boot-starter (2.7.7) there is a vulnerability reported on Nimbus-JOSE-JWT 7.8.1
CVE-2019-17195 Link to vulnerability : https://nvd.nist.gov/vuln/detail/CVE-2019-17195
In java-security-test (2.7.7) , there is a vulnerability reported on JUnit 4.12
CVE-2020-15250 Link to vulnerability : https://nvd.nist.gov/vuln/detail/CVE-2020-15250

Is there any fix planned for this issues?

Regards, Swetha

Is there any fix planned for this issue?

Regards,

Swetha

santoshkashyap commented 4 years ago

The issue also seems to be present( via transitive dependencies) in the most recent release 2.7.8:

As a workaround would it be fine if we use exclusions with maven dependency and provide separately for nimbus?

<dependency>
            <groupId>com.sap.cloud.security.xsuaa</groupId>
            <artifactId>xsuaa-spring-boot-starter</artifactId>
            <version>${sap.security.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>com.nimbusds</groupId>
                    <artifactId>nimbus-jose-jwt</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
            <version>${nimbus-jose-jwt.version}</version>
        </dependency>

Similarly for Junit 4.12 ?

Regards, Santosh

nenaraab commented 4 years ago

Hi @santoshkashyap

thanks for reporting! Sure, you can always overrule the spring-boot-starter version or single transient dependencies. We are going to fix the version with the next version.

Best regards, Nena

nenaraab commented 4 years ago

hi @liga-oz can you please take over? Thanks a lot, Nena

liga-oz commented 4 years ago

Hi @SwethaBalu @santoshkashyap ,

with release 2.7.9

Junit version updated 4.12 -> 4.13.1 https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/pom.xml#L74

with release 2.7.7

spring.security.version updated 5.3.3.RELEASE --> 5.3.4.RELEASE https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/pom.xml#L61 5.3.4.RELEASE contains transitive dependency of nimbus-jose-jwt version 8.19

If you still see the old versions, please check which of your dependencies are overriding cloud-security-xsuaa-integration library version values and update them accordingly.

Best Regards, Liga Ozolina