spring-attic / spring-security-saml

SAML extension for the Spring Security project

HTTPClient 3.1 has a vulnerability (CVE-2012-5783) #459

Closed vdenotaris closed 4 years ago

vdenotaris commented 4 years ago

Affected versions of this package are vulnerable to Man-in-the-Middle attacks due to not verifying that the requesting server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

See: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783

Dependency tree: [image]
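The check that the report above says HttpClient 3.1 omits, shown as an added example (not code from spring-security-saml, HttpClient or the commenter). It implements RFC 6125-style hostname matching against a certificate's subjectAltName dNSName/iPAddress entries, with the subject Common Name used only as a fallback when no dNSName entry is present, and models the "any valid certificate is accepted" behaviour beside the hardened one. The certificates are constructed dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, so nothing here touches the network; the names `match_hostname` and `accept_server` are this example's own.

```python
"""Hostname verification of the kind CVE-2012-5783 describes as missing.

Added illustration, not code from spring-security-saml or HttpClient 3.1.
Certificates below are constructed dicts in the shape returned by
ssl.SSLSocket.getpeercert(); no network access is needed.
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is only
    allowed as the entire leftmost label, must be followed by at least two
    more labels ("*.com" is rejected) and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def _san_entries(cert: dict, kind: str) -> list:
    """Values of the subjectAltName entries of the given kind ('DNS' or 'IP Address')."""
    return [value for (key, value) in cert.get("subjectAltName", ()) if key == kind]


def _common_name(cert: dict):
    """First commonName attribute of the subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def match_hostname(cert: dict, hostname: str) -> bool:
    """True iff the certificate is issued for `hostname`.

    An IP literal matches only iPAddress SAN entries. A DNS name matches
    dNSName SAN entries if any exist; the CN is consulted only when the
    certificate carries no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        for value in _san_entries(cert, "IP Address"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        return False
    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    cn = _common_name(cert)
    return cn is not None and _dns_name_matches(cn, hostname)


def accept_server(cert: dict, requested_host: str, verify_hostname: bool = True) -> bool:
    """The decision taken after the chain has validated. With
    verify_hostname=False this models the behaviour the CVE describes:
    any validly issued certificate is accepted, whoever it names."""
    if not verify_hostname:
        return True
    return match_hostname(cert, requested_host)


# Constructed sample certificates (not real ones).
IDP_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "idp.example.org"), ("DNS", "*.sso.example.org")),
}
# Validly issued to a domain the attacker controls; presented during a MITM.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}
# Old-style certificate with no SAN: CN fallback applies.
LEGACY_CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}
# CN names the IdP but the SAN does not: SAN wins, CN is ignored.
MISLEADING_CN_CERT = {
    "subject": ((("commonName", "idp.example.org"),),),
    "subjectAltName": (("DNS", "other.example.org"),),
}
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    # The MITM case: the attacker's certificate is accepted for the IdP host
    # only when the hostname check is skipped.
    print(accept_server(ATTACKER_CERT, "idp.example.org", verify_hostname=False))
    print(accept_server(ATTACKER_CERT, "idp.example.org"))
```

The behaviour worth noting is the SAN precedence rule: once a certificate carries any dNSName entry, a matching CN no longer counts, which is how modern clients (and browsers) behave; a verifier that matched CN "or" SAN would be weaker than the description in the report implies.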

ogarber commented 4 years ago

Hi,

I'm just wondering - are there any plans to address this issue? Sorry for asking, but my product is marked as vulnerable due to this problem. And I want to know - what options do I have...

rwinch commented 4 years ago

There isn't really a way to avoid HTTPClient 3.1 without doing a major release (we cannot update the dependency to a new major version unless we provide a new major release). There are also CVEs in OpenSaml 1.x, which is in the API signature of many of the APIs. In short, there isn't much we can do in a patch release.

Instead, you should update to use the SAML support in Spring Security proper which fixes these vulnerabilities https://docs.spring.io/spring-security/site/docs/5.3.0.RELEASE/reference/html5/#servlet-saml2