spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0

Vulnerabilities for spring Vault Core CVE-2013-4152 CVE-2013-7315 CVE-2014-0054 #694

Closed patpatpat123 closed 2 years ago

patpatpat123 commented 2 years ago

Hello Spring Vault Team,

It is my first message in this repo, so, first of all, I would like to say a big thanks for this project.

Just wanted to highlight an issue if you allow me.

I am running Spring Boot 2.6.6 + Jubilee 2021.0.1 (the most recent as of this writing).

I am also running a couple of static analysis tools, such as Black Duck, SonarQube, OWASP Dependency Check, etc. on both this repo standalone and on my Spring Boot app.

In all occurrences, I am being flagged with those CVEs on version 2.3.2 (verified Spring Cloud dependency `<spring-vault.version>2.3.2</spring-vault.version>`):

CVE-2013-4152 CVE-2013-7315 CVE-2014-0054

Would it be possible to help fix those issues please?

Thank you!

mp911de commented 2 years ago

All the mentioned CVEs target early Spring 4.0 versions, where the most recent CVE, CVE-2014-0054, was fixed in Spring Framework 4.0.2, while Spring Vault 2.3.2 depends on Spring Framework 5.3.5.

That being said, these CVEs were addressed at least 8 years ago. Some component within your scanning chain is either not up to date, or there is a different kind of issue which we cannot solve as the Spring team.

patpatpat123 commented 2 years ago

If I may add some facts:

https://github.com/patpatpat123/springvaultcve

Do you mind cloning/downloading this repo please?

Then, please run: `./mvnw clean install dependency:tree`

Question: Are you able to see something like: `spring-vault-core-2.3.2.jar (pkg:maven/org.springframework.vault/spring-vault-core@2.3.2, cpe:2.3:a:vmware:spring_framework:2.3.2:::::::*) : CVE-2013-4152, CVE-2013-7315, CVE-2014-0054`

Thank you
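The triage step behind the maintainer's reply, as an added example that is not part of this thread or of the Spring Vault project: it parses a Dependency-Check finding in the format quoted above (a constructed line, with the CPE wildcard fields written out as `*`), flags a CPE whose version disagrees with the Spring Framework version actually resolved in the tree (5.3.5 per the reply; the `resolved_versions` map is constructed), and renders a suppression entry for that false match (the suppression XML element names are assumed to follow Dependency-Check's suppression schema).

```python
import re

# Constructed sample in the format quoted in the issue (wildcards written out as "*").
SAMPLE_FINDING = (
    "spring-vault-core-2.3.2.jar (pkg:maven/org.springframework.vault/spring-vault-core@2.3.2, "
    "cpe:2.3:a:vmware:spring_framework:2.3.2:*:*:*:*:*:*:*) : "
    "CVE-2013-4152, CVE-2013-7315, CVE-2014-0054"
)
# Constructed: versions actually resolved by `mvnw dependency:tree` (5.3.5 from the maintainer's reply).
RESOLVED_VERSIONS = {"spring_framework": "5.3.5"}

FINDING_RE = re.compile(r"\((?P<purl>pkg:maven/[^,\s]+),\s*(?P<cpe>cpe:2\.3:[^)]+)\)\s*:\s*(?P<cves>.+)$")
PURL_RE = re.compile(r"pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^?#\s]+)")


def parse_finding(line):
    """Split a Dependency-Check finding into Maven coordinates, CPE fields and the CVE list."""
    m = FINDING_RE.search(line)
    if m is None:
        return None
    purl = PURL_RE.match(m.group("purl"))
    cpe = m.group("cpe").split(":")  # cpe:2.3:part:vendor:product:version:...
    return {
        "group": purl.group("group"), "artifact": purl.group("artifact"),
        "version": purl.group("version"),
        "cpe_vendor": cpe[3], "cpe_product": cpe[4], "cpe_version": cpe[5],
        "cves": [c.strip() for c in m.group("cves").split(",")],
    }


def is_cpe_mismatch(finding, resolved_versions):
    """True when the CPE version disagrees with the version of that product really in the tree
    (the scanner copied the artifact's 2.3.2 onto spring_framework), or, if the product is not
    in the tree at all, when the CPE names a product the artifact plainly is not."""
    actual = resolved_versions.get(finding["cpe_product"])
    if actual is not None:
        return actual != finding["cpe_version"]
    norm = lambda s: s.lower().replace("-", "_")
    return norm(finding["cpe_product"]) not in norm(finding["artifact"])


def suppression_rule(finding):
    """Render a suppression entry pinning the false CPE to this one artifact (assumed schema)."""
    purl_regex = r"^pkg:maven/{}/{}@.*$".format(re.escape(finding["group"]), re.escape(finding["artifact"]))
    return ("<suppress>\n  <notes>False positive: CPE version does not match resolved dependency</notes>\n"
            '  <packageUrl regex="true">{}</packageUrl>\n  <cpe>cpe:/a:{}:{}</cpe>\n</suppress>'
            ).format(purl_regex, finding["cpe_vendor"], finding["cpe_product"])


if __name__ == "__main__":
    finding = parse_finding(SAMPLE_FINDING)
    if is_cpe_mismatch(finding, RESOLVED_VERSIONS):
        print(suppression_rule(finding))
```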