blogSpringBoot icon indicating copy to clipboard operation
blogSpringBoot copied to clipboard
verified publisher icon lurenha

Dependency org.springframework.security:spring-security-core, leading to CVE problem

Open CVEDetect opened this issue 2 years ago • 0 comments

Hi, In /,there is a dependency org.springframework.security:spring-security-core:5.1.5.RELEASE that calls the risk method.

CVE-2020-5408

The scope of this CVE affected version is ** [5.3.0.RELEASE, 5.3.2.RELEASE) [5.2.0.RELEASE, 5.2.4.RELEASE) [5.1.0.RELEASE, 5.1.10.RELEASE) [5.0.0.RELEASE, 5.0.16.RELEASE) [4.2.0.RELEASE, 4.2.16.RELEASE)**

After further analysis, in this project, the main Api called is org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder: encode(java.lang.CharSequence)Ljava.lang.String;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

CVE Bug Invocation Path : 
com.peng.security.JwtAuthenticationFilter: doFilterInternal(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)V .m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-starter/2.0.1/mybatis-spring-boot-starter-2.0.1.jar
org.springframework.security.web.authentication.www.BasicAuthenticationFilter: doFilterInternal(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)V .m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-starter/2.0.1/mybatis-spring-boot-starter-2.0.1.jar
org.springframework.security.authentication.ProviderManager: authenticate(org.springframework.security.core.Authentication)Lorg.springframework.security.core.Authentication; .m2/repository/org/springframework/security/spring-security-core/5.1.5.RELEASE/spring-security-core-5.1.5.RELEASE.jar
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider: authenticate(org.springframework.security.core.Authentication)Lorg.springframework.security.core.Authentication; .m2/repository/org/springframework/security/spring-security-core/5.1.5.RELEASE/spring-security-core-5.1.5.RELEASE.jar
org.springframework.security.authentication.dao.DaoAuthenticationProvider: createSuccessAuthentication(java.lang.Object,org.springframework.security.core.Authentication,org.springframework.security.core.userdetails.UserDetails)Lorg.springframework.security.core.Authentication; .m2/repository/org/springframework/security/spring-security-core/5.1.5.RELEASE/spring-security-core-5.1.5.RELEASE.jar
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder: encode(java.lang.CharSequence)Ljava.lang.String;

Dependency tree--

[INFO] com.peng:MyBlogApplication:jar:2.2.2-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.5.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.8:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.8:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.8:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.19:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.19:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.19:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.0.16.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.4.0:compile
[INFO] |  +- org.springframework:spring-web:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.1.7.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.1.7.RELEASE:compile
[INFO] |     +- org.springframework:spring-context:jar:5.1.7.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.1.7.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-amqp:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework:spring-messaging:jar:5.1.7.RELEASE:compile
[INFO] |  \- org.springframework.amqp:spring-rabbit:jar:2.1.6.RELEASE:compile
[INFO] |     +- org.springframework.amqp:spring-amqp:jar:2.1.6.RELEASE:compile
[INFO] |     |  \- org.springframework.retry:spring-retry:jar:1.2.4.RELEASE:compile
[INFO] |     +- com.rabbitmq:amqp-client:jar:5.4.3:compile
[INFO] |     \- org.springframework:spring-tx:jar:5.1.7.RELEASE:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- com.qiniu:qiniu-java-sdk:jar:7.2.29:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:3.14.4:runtime
[INFO] |  |  \- com.squareup.okio:okio:jar:1.17.2:runtime
[INFO] |  \- com.google.code.gson:gson:jar:2.8.5:runtime
[INFO] +- org.projectlombok:lombok:jar:1.18.6:provided
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.1.5.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.5.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.1.5.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.1.5.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.1.5.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  +- junit:junit:jar:4.12:test
[INFO] |  +- org.assertj:assertj-core:jar:3.11.1:test
[INFO] |  +- org.mockito:mockito-core:jar:2.23.4:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.9.12:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.9.12:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.6:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |  +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.1.7.RELEASE:compile
[INFO] |  +- org.springframework:spring-test:jar:5.1.7.RELEASE:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.6.2:test
[INFO] |     \- javax.xml.bind:jaxb-api:jar:2.3.1:test
[INFO] |        \- javax.activation:javax.activation-api:jar:1.2.0:test
[INFO] +- com.baomidou:mybatis-plus-boot-starter:jar:3.3.1.tmp:compile
[INFO] |  +- com.baomidou:mybatis-plus:jar:3.3.1.tmp:compile
[INFO] |  |  \- com.baomidou:mybatis-plus-extension:jar:3.3.1.tmp:compile
[INFO] |  |     \- com.baomidou:mybatis-plus-core:jar:3.3.1.tmp:compile
[INFO] |  |        \- com.baomidou:mybatis-plus-annotation:jar:3.3.1.tmp:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-jdbc:jar:2.1.5.RELEASE:compile
[INFO] |     +- com.zaxxer:HikariCP:jar:3.2.0:compile
[INFO] |     \- org.springframework:spring-jdbc:jar:5.1.7.RELEASE:compile
[INFO] +- com.github.pagehelper:pagehelper-spring-boot-starter:jar:1.2.12:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:2.0.1:compile
[INFO] |  |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:2.0.1:compile
[INFO] |  |  +- org.mybatis:mybatis:jar:3.5.1:compile
[INFO] |  |  \- org.mybatis:mybatis-spring:jar:2.0.1:compile
[INFO] |  +- com.github.pagehelper:pagehelper-spring-boot-autoconfigure:jar:1.2.12:compile
[INFO] |  \- com.github.pagehelper:pagehelper:jar:5.1.10:compile
[INFO] |     \- com.github.jsqlparser:jsqlparser:jar:2.0:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.16:compile
[INFO] +- com.alibaba:druid-spring-boot-starter:jar:1.1.13:compile
[INFO] |  +- com.alibaba:druid:jar:1.1.13:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.11.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:3.0.11.RELEASE:compile
[INFO] |  |     +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] |  \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.1.7.RELEASE:compile
[INFO] |  \- org.aspectj:aspectjweaver:jar:1.9.4:compile
[INFO] +- net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.8.0:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] +- com.auth0:java-jwt:jar:3.4.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.8:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.11:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-redis:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-redis:jar:2.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-keyvalue:jar:2.1.8.RELEASE:compile
[INFO] |  |  |  \- org.springframework.data:spring-data-commons:jar:2.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-oxm:jar:5.1.7.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context-support:jar:5.1.7.RELEASE:compile
[INFO] |  \- io.lettuce:lettuce-core:jar:5.1.6.RELEASE:compile
[INFO] |     +- io.netty:netty-common:jar:4.1.36.Final:compile
[INFO] |     +- io.netty:netty-handler:jar:4.1.36.Final:compile
[INFO] |     |  +- io.netty:netty-buffer:jar:4.1.36.Final:compile
[INFO] |     |  \- io.netty:netty-codec:jar:4.1.36.Final:compile
[INFO] |     +- io.netty:netty-transport:jar:4.1.36.Final:compile
[INFO] |     |  \- io.netty:netty-resolver:jar:4.1.36.Final:compile
[INFO] |     \- io.projectreactor:reactor-core:jar:3.2.9.RELEASE:compile
[INFO] |        \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.1.5.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-core:jar:5.1.5.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.1.5.RELEASE:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.73:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.14:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] \- org.eclipse.jetty:jetty-util:jar:9.3.7.v20160115:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect avatar Mar 18 '23 03:03 CVEDetect