Hello Spring Security SAML Team,

Hope this message finds you well, fingers crossed everything is fine on your side. I currently have a project that is SpringBoot 2.6.2 + SpringCloud 2021.0.0. In my project, I am using the saml2 provider, as follows:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
</dependency>

Looking at the result of maven dependency:list I do see

[INFO]    org.springframework.security:spring-security-saml2-service-provider:jar:5.6.1:compile -- module spring.security.saml2.service.provider [auto]
[INFO]    org.springframework.security:spring-security-web:jar:5.6.1:compile -- module spring.security.web [auto]
[INFO]    org.springframework.security:spring-security-core:jar:5.6.1:compile -- module spring.security.core [auto]

This is quite strange, as I believe CVE-2018-1258 was created for this. Wanted to open an issue, as the SpringBoot and SpringCloud versions I am using are pretty up to date.

Thank you
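Added example (not part of the issue or of the Spring Security project): a small Python checker that parses `mvn dependency:list` output of the shape quoted above and matches each resolved artifact by exact group:artifact and version range against an inline advisory table. The sample output is constructed: it repeats the three lines from the issue and adds a hypothetical `org.springframework:spring-core:5.0.5.RELEASE` line so that a match is exercised. The advisory entry uses the CVE id from the issue; its affected artifact and version range (spring-core 5.0.5, fixed in 5.0.6) are taken from the published advisory as understood by the editor and should be verified against that advisory before relying on them.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three lines quoted in the issue plus one
# hypothetical transitive spring-core line, added so a match is exercised.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.security:spring-security-saml2-service-provider:jar:5.6.1:compile -- module spring.security.saml2.service.provider [auto]
[INFO]    org.springframework.security:spring-security-web:jar:5.6.1:compile -- module spring.security.web [auto]
[INFO]    org.springframework.security:spring-security-core:jar:5.6.1:compile -- module spring.security.core [auto]
[INFO]    org.springframework:spring-core:jar:5.0.5.RELEASE:compile -- module spring.core [auto]
"""


@dataclass(frozen=True)
class Advisory:
    cve: str
    group: str
    artifact: str
    affected_from: tuple  # inclusive lower bound, as a version tuple
    fixed_in: tuple       # exclusive upper bound, as a version tuple


# Advisory table. The CVE id comes from the issue; the artifact and range are
# the editor's reading of the published advisory (assumption: verify it).
ADVISORIES = [
    Advisory("CVE-2018-1258", "org.springframework", "spring-core", (5, 0, 5), (5, 0, 6)),
]


def version_key(version):
    """Turn '5.0.5.RELEASE' or '5.6.1' into a tuple of ints for comparison.
    The first non-numeric segment (e.g. 'RELEASE') ends the numeric part."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def parse_dependency_list(text):
    """Extract (group, artifact, version, scope) from dependency:list lines.
    Coordinates are group:artifact:type[:classifier]:version:scope; lines that
    do not carry a coordinate (headers, blank lines) are skipped."""
    deps = []
    for line in text.splitlines():
        m = re.match(r"\[INFO\]\s+(\S+)", line)
        if not m:
            continue
        fields = m.group(1).split(":")
        if len(fields) == 5:
            group, artifact, _type, version, scope = fields
        elif len(fields) == 6:
            group, artifact, _type, _classifier, version, scope = fields
        else:
            continue
        deps.append((group, artifact, version, scope))
    return deps


def find_affected(deps, advisories=ADVISORIES):
    """Return (cve, coordinate) pairs for resolved artifacts whose exact
    group:artifact matches an advisory and whose version falls in its range.
    A similarly named artifact in another group (spring-security-core vs
    spring-core) is deliberately not a match."""
    hits = []
    for group, artifact, version, _scope in deps:
        key = version_key(version)
        for adv in advisories:
            same_artifact = (group, artifact) == (adv.group, adv.artifact)
            if same_artifact and adv.affected_from <= key < adv.fixed_in:
                hits.append((adv.cve, f"{group}:{artifact}:{version}"))
    return hits


if __name__ == "__main__":
    for cve, coordinate in find_affected(parse_dependency_list(SAMPLE_OUTPUT)):
        print(f"{cve}: {coordinate}")
```

Matching on the full group:artifact is the point: the three `org.springframework.security` artifacts at 5.6.1 are not flagged, only the constructed `org.springframework:spring-core` line is. To run it against a real build, pipe `mvn dependency:list` output into `parse_dependency_list` instead of `SAMPLE_OUTPUT`.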

Comment From: jzheaux

Hi, @patpatpat123, thanks for reaching out.

I'm not clear yet on what your concern is. It appears that you are using the latest spring-security-saml2-service-provider. I'm not clear on how this relates to the earlier version of spring-core that the CVE references.

Comment From: patpatpat123

Hello @jzheaux,

Thank you for jumping on this issue, happy new year. I misunderstood and thought the CVE was applicable even to the latest version, and wanted to be safe rather than sorry. Thank you for your explanation and closing.