Hello Spring Security Team,
Wanted to open a possible issue if you allow me.
During a very basic dependency tree check on a couple of projects using Spring Boot 2.6.x, I am seeing the following:
[INFO] +- org.springframework.security:spring-security-saml2-service-provider:jar:5.6.2:compile
[INFO] | +- org.springframework.security:spring-security-web:jar:5.6.2:compile
[INFO] | | \- org.springframework.security:spring-security-core:jar:5.6.2:compile
[INFO] | +- org.opensaml:opensaml-core:jar:3.4.6:compile
[INFO] | | +- joda-time:joda-time:jar:2.9:compile
[INFO] | | +- io.dropwizard.metrics:metrics-core:jar:4.2.8:compile
[INFO] | | +- net.shibboleth.utilities:java-support:jar:7.5.2:compile
[INFO] | | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | | \- com.google.guava:guava:jar:20.0:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.15:compile
[INFO] | +- org.opensaml:opensaml-saml-api:jar:3.4.6:compile
[INFO] | | +- org.opensaml:opensaml-xmlsec-api:jar:3.4.6:compile
[INFO] | | | \- org.opensaml:opensaml-security-api:jar:3.4.6:compile
[INFO] | | +- org.opensaml:opensaml-soap-api:jar:3.4.6:compile
[INFO] | | +- org.opensaml:opensaml-messaging-api:jar:3.4.6:compile
[INFO] | | +- org.opensaml:opensaml-profile-api:jar:3.4.6:compile
[INFO] | | \- org.opensaml:opensaml-storage-api:jar:3.4.6:compile
[INFO] | \- org.opensaml:opensaml-saml-impl:jar:3.4.6:compile
[INFO] | +- org.opensaml:opensaml-security-impl:jar:3.4.6:compile
[INFO] | +- org.opensaml:opensaml-xmlsec-impl:jar:3.4.6:compile
[INFO] | | +- org.apache.santuario:xmlsec:jar:2.0.10:compile
[INFO] | | | \- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[INFO] | | | \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] | | \- org.cryptacular:cryptacular:jar:1.1.4:compile
[INFO] | +- org.opensaml:opensaml-soap-impl:jar:3.4.6:compile
[INFO] | \- org.apache.velocity:velocity:jar:1.7:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] | \- commons-lang:commons-lang:jar:2.4:compile
Note, you can see the presence of commons-collections:commons-collections:jar:3.2.1
Not completely sure, but I thought 3.2.1 is a vulnerable version.
https://nvd.nist.gov/vuln/detail/CVE-2017-15708
I was wondering, can this be an issue please? Also, is there a way to update to a proper version from Spring Security? Or is there a way to update, or exclude the version from my projects?
Thank you
Comment From: jzheaux
Thanks for reaching out, @patpatpat123. The dependency you are referring to is based on an OpenSAML version that is EOL. It's recommended that you use the latest supported OpenSAML version. Alternatively, you can manage your commons-collections dependency to 3.2.2 where the vulnerability is addressed.
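One way to apply the override jzheaux describes in a Maven project, as an added example that is not part of the original thread (the groupId/artifactId and the 3.2.2 target come from the tree and reply above; the parent version, enforcer plugin version and the enforcer rule itself are assumptions, not something the thread prescribes):

```xml
<project>
  <!-- Assumed Spring Boot 2.6.x parent; the exact patch version is a placeholder -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.x</version>
  </parent>

  <!-- Pin the transitive commons-collections pulled in via opensaml/velocity to 3.2.2.
       dependencyManagement wins over the version any transitive dependency declares,
       so 3.2.1 is replaced everywhere in the tree without touching the SAML dependency. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Fail the build if any dependency (including transitive ones) ever brings
           commons-collections older than 3.2.2 back in, e.g. after a later upgrade. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-vulnerable-commons-collections</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <exclude>commons-collections:commons-collections:[,3.2.2)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

After the change, `mvn dependency:tree -Dincludes=commons-collections` should show only 3.2.2 under opensaml-saml-impl/velocity, and `mvn validate` fails the build if an older version reappears.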
Comment From: patpatpat123
Thank you!