I already raised the same issue in the Spring Project, but just in case I'm posting it here as well. Spring framework has Bouncy Castle as a dependency library, whose issue is registered as a CVE. The vulnerability has already been patched in version 1.6.7, whereas Spring remains on 1.6.6, and I couldn't find any issue or PR mentioning it, so I raise an issue here.
Comment From: jzheaux
A couple of things to note:
- Spring Security does not use `OpenBSDBcrypt` and so is not affected by this CVE
- The `5.4.x` branch uses the indicated Bouncycastle version, but `master` has already been updated to 1.67
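The practical check behind the comment above is which Bouncy Castle version a build actually resolves on its classpath, not which one a branch declares. The following is an added example, not part of this thread or of Spring Security's own code: it parses the line format printed by `mvn dependency:tree` and flags any resolved `org.bouncycastle` artifact below 1.67 (the fixed version named in the thread). The sample tree is constructed, the `bcprov-jdk15on`/`bcpkix-jdk15on` artifact names and the "omitted for conflict" line shape are assumptions about Maven's output, and classifiers are not handled.

```python
import re

# Minimum Bouncy Castle release the thread names as fixed (assumption taken from
# the comment above, not from any advisory text on this page).
FIXED_VERSION = "1.67"

# Constructed sample in the shape of `mvn dependency:tree -Dverbose` output.
# Not a real build log: the artifact names and versions are assumed for illustration.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.security:spring-security-crypto:jar:5.4.1:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.66:compile
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.67:compile
[INFO] |  \\- (org.bouncycastle:bcprov-jdk15on:jar:1.67:compile - omitted for conflict with 1.66)
[INFO] \\- org.springframework.boot:spring-boot-starter:jar:2.4.0:compile
"""

# group:artifact:type:version:scope as Maven prints a resolved coordinate
# (classifier-bearing coordinates are an assumption left out here).
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?P<version>[\w.\-]+):\w+"
)


def version_key(version):
    """Turn '1.66' or '1.67.1' into a comparable tuple; non-numeric parts sort after numbers."""
    parts = []
    for piece in version.split("."):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece))
    return tuple(parts)


def resolved_versions(tree_text):
    """Map each resolved (non-omitted) coordinate 'group:artifact' to its version.

    Lines Maven marks as 'omitted' lost conflict mediation and are not on the
    classpath, so they must not be counted as the effective version.
    """
    resolved = {}
    for line in tree_text.splitlines():
        if "omitted" in line:
            continue
        match = COORD_RE.search(line)
        if match:
            resolved[f"{match['group']}:{match['artifact']}"] = match["version"]
    return resolved


def check_bouncycastle(tree_text, minimum=FIXED_VERSION):
    """Return (coordinate, version, is_at_or_above_minimum) for every resolved Bouncy Castle artifact."""
    return [
        (coord, ver, version_key(ver) >= version_key(minimum))
        for coord, ver in resolved_versions(tree_text).items()
        if coord.startswith("org.bouncycastle:")
    ]


if __name__ == "__main__":
    for coord, ver, ok in check_bouncycastle(SAMPLE_TREE):
        status = "ok" if ok else f"BELOW {FIXED_VERSION}"
        print(f"{coord} {ver} {status}")
```

To run it against a real project, feed the output of `mvn dependency:tree -Dverbose -Dincludes=org.bouncycastle` into `check_bouncycastle` instead of `SAMPLE_TREE`; the verbose flag is what makes Maven print the omitted conflict losers, which this check deliberately ignores so that a newer transitive copy that lost mediation is not mistaken for the version actually loaded.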
Comment From: rwinch
As mentioned above, all supported versions of Spring Security are using fixed versions of bouncycastle. In the future, please use our security policy when reporting anything that might be a vulnerability: https://github.com/spring-projects/spring-security/security/policy