Describe the bug
Since the CVEs started to fail, we need to urgently update the spring-security-* artifacts from 5.7.4 → 5.7.5 (see https://spring.io/blog/2022/10/31/cve-2022-31692-authorization-rules-can-be-bypassed-via-forward-or-include-in-spring-security).
The current problematic parts in the dependencies tree look like this:
+- org.springframework.boot:spring-boot-starter-security:jar:2.7.5:compile
|  +- org.springframework:spring-aop:jar:5.3.23:compile
|  +- org.springframework.security:spring-security-config:jar:5.7.4:compile
|  \- org.springframework.security:spring-security-web:jar:5.7.4:compile
|     \- org.springframework:spring-expression:jar:5.3.23:compile
and
+- org.springframework.security:spring-security-test:jar:5.7.4:test
|  \- org.springframework.security:spring-security-core:jar:5.7.4:compile
|     \- org.springframework.security:spring-security-crypto:jar:5.7.4:compile
According to https://docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/reference/html/get-spring-security.html and https://docs.spring.io/spring-security/reference/getting-spring-security.html#getting-maven-boot, we should be able to override the spring-security-* artifacts by setting the <spring-security.version> property.
Using either of these in the root pom.xml has not helped:
<spring-security.version>5.7.5</spring-security.version>
<spring-security-test.version>5.7.5</spring-security-test.version>
To Reproduce
See the sample project below; you may execute mvn dependency:tree to check the dependencies.
Expected behavior
There is a simple way to override the artifacts version, hopefully with <spring-security.version>5.7.5</spring-security.version> as in the documentation.
Sample
This is a sample project with a configuration similar to my problematic project — https://github.com/dmitry-weirdo/spring-boot-thymeleaf-test. I used it for the similar problem of non-working Thymeleaf version override (see https://github.com/spring-projects/spring-boot/issues/28893).
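The report suggests checking the resolved versions with mvn dependency:tree. The script below, an added example that is not part of the issue or of Spring Boot, parses that tree output and lists every org.springframework.security module still resolving below a target version, so the check can run in CI after the override is applied. The tree text embedded in it is constructed to mirror the one in the report; the script reads a real tree from stdin when one is piped in.

```python
"""Flag Spring Security modules in `mvn dependency:tree` output that resolve
below a minimum version. Added example; the sample tree is constructed."""
import re
import sys

# Constructed sample, shaped like the tree in the report (5.7.4 everywhere).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.7.5:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.23:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:5.7.4:compile
[INFO] |  \\- org.springframework.security:spring-security-web:jar:5.7.4:compile
[INFO] |     \\- org.springframework:spring-expression:jar:5.3.23:compile
[INFO] \\- org.springframework.security:spring-security-test:jar:5.7.4:test
[INFO]    \\- org.springframework.security:spring-security-core:jar:5.7.4:compile
[INFO]       \\- org.springframework.security:spring-security-crypto:jar:5.7.4:compile
"""

# Maven prints groupId:artifactId:packaging[:classifier]:version:scope,
# optionally followed by a marker such as "(optional)".
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)"
    r"(?:\s+\(.*\))?\s*$"
)


def parse_tree(text):
    """Map 'groupId:artifactId' to the version Maven resolved for it.

    The root project line has no scope and is therefore skipped."""
    found = {}
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            found[f"{m['group']}:{m['artifact']}"] = m["version"]
    return found


def version_key(version):
    """Tuple of the numeric components, e.g. '5.7.4' -> (5, 7, 4).

    Qualifiers such as -SNAPSHOT are ignored; this is a deliberate
    simplification for comparing release versions."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated_modules(tree_text, group="org.springframework.security", minimum="5.7.5"):
    """Sorted (coordinate, version) pairs from `group` resolved below `minimum`."""
    floor = version_key(minimum)
    return sorted(
        (coord, ver)
        for coord, ver in parse_tree(tree_text).items()
        if coord.startswith(group + ":") and version_key(ver) < floor
    )


if __name__ == "__main__":
    # Usage: mvn dependency:tree | python check_security_versions.py
    text = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    stale = outdated_modules(text)
    for coord, ver in stale:
        print(f"{coord} resolves to {ver} (below 5.7.5)")
    sys.exit(1 if stale else 0)
```

A non-zero exit code makes the check usable as a build gate: once the override (or the bom import) takes effect, the same tree should produce an empty list.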
Comment From: dmitry-weirdo
Update: it looks like when we're not inheriting from Spring Boot's parent POM, we have to explicitly set the version for each of the dependencies (see https://docs.spring.io/spring-boot/docs/current/maven-plugin/reference/htmlsingle/#using.import).
This update has helped (see the commit https://github.com/dmitry-weirdo/spring-boot-thymeleaf-test/commit/a812b41bbc002a9c7a3685ccbe6bbb1b1e905943):
<!-- Override spring-security version provided by Spring Boot -->
<!-- see https://docs.spring.io/spring-boot/docs/current/maven-plugin/reference/htmlsingle/#using.import -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-test</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>${spring-security.version}</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-crypto</artifactId>
    <version>${spring-security.version}</version>
</dependency>
Comment From: wilkinsona
@dmitry-weirdo You may want to import Spring Security's bom rather than having to manage the versions of individual modules:
diff --git a/pom.xml b/pom.xml
index f933c36..c62a4af 100644
--- a/pom.xml
+++ b/pom.xml
@@ -134,28 +134,10 @@
<!-- see https://docs.spring.io/spring-boot/docs/current/maven-plugin/reference/htmlsingle/#using.import -->
<dependency>
<groupId>org.springframework.security</groupId>
- <artifactId>spring-security-config</artifactId>
- <version>${spring-security.version}</version>
- </dependency>
- <dependency>
- <groupId>org.springframework.security</groupId>
- <artifactId>spring-security-web</artifactId>
- <version>${spring-security.version}</version>
- </dependency>
- <dependency>
- <groupId>org.springframework.security</groupId>
- <artifactId>spring-security-test</artifactId>
- <version>${spring-security.version}</version>
- </dependency>
- <dependency>
- <groupId>org.springframework.security</groupId>
- <artifactId>spring-security-core</artifactId>
- <version>${spring-security.version}</version>
- </dependency>
- <dependency>
- <groupId>org.springframework.security</groupId>
- <artifactId>spring-security-crypto</artifactId>
+ <artifactId>spring-security-bom</artifactId>
<version>${spring-security.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
</dependency>
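Review bot: the imported spring-security-bom only takes precedence over the versions managed by spring-boot-dependencies if it is declared before that import in the same <dependencyManagement> section, because Maven keeps the first managed version it encounters; the context lines around line 134 do not show where this block sits relative to the spring-boot-dependencies import, so please confirm the ordering (the using.import page referenced in the comment line describes this). It is also worth noting next to that comment that ${spring-security.version} must remain defined as a property, and re-running mvn dependency:tree after the change to confirm that spring-security-core and spring-security-crypto, which are no longer listed explicitly, now resolve to 5.7.5 as well.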
Comment From: AkselAllas
I think the real issue that needs fixing is that we don't have a release of spring-boot-starter-security which includes a fix for cve-2022-31692.
Need an issue to track this problem. Either reopen this issue or create a new one in the correct place 🤔
Comment From: MathisPct
I think the real issue that needs fixing is that we don't have a release of spring-boot-starter-security which includes a fix for cve-2022-31692.
Need an issue to track this problem. Either reopen this issue or create a new one in the correct place 🤔
Agree with you. For now, there are no dependency updates of spring-security for spring-boot-security-starter. I think it can be a good idea to reopen the issue @dmitry-weirdo
Comment From: MathisPct
See the issue here https://github.com/spring-projects/spring-boot/issues/32983