Describe the bug

I recently encountered a vulnerability in my Maven project while adding a dependency to my pom.xml. The vulnerability is reported as CVE-2023-2976 with a severity level of High, indicating a "Files or Directories Accessible to External Parties" vulnerability. The problematic dependency is com.google.guava:guava:31.1-jre.

To Reproduce

Steps to reproduce the behavior.

Expected behavior

I attempted to mitigate the vulnerability by excluding the problematic dependency as follows:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.opensaml</groupId>
            <artifactId>opensaml-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Comment From: sjohnr

@doukhahmed thanks for reaching out.

From our perspective, com.google.guava:guava:31.1-jre is a transitive dependency of org.opensaml:opensaml-core:4.3.0 which is the latest available, so you would want to direct your query to the OpenSAML team. You may also try managing the version of guava yourself to a higher version, but you may encounter compatibility issues.
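The version-management approach sjohnr mentions, shown as an added pom.xml fragment that is not part of this issue thread: a dependencyManagement entry pins the transitive guava version without excluding opensaml-core (which the SAML service provider needs at runtime). The guava.version property value is a placeholder; substitute the patched guava release you have validated against OpenSAML, since the comment above notes that a newer guava may bring compatibility issues.

```xml
<project>
    <properties>
        <!-- Placeholder: set this to the patched guava release you have verified
             against org.opensaml:opensaml-core in your own build -->
        <guava.version>REPLACE-WITH-FIXED-VERSION</guava.version>
    </properties>

    <dependencyManagement>
        <dependencies>
            <!-- dependencyManagement overrides the version Maven selects for a
                 transitive dependency, so this entry applies to the guava that
                 org.opensaml:opensaml-core pulls in -->
            <dependency>
                <groupId>com.google.guava</groupId>
                <artifactId>guava</artifactId>
                <version>${guava.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <!-- Keep the SAML dependency intact rather than excluding opensaml-core,
             which would remove the library the service provider depends on -->
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-saml2-service-provider</artifactId>
        </dependency>
    </dependencies>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=com.google.guava:guava`; the tree should show the managed version rather than 31.1-jre.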