With version 3.1.5 of spring-cloud-openfeign that ships with Spring Cloud 2021.0.5, the spring-cloud-openfeign-dependencies POM pins the version of spring-security-oauth2-client to 5.7.3.
This causes the following issues:
- When importing the spring-cloud-dependencies POM in a Spring Boot 2.6.x Maven project, it will resolve the version of spring-security-oauth2-client as 5.7.3, which is
  - probably incompatible with Spring Security 5.6.x that is used by spring-boot-starter-security from Spring Boot 2.6.x
  - still affected by CVE-2022-31690, which was fixed by Spring Security 5.6.9 and 5.7.5.
- When importing the spring-cloud-dependencies POM in a Spring Boot 2.7.x Maven project, the same happens - even if overwriting the Maven property `spring-security.version` with 5.7.5 in the application Maven POM itself - and thus will also introduce CVE-2022-31690.
As a workaround, the second problem can be fixed by not only overwriting the Maven property `spring-security.version`, but also declaring a dependency management entry for spring-security-oauth2-client using this version in the application Maven POM itself.
We don't know what to do in the first situation:
* Should we overwrite the Maven property `spring-security.version` with 5.6.9 in the application Maven POM itself and also declare a dependency management entry for spring-security-oauth2-client using this version? Would this be compatible with spring-cloud-openfeign 3.1.5, which says it wants to use spring-security-oauth2-client 5.7.3?
* Should we overwrite the Maven property `spring-security.version` with 5.6.9 in the application Maven POM itself and declare a dependency management entry for spring-security-oauth2-client using 5.7.5? Would this be OK or cause problems in the 5.6.9 Spring Security stack?
Comment From: OlgaMaciaszek
Thanks for reporting the issue, @stefanscheidt. That's right. In fact, we should not be managing the version of this dependency at all. I'm going to remove this from the SC OpenFeign dependencies pom, so that it's pulled directly from Boot.