CVE-2022-31692 detected on spring-security-core but should be spring-security-web only #5122
Replies: 2 comments 5 replies
-
|
Hi @mischa-n I created the following pom.xml: <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>test</groupId>
<artifactId>test</artifactId>
<name>test</name>
<dependencies>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>5.7.0</version>
</dependency>
</dependencies>
</project>And Trivy correctly detected vulnerabilities: trivy fs . -f json | jq '.Results[].Vulnerabilities[] | { VulnerabilityID, PkgID }'
2023-09-05T15:24:56.480+0700 INFO Vulnerability scanning is enabled
2023-09-05T15:24:56.480+0700 INFO Secret scanning is enabled
2023-09-05T15:24:56.480+0700 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-09-05T15:24:56.480+0700 INFO Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-09-05T15:24:57.698+0700 INFO Number of language-specific files: 1
2023-09-05T15:24:57.698+0700 INFO Detecting pom vulnerabilities...
{
"VulnerabilityID": "CVE-2023-34034",
"PkgID": "org.springframework.security:spring-security-core:5.7.0"
}
{
"VulnerabilityID": "CVE-2022-31690",
"PkgID": "org.springframework.security:spring-security-core:5.7.0"
}
{
"VulnerabilityID": "CVE-2023-20862",
"PkgID": "org.springframework.security:spring-security-core:5.7.0"
}
{
"VulnerabilityID": "CVE-2022-31692",
"PkgID": "org.springframework.security:spring-security-web:5.7.0"
}
{
"VulnerabilityID": "CVE-2023-20861",
"PkgID": "org.springframework:spring-core:5.3.20"
}
{
"VulnerabilityID": "CVE-2023-20863",
"PkgID": "org.springframework:spring-core:5.3.20"
}
{
"VulnerabilityID": "CVE-2016-1000027",
"PkgID": "org.springframework:spring-web:5.3.20"
}I also built a docker image with an artifact based on the following pom.xml with spring security version 5.7.10: <?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.15</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.example</groupId>
<artifactId>demo</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>demo</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>17</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
But Trivy does not find vulnerability: cat report.json | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID == "CVE-2022-31692") | {PkgName,InstalledVersion}' |
Beta Was this translation helpful? Give feedback.
-
|
Hello Nikita, thank you very much for your starting point. I will try to make adjustments from here until the error occurs. |
Beta Was this translation helpful? Give feedback.
-
|
Hello Nikita, I was able to reproduce the problem. It looks like when building the image, the versions of locally declared dependencies are not correctly determined when they are defined via a BOM import. The versions of these dependencies are then documented as version 0.0.0. Example: We typically don't use spring-boot-parent, but define a separate parent module where we define the versions this way. |
Beta Was this translation helpful? Give feedback.
-
|
@mischa-n Can you give an example of how you create an image? |
Beta Was this translation helpful? Give feedback.
-
|
I hope I have understood the question correctly. In the POM we define and then the image is built via |
Beta Was this translation helpful? Give feedback.
-
|
@mischa-n Thanks, I reproduced the problem! |
Beta Was this translation helpful? Give feedback.
-
|
Track #5169 |
Beta Was this translation helpful? Give feedback.
-
IDs
CVE-2022-31692
Description
This is a follow-up ticket for https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/issues/245
In an image with Spring Security 5.7.9 or 5.7.10, Trivy incorrectly finds CVE-2022-31692 in spring-security-core (and correctly does not find it in spring-security-web).
The cause could be an incorrect interpretation of https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.springframework.security/spring-security-core/CVE-2022-31692.yml?ref_type=heads#L11 affected_range: "(0)": this is supposed to signal that no version is affected.
On the other hand, Trivy does not seem to find the CVE when using Spring Security 6.x.x, so the situation or cause is not entirely clear.
Reproduction Steps
Target
Container Image
Scanner
Vulnerability
Target OS
ubuntu: os version: 18.04
Debug Output
2023-09-05 07:50:37 { 2023-09-05 07:50:37 "VulnerabilityID": "CVE-2022-31692", 2023-09-05 07:50:37 "PkgName": "org.springframework.security:spring-security-core", 2023-09-05 07:50:37 "FixedVersion": "5.6.9, 5.7.5", 2023-09-05 07:50:37 "Status": "fixed", 2023-09-05 07:50:37 "Layer": { 2023-09-05 07:50:37 "DiffID": "sha256:###" 2023-09-05 07:50:37 }, 2023-09-05 07:50:37 "SeveritySource": "nvd", 2023-09-05 07:50:37 "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-31692", 2023-09-05 07:50:37 "PkgRef": "pkg:maven/org.springframework.security/spring-security-core?package-id=d9715c3dae047259", 2023-09-05 07:50:37 "DataSource": { 2023-09-05 07:50:37 "ID": "glad", 2023-09-05 07:50:37 "Name": "GitLab Advisory Database Community", 2023-09-05 07:50:37 "URL": "https://gitlab.com/gitlab-org/advisories-community" 2023-09-05 07:50:37 }, 2023-09-05 07:50:37 "Title": "Authorization rules can be bypassed via forward or include dispatcher types in Spring Security", 2023-09-05 07:50:37 "Description": "Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true: The application expects that Spring Security applies security to forward and include dispatcher types. The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method. The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include). The application may forward or include the request to a higher privilege-secured endpoint.The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)", 2023-09-05 07:50:37 "Severity": "CRITICAL", 2023-09-05 07:50:37 "CVSS": { 2023-09-05 07:50:37 "ghsa": { 2023-09-05 07:50:37 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2023-09-05 07:50:37 "V3Score": 9.8 2023-09-05 07:50:37 }, 2023-09-05 07:50:37 "nvd": { 2023-09-05 07:50:37 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 2023-09-05 07:50:37 "V3Score": 9.8 2023-09-05 07:50:37 }, 2023-09-05 07:50:37 "redhat": { 2023-09-05 07:50:37 "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", 2023-09-05 07:50:37 "V3Score": 7.4 2023-09-05 07:50:37 } 2023-09-05 07:50:37 }, 2023-09-05 07:50:37 "References": [ 2023-09-05 07:50:37 "https://access.redhat.com/security/cve/CVE-2022-31692", 2023-09-05 07:50:37 "https://github.com/advisories/GHSA-mmmh-wcxm-2wr4", 2023-09-05 07:50:37 "https://github.com/spring-projects/spring-security", 2023-09-05 07:50:37 "https://nvd.nist.gov/vuln/detail/CVE-2022-31692", 2023-09-05 07:50:37 "https://security.netapp.com/advisory/ntap-20221215-0010/", 2023-09-05 07:50:37 "https://spring.io/security/cve-2022-31692", 2023-09-05 07:50:37 "https://tanzu.vmware.com/security/cve-2022-31692", 2023-09-05 07:50:37 "https://www.cve.org/CVERecord?id=CVE-2022-31692" 2023-09-05 07:50:37 ], 2023-09-05 07:50:37 "PublishedDate": "2022-10-31T20:15:00Z", 2023-09-05 07:50:37 "LastModifiedDate": "2023-08-08T14:22:00Z" 2023-09-05 07:50:37 }Version
Checklist
-f jsonthat shows data sources and confirmed that the security advisory in data sources was correctBeta Was this translation helpful? Give feedback.
All reactions