incubator-seata
[High-risk vulnerability] Spring Security authentication bypass vulnerability (CVE-2022-22978)
- [ ] I have searched the issues of this repository and believe that this is not a duplicate.
Ⅰ. Issue Description
A high-risk vulnerability flagged by the Alibaba Cloud security vulnerability scan. It still shows up in the latest version as well as in v1.5.2. Please upgrade Spring Security to the specified version as soon as possible!
Ⅲ. Describe what you expected to happen
Ⅳ. How to reproduce it (as minimally and precisely as possible)
This vulnerability has already been fixed; affected users are advised to upgrade to one of the following fixed versions: Spring Security 5.5.x >= 5.5.7, Spring Security 5.6.x >= 5.6.4, Spring Security >= 5.7. Download link: https://github.com/spring-projects/spring-security/tags
Ⅴ. Anything else we need to know?
Ⅵ. Environment:
- JDK version :
- Seata version:
- OS :
- Others:
```
[INFO] -----------------------< io.seata:seata-server >------------------------
[INFO] Building seata-server 1.6.0-SNAPSHOT 1.6.0-SNAPSHOT                 [80/84]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ seata-server ---
[INFO] Verbose not supported since maven-dependency-plugin 3.0
[INFO] io.seata:seata-server:jar:1.6.0-SNAPSHOT
[INFO] \- io.seata:seata-console:jar:1.6.0-SNAPSHOT:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-security:jar:2.4.13:compile
[INFO]       +- org.springframework.security:spring-security-config:jar:5.4.9:compile
[INFO]       |  \- org.springframework.security:spring-security-core:jar:5.4.9:compile
[INFO]       \- org.springframework.security:spring-security-web:jar:5.4.9:compile
[INFO]
[INFO] ------------------------< io.seata:seata-test >-------------------------
[INFO] Building seata-test 1.6.0-SNAPSHOT 1.6.0-SNAPSHOT                   [81/84]
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ seata-test ---
[INFO] Verbose not supported since maven-dependency-plugin 3.0
[INFO] io.seata:seata-test:jar:1.6.0-SNAPSHOT
[INFO] \- io.seata:seata-server:jar:1.6.0-SNAPSHOT:compile
[INFO]    \- io.seata:seata-console:jar:1.6.0-SNAPSHOT:compile
[INFO]       \- org.springframework.boot:spring-boot-starter-security:jar:2.4.13:compile
[INFO]          +- org.springframework.security:spring-security-config:jar:5.4.9:compile
[INFO]          |  \- org.springframework.security:spring-security-core:jar:5.4.9:compile
[INFO]          \- org.springframework.security:spring-security-web:jar:5.4.9:compile
[INFO]
```
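The dependency tree above is what the reporter's scanner is reacting to. A quick way to check any `mvn dependency:tree` dump against the fixed versions quoted earlier in this issue (5.5.x >= 5.5.7, 5.6.x >= 5.6.4, >= 5.7) is the script below. It is an added example, not code from the Seata project; the thresholds are taken from the advisory text on this page, and the sample tree is constructed to mirror the seata-server output posted above.

```python
"""Flag Spring Security artifacts in a Maven dependency tree that are older
than the fixed releases for CVE-2022-22978 quoted in this issue.

Added example, not part of the Seata code base. Thresholds come from the
advisory text on this page; SAMPLE_TREE is constructed for the demo.
"""
import re

# First fixed patch release per supported minor line (from the issue text).
FIXED = {(5, 5): (5, 5, 7), (5, 6): (5, 6, 4)}
# Everything from 5.7.0 onwards ships with the fix.
FIRST_SAFE_LINE = (5, 7)

# Matches one Maven coordinate as printed by dependency:tree, e.g.
# "org.springframework.security:spring-security-core:jar:5.4.9:compile"
ARTIFACT = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)

# Constructed sample mirroring the seata-server tree posted in this issue.
SAMPLE_TREE = r"""
[INFO] io.seata:seata-server:jar:1.6.0-SNAPSHOT
[INFO] \- io.seata:seata-console:jar:1.6.0-SNAPSHOT:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-security:jar:2.4.13:compile
[INFO]       +- org.springframework.security:spring-security-config:jar:5.4.9:compile
[INFO]       |  \- org.springframework.security:spring-security-core:jar:5.4.9:compile
[INFO]       \- org.springframework.security:spring-security-web:jar:5.4.9:compile
"""


def parse_version(v):
    """'5.4.9' -> (5, 4, 9); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    nums = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break
        nums.append(int(part))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_fixed(version):
    """True if this Spring Security version is at or above the fixed release.

    Minor lines older than 5.5 (e.g. 5.4.x) have no fixed patch and must be
    moved to a supported line, so they are reported as not fixed.
    """
    v = parse_version(version)
    if v[:2] >= FIRST_SAFE_LINE:
        return True
    fixed = FIXED.get(v[:2])
    return fixed is not None and v >= fixed


def find_vulnerable(tree_text):
    """Return unique (artifact, version) pairs for Spring Security jars below the fix."""
    seen = set()
    hits = []
    for line in tree_text.splitlines():
        m = ARTIFACT.search(line)
        if not m or m.group("group") != "org.springframework.security":
            continue
        key = (m.group("artifact"), m.group("version"))
        if key in seen:
            continue
        seen.add(key)
        if not is_fixed(m.group("version")):
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Pipe real output in with: mvn dependency:tree | python check_spring_security.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for artifact, version in find_vulnerable(text):
        print(f"VULNERABLE {artifact} {version}")
```

Because the Spring Security jars come in transitively through `spring-boot-starter-security` (managed by the Spring Boot 2.4.13 parent, which pins the 5.4.x line), the version has to be overridden in the project's own build, for example by setting the `spring-security.version` property that Spring Boot's dependency management exposes, and then re-running `mvn dependency:tree` through this check until nothing is reported.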
@Barbifer My personal understanding is that spring-security-web:5.4.9 is not affected, is that right?
Hello! As shown in the image below, the version range in the red box should include 5.4.9, so it should be affected; otherwise your company's Alibaba Cloud service would not have flagged it as a high-risk vulnerability. At the same time, because of this vulnerability our platform cannot pass the MLPS (等保) compliance review. Should I contact Alibaba Cloud staff, or is there another way to resolve this? Please let me know, and sorry for the trouble!
@Barbifer Please upgrade spring-security if necessary; the next version of Seata will fix it.
https://www.wangan.com/p/7fy7f643148e35f6
OK, thanks!
Please assign it to me.
@liuqiufeng I don't have permission to assign
@liuqiufeng assign to you.
What version should I upgrade to? 5.5.x or 5.6.x or 5.7?
Upgrade Spring Security separately to the lowest version that does not have the vulnerability, while making sure it stays compatible with the existing Spring Boot version.
According to the report, it looks like all 5.4.x versions have this problem.
https://github.com/seata/seata/pull/6013