Upgrade Spring Security

Description

noted that there are open CVEs for Spring Security, which AFAIK have not been addressed at all, even by moving to the latest micro version of what we’re currently using (3.2.x).

We need to look into upgrading as far as we can. It appears that we should be able to at least move to Spring Security 4.2.x without much trouble. It has only a few direct vulnerabilities that can hopefully be mitigated with backports.

Maven Repository: org.springframework.security » spring-security-core » 4.2.20.RELEASE (mvnrepository.com)

Acceptance / Success Criteria

None

Linked issue cannot finish until this issue finishes.

Activity

chiuen (Qun) June 22, 2023 at 8:46 PM

Infosec evaluated at the following risk:

CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:U/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS Score: 7.0 x medium likelihood .8 = 5.6 medium

Dino Yancey March 27, 2023 at 5:02 PM

2022.1.13

Fixed

Details

Created March 14, 2023 at 2:17 PM
Updated March 6, 2024 at 9:15 PM
Resolved May 12, 2023 at 2:06 PM