backport fixes from Spring Security 5.x to custom Spring Security 4.2.20.RELEASE

Description

Once we’ve finished getting foundation-2020 and later branches onto Spring Security 4.2, we should look at any CVE-related fixes that could be backported to Spring Security 4.2, as we’ve done for Spring.

(We can’t move to a newer spring security until we update our core to Spring 5.)

Acceptance / Success Criteria

None

Cannot finish until linked issue is finished.

Activity

Benjamin Reed July 19, 2023 at 2:10 PM

merged to foundation-2020

chiuen (Qun) June 23, 2023 at 3:59 PM

Infosec evaluated this at the following risk:

CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:U/CR:H/IR:H/AR:H/MAV:A/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

CVSS Score: 7.0 x medium likelihood 0.8 = 5.6 medium

CVSS score is based on existing CVEs in Spring Security 5.x
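An added example, not code from the issue or its commenters, that reproduces the score in the comment above: it implements the CVSS v3.1 base, temporal and environmental formulas for a vector string, so the 7.0 can be checked against the quoted vector rather than taken on trust. The likelihood multiplier is assumed to be the team's own convention layered on top of CVSS, not part of the standard.

```python
"""CVSS v3.1 scoring (base, temporal, environmental) for a vector string."""
import math
# Metric weights from the CVSS v3.1 specification; PR is (scope unchanged, scope changed).
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},
}

def roundup(x):
    """Spec Roundup(): smallest one-decimal value >= x, done in integers to avoid float noise."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def _score(av, ac, pr, ui, s, c, i, a, req=None):
    """Base formula when req is None, otherwise the environmental (modified) formula."""
    ci, ii, ai = (W["CIA"][v] for v in (c, i, a))
    if req is None:
        iss = 1 - (1 - ci) * (1 - ii) * (1 - ai)
        changed_impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:  # security requirements scale each impact weight; MISS is capped at 0.915
        iss = min(1 - (1 - ci * req[0]) * (1 - ii * req[1]) * (1 - ai * req[2]), 0.915)
        changed_impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    changed = s == "C"
    impact = changed_impact if changed else 6.42 * iss
    exploit = 8.22 * W["AV"][av] * W["AC"][ac] * W["PR"][pr][int(changed)] * W["UI"][ui]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploit), 10))

def cvss31(vector):
    """Return (base, temporal, environmental); omitted temporal/environmental metrics count as X."""
    m = dict(p.split(":") for p in vector.split("/"))
    for k in ("E", "RL", "RC", "CR", "IR", "AR", "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA"):
        m.setdefault(k, "X")
    mod = lambda k: m[k] if m[k] != "X" else m[k[1:]]  # MAV:X falls back to AV, MS:X to S, ...
    base = _score(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], m["C"], m["I"], m["A"])
    tmul = W["E"][m["E"]] * W["RL"][m["RL"]] * W["RC"][m["RC"]]
    req = tuple(W["REQ"][m[k]] for k in ("CR", "IR", "AR"))
    env = _score(*(mod(k) for k in ("MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")), req)
    return base, roundup(base * tmul), roundup(env * tmul)

def weighted_risk(vector, likelihood):
    """Environmental score x likelihood: the (assumed) local convention used in the comment above."""
    return round(cvss31(vector)[2] * likelihood, 2)
```

For the quoted vector this returns base 9.8, temporal 7.8 and environmental 7.0, so the comment's 7.0 is the environmental score (MAV:A and the H security requirements pull it down from the 9.8 base), and 7.0 x 0.8 gives the 5.6.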

chiuen (Qun) June 23, 2023 at 3:53 PM

These CVEs are probably related to Spring Security 4.2.20 ~ 5.x:

Fixed

Created May 10, 2023 at 3:44 PM
Updated March 6, 2024 at 9:16 PM
Resolved July 19, 2023 at 2:10 PM