Dependencycheck: False Positive on spring-security-saml2-core - CVE-2018-1258

Created on 25 Mar 2020 · 12 Comments · Source: jeremylong/DependencyCheck

I'm using version 1.0.0RC2

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>4.3.20.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security.extensions</groupId>
    <artifactId>spring-security-saml2-core</artifactId>
    <version>1.0.0.RC2</version>
</dependency>
According to https://pivotal.io/security/cve-2018-1258:
"Users leveraging Spring Framework 4.x (Spring Security 4.x or Spring Boot 1.x) are not impacted so no steps are necessary."

FP Report

All 12 comments

Although my observation doesn't directly relate to spring-security-saml2-core, it relates to the CVE-2018-1258 false positive.

Latest "Spring Boot (2.3.0)", which under the hood utilizes "Spring Security 5.3.2", shows a false positive (the issue states it is only related to 5.0.5):

spring-security-oauth2-resource-server-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal:spring_security_oauth:5.3.2:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-oauth2-jose-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal:spring_security_oauth:5.3.2:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-web-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-oauth2-core-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal:spring_security_oauth:5.3.2:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-config-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-core-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258
spring-security-crypto-5.3.2.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.3.2:*:*:*:*:*:*:*) : CVE-2018-1258

This false positive is due to this general problem:
https://github.com/jeremylong/DependencyCheck/issues/1827 False Positive due to missing "AND/OR" capabilities defined in the NVD data feed

I am using spring-security-core-5.3.3.RELEASE.jar and spring-security-ldap-5.3.3.RELEASE.jar and getting high severity for CVE-2018-1258.

Not seeing this using 6.0.2.

Which version of spring-security-core are you running? I am still experiencing false positive. Running: depcheck 6.0.2 and spring-security-core 5.4.1

As multiple users still experience false positive I think this issue should be reopened @jeremylong

Same here. using 6.0.2 and still seeing CVE-2018-1258 for spring-security-ldap-5.3.3.RELEASE.jar and spring-security-core-5.3.3.RELEASE.jar. This seems related to #1827.

We too got the vulnerability reported in dependency-check 6.0.2 and spring-security 5.4.1.

I am using the current versions of spring security which at the moment are:
[email protected]
[email protected]
[email protected]

And I get the same vulnerability:
CVE-2018-1258
At the moment the solution is just to create a rule?
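One way to write such a rule, as an added example that is not from the thread or the DependencyCheck project: it assumes the DependencyCheck suppression XML format, that the team has confirmed the finding is a false positive for its build (no Spring Framework 5.0.5 present), and the `until` date is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml: reference this file from the
     dependency-check CLI or Maven plugin suppression-file setting. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <!-- Suppress CVE-2018-1258 for every org.springframework.security artifact.
         The CVE is tied to Spring Framework 5.0.5, not to the Spring Security
         version, so a match on the spring_security CPE alone is a false positive.
         'until' is a placeholder date chosen here to force a periodic re-review. -->
    <suppress until="2021-12-31Z">
        <notes><![CDATA[
            CVE-2018-1258 false positive: matched on the spring_security CPE only;
            this build does not use Spring Framework 5.0.5 (see DependencyCheck issue #1827).
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-.*@.*$</packageUrl>
        <cve>CVE-2018-1258</cve>
    </suppress>
</suppressions>
```

Scoping the rule to the single CVE and to the `org.springframework.security` group keeps other findings on those jars visible; an expiry date ensures the suppression is revisited rather than silently carried forward.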

Using Spring Boot 2.3.5.RELEASE which brings in Spring Security 5.3.5.RELEASE, also failing the build on CVE-2018-1258

spring-security-core-5.3.5.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.3.5:release:*:*:*:*:*:*) : CVE-2018-1258
spring-security-oauth2-client-5.3.5.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal:spring_security_oauth:5.3.5:release:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:5.3.5:release:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:5.3.5:release:*:*:*:*:*:*) : CVE-2018-1258
spring-security-oauth2-core-5.3.5.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal:spring_security_oauth:5.3.5:release:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security:5.3.5:release:*:*:*:*:*:*, cpe:2.3:a:pivotal_software:spring_security_oauth:5.3.5:release:*:*:*:*:*:*) : CVE-2018-1258
spring-security-web-5.3.5.RELEASE.jar (pkg:maven/org.springframework.security/[email protected], cpe:2.3:a:pivotal_software:spring_security:5.3.5:release:*:*:*:*:*:*) : CVE-2018-1258

Having the following dependency:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot</artifactId>
    <version>2.3.5.RELEASE</version>
</dependency>

Running dependency-check maven 6.0.3 gives the following output (from the HTML report):

Scan Information (show all):
dependency-check version: 6.0.3
Report Generated On: Wed, 11 Nov 2020 08:13:37 -0500
Dependencies Scanned: 8 (3 unique)
Vulnerable Dependencies: 0
Vulnerabilities Found: 0
Vulnerabilities Suppressed: 0

Hmm, I think the security dependencies are optional; I noticed I've also got an explicit dependency on org.springframework.security:spring-security-oauth2-client in my build.gradle (version managed by Spring etc., this is all "old-ish" code, just trying to clean out my suppression file).

Also - see #2952
