Unfortunately, in our experience automated security scans are of limited value as they generate an overwhelming number of false positives. Most importantly in this case, spring-boot-dependencies does not have any dependencies. It only provides dependency management, controlling the versions of dependencies that you have added to your application. As such, unless you have added a dependency that's referenced in one of the CVEs, your application cannot be at risk.
Beyond this, the security scanning is a really blunt instrument and without further analysis of its findings in the context of your application, the output is of little use. Let's look at a few of the CVEs reported with this in mind:
Having looked at the first 4 CVEs, we have a 100% false-positive rate and there's nothing we can do in Spring Boot to address them. Automated scanning tools generate so many false positives that we simply don't have time to document them and explain why they are false positives or how and when a particular application may be vulnerable. The latter requires knowledge of the application which we simply don't have.
Please rest assured that we do take security seriously. We regularly update our dependencies on other Spring projects and third-party libraries to keep up-to-date. Vulnerabilities in Spring projects are listed on the Spring Security Advisories page which I would encourage you to keep an eye on. On the rare occasion where there has been a vulnerability found in a Spring project, we coordinate with that project to update Spring Boot as soon as a release that addresses the vulnerability is available. Typically the release announcement (on https://spring.io/blog) will mention when a release addresses a vulnerability.
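The maintainer's point above is that a BOM such as spring-boot-dependencies only pins versions in `dependencyManagement`; nothing goes on the classpath unless the application declares it under `dependencies`. The following is an added example, not code from Spring Boot or from anyone in this thread, that triages scanner findings against a POM with that distinction in mind. The POM, the artifact names `org.example.*` and the mapping of the reported CVE ids to those artifacts are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Maven POM XML namespace, needed for every XPath lookup below.
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed application POM: it imports the spring-boot-dependencies BOM
# (which only contributes dependencyManagement) and declares two real
# dependencies. The org.example.* artifacts are placeholders.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.7.9</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.example.managed</groupId>
        <artifactId>only-managed-lib</artifactId>
        <version>1.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example.used</groupId>
      <artifactId>used-lib</artifactId>
    </dependency>
  </dependencies>
</project>
"""

# Constructed scanner report: CVE ids taken from the issue, mapped to
# hypothetical artifacts. The mapping is an assumption made for this example
# and says nothing about which real library each CVE concerns.
SAMPLE_FINDINGS = {
    "CVE-2022-1471": "org.example.used:used-lib",
    "CVE-2022-41854": "org.example.managed:only-managed-lib",
    "CVE-2023-25194": "org.example.absent:never-referenced",
}


def _coords(dep):
    """groupId:artifactId of one <dependency> element."""
    group = dep.findtext("m:groupId", namespaces=NS)
    artifact = dep.findtext("m:artifactId", namespaces=NS)
    return f"{group}:{artifact}"


def split_pom(pom_xml):
    """Return (declared, managed): artifacts the POM actually adds to the
    classpath vs. artifacts whose version is merely pinned."""
    root = ET.fromstring(pom_xml)
    declared = {_coords(d) for d in root.findall("m:dependencies/m:dependency", NS)}
    managed = {
        _coords(d)
        for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)
    }
    return declared, managed


def triage(pom_xml, findings):
    """Label each CVE finding by whether its artifact can be on the classpath.

    'declared'   - artifact is a direct dependency: worth investigating
    'managed'    - only a version pin; the artifact was never added
    'unreferenced' - the POM does not mention the artifact at all
    """
    declared, managed = split_pom(pom_xml)
    verdicts = {}
    for cve, artifact in findings.items():
        if artifact in declared:
            verdicts[cve] = "declared"
        elif artifact in managed:
            verdicts[cve] = "managed"
        else:
            verdicts[cve] = "unreferenced"
    return verdicts


if __name__ == "__main__":
    for cve, verdict in triage(SAMPLE_POM, SAMPLE_FINDINGS).items():
        print(f"{cve}: {verdict}")
```

One caveat the script cannot see: a direct dependency such as `spring-boot-starter-web` pulls in transitive dependencies, so a finding against an artifact that is absent from the POM text may still apply. For the final word on what is actually on the classpath, resolve it with `mvn dependency:tree` rather than reading the POM alone.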
As per the Maven repository:
Vulnerabilities from dependencies:
CVE-2023-25194
CVE-2022-45868
CVE-2022-4492
CVE-2022-41854
CVE-2022-41853
CVE-2022-38752
CVE-2022-38751
CVE-2022-38750
CVE-2022-38749
CVE-2022-35278
CVE-2022-25857
CVE-2022-1471
Link: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies/2.7.9