
feat(初始化): 修复jar漏洞

matianxiang 5 months ago
parent
commit
20cb651b73
4 changed files with 60 additions and 6 deletions
  1. 0 3
      eitc-admin/pom.xml
  2. 0 1
      eitc-common/pom.xml
  3. 0 2
      eitc-framework/pom.xml
  4. 60 0
      pom.xml

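--- a/eitc-admin/pom.xml
+++ b/eitc-admin/pom.xml
@@ -47,21 +47,18 @@
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-framework</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
         <!-- 定时任务-->
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-quartz</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
         <!-- 代码生成-->
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-generator</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
     </dependencies>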

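--- a/eitc-common/pom.xml
+++ b/eitc-common/pom.xml
@@ -130,7 +130,6 @@
         <dependency>
             <groupId>com.baomidou</groupId>
             <artifactId>mybatis-plus-boot-starter</artifactId>
-            <version>3.5.1</version>
         </dependency>
 
         <!-- Minio 文件存储 -->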

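--- a/eitc-framework/pom.xml
+++ b/eitc-framework/pom.xml
@@ -57,12 +57,10 @@
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-common</artifactId>
-            <version>3.8.7</version>
         </dependency>
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-system</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
     </dependencies>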

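--- a/pom.xml
+++ b/pom.xml
@@ -52,12 +52,72 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <!--
+            Spring Boot 2.5.15的内置版本
+            <spring-security.version>5.5.8</spring-security.version>
+            强制修改依赖版本为:5.7.12
+            存在漏洞的JAR包:spring-security-core-5.5.8.jar
+            漏洞说明:Spring Security存在安全漏洞,在处理Authentication参数时没有对null值进行检查。当应用程序直接使用AuthenticatedVoter#vote方法,传入null作为认证参数时会错误地返回true值。攻击者可利用该漏洞绕过身份验证,进行提权或窃取系统敏感信息。
+            安全版本: Spring Security  5.7.12、5.8.11、6.0.10、6.1.8、6.2.3 及以上版本,下载地址:https://github.com/spring-projects/spring-security/releases
+            <spring-security.version>5.7.12</spring-security.version>
+
+            注意:因为使用Maven管理依赖,MAVEN具有依赖传递的特性,实质上只需要引入spring-security-config依赖包含了spring-security-core依赖和spring-security-web依赖
+            -->
+            <!-- spring-security 漏洞升级 -->
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-config</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-core</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-crypto</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-web</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.quartz-scheduler</groupId>
+                <artifactId>quartz</artifactId>
+                <version>2.4.0-rc2</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>com.mchange</groupId>
+                        <artifactId>c3p0</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
 
             <!-- 阿里数据库连接池 -->
             <dependency>
                 <groupId>com.alibaba</groupId>
                 <artifactId>druid-spring-boot-starter</artifactId>
                 <version>${druid.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.yaml</groupId>
+                        <artifactId>snakeyaml</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <!-- yml解析器 漏洞修复,安全版本2.0及以上:https://mvnrepository.com/artifact/org.yaml/snakeyaml-->
+            <!-- 漏洞升级 -->
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>2.0</version>
             </dependency>
 
             <!-- 解析客户端操作系统、浏览器等 -->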
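Review bot: `<version>2.4.0-rc2</version>` for org.quartz-scheduler:quartz pins a release candidate into dependencyManagement with no comment saying why it was changed or which advisory it addresses, unlike the Spring Security and SnakeYAML entries around it; either pin a GA release or add a comment such as `<!-- quartz: raised from the Boot-managed version for [advisory placeholder]; 2.4.0-rc2 is a pre-release, revisit when 2.4.0 GA is available -->`. SnakeYAML 2.0 is a major version that dropped several 1.x constructors, so the jump from the version Spring Boot 2.5.15 manages should be confirmed against YAML property loading at application startup, not only against a clean build. The `<exclusions>` added to druid-spring-boot-starter are likely redundant: a version declared in dependencyManagement already governs the transitive snakeyaml, so the exclusion removes nothing the managed 2.0 entry does not already override, and other starters still pull snakeyaml in. The long comment above the Spring Security entries states that declaring spring-security-config alone is sufficient, yet four artifacts are pinned; either approach works, but the comment should describe what the block actually does.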