|
@@ -52,12 +52,72 @@
|
52
|
52
|
<type>pom</type>
|
53
|
53
|
<scope>import</scope>
|
54
|
54
|
</dependency>
|
|
55
|
+ <!--
|
|
56
|
+ Spring Boot 2.5.15的内置版本
|
|
57
|
+ <spring-security.version>5.5.8</spring-security.version>
|
|
58
|
+ 强制修改依赖版本为:5.7.12
|
|
59
|
+ 存在漏洞的JAR包:spring-security-core-5.5.8.jar
|
|
60
|
+ 漏洞说明:Spring Security存在安全漏洞,在处理Authentication参数时没有对null值进行检查。当应用程序直接使用AuthenticatedVoter#vote方法,传入null作为认证参数时会错误地返回true值。攻击者可利用该漏洞绕过身份验证,进行提权或窃取系统敏感信息。
|
|
61
|
+ 安全版本: Spring Security 5.7.12、5.8.11、6.0.10、6.1.8、6.2.3 及以上版本,下载地址:https://github.com/spring-projects/spring-security/releases
|
|
62
|
+ <spring-security.version>5.7.12</spring-security.version>
|
|
63
|
+
|
|
64
|
+ 注意:因为使用Maven管理依赖,MAVEN具有依赖传递的特性,实质上只需要引入spring-security-config依赖包含了spring-security-core依赖和spring-security-web依赖
|
|
65
|
+ -->
|
|
66
|
+ <!-- spring-security 漏洞升级 -->
|
|
67
|
+ <dependency>
|
|
68
|
+ <groupId>org.springframework.security</groupId>
|
|
69
|
+ <artifactId>spring-security-config</artifactId>
|
|
70
|
+ <version>5.7.12</version>
|
|
71
|
+ <scope>compile</scope>
|
|
72
|
+ </dependency>
|
|
73
|
+ <dependency>
|
|
74
|
+ <groupId>org.springframework.security</groupId>
|
|
75
|
+ <artifactId>spring-security-core</artifactId>
|
|
76
|
+ <version>5.7.12</version>
|
|
77
|
+ <scope>compile</scope>
|
|
78
|
+ </dependency>
|
|
79
|
+ <dependency>
|
|
80
|
+ <groupId>org.springframework.security</groupId>
|
|
81
|
+ <artifactId>spring-security-crypto</artifactId>
|
|
82
|
+ <version>5.7.12</version>
|
|
83
|
+ <scope>compile</scope>
|
|
84
|
+ </dependency>
|
|
85
|
+ <dependency>
|
|
86
|
+ <groupId>org.springframework.security</groupId>
|
|
87
|
+ <artifactId>spring-security-web</artifactId>
|
|
88
|
+ <version>5.7.12</version>
|
|
89
|
+ <scope>compile</scope>
|
|
90
|
+ </dependency>
|
|
91
|
+ <dependency>
|
|
92
|
+ <groupId>org.quartz-scheduler</groupId>
|
|
93
|
+ <artifactId>quartz</artifactId>
|
|
94
|
+ <version>2.4.0-rc2</version>
|
|
95
|
+ <exclusions>
|
|
96
|
+ <exclusion>
|
|
97
|
+ <groupId>com.mchange</groupId>
|
|
98
|
+ <artifactId>c3p0</artifactId>
|
|
99
|
+ </exclusion>
|
|
100
|
+ </exclusions>
|
|
101
|
+ </dependency>
|
55
|
102
|
|
56
|
103
|
<!-- 阿里数据库连接池 -->
|
57
|
104
|
<dependency>
|
58
|
105
|
<groupId>com.alibaba</groupId>
|
59
|
106
|
<artifactId>druid-spring-boot-starter</artifactId>
|
60
|
107
|
<version>${druid.version}</version>
|
|
108
|
+ <exclusions>
|
|
109
|
+ <exclusion>
|
|
110
|
+ <groupId>org.yaml</groupId>
|
|
111
|
+ <artifactId>snakeyaml</artifactId>
|
|
112
|
+ </exclusion>
|
|
113
|
+ </exclusions>
|
|
114
|
+ </dependency>
|
|
115
|
+ <!-- yml解析器 漏洞修复,安全版本2.0及以上:https://mvnrepository.com/artifact/org.yaml/snakeyaml-->
|
|
116
|
+ <!-- 漏洞升级 -->
|
|
117
|
+ <dependency>
|
|
118
|
+ <groupId>org.yaml</groupId>
|
|
119
|
+ <artifactId>snakeyaml</artifactId>
|
|
120
|
+ <version>2.0</version>
|
61
|
121
|
</dependency>
|
62
|
122
|
|
63
|
123
|
<!-- 解析客户端操作系统、浏览器等 -->
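Review bot: Only spring-security-config, -core, -crypto and -web are pinned to 5.7.12 (new lines 67–90), so any other org.springframework.security module the project pulls in, directly or transitively (oauth2, ldap, test, and so on), still resolves to the Spring Boot 2.5.15 managed version the comment itself names as vulnerable (5.5.8), leaving a mixed-version Spring Security on the classpath. After this change, run `mvn dependency:tree -Dincludes=org.springframework.security` and confirm no 5.5.8 jar remains; also state in the comment block that the `<spring-security.version>5.7.12</spring-security.version>` property override quoted at lines 57–62 only takes effect when Spring Boot is the parent, not when its BOM is consumed via `<scope>import</scope>` (line 53), which appears to be why the artifacts are listed explicitly. The snakeyaml bump to 2.0 (line 120) deserves the same scrutiny: SnakeYAML 2.0 removed several 1.x constructors and Spring Boot 2.5.x YAML loading was written against the 1.x API, so verify the application starts and binds its `.yml` configuration before treating this as a completed fix. Finally, `quartz` 2.4.0-rc2 (line 94) is a pre-release build; pin a GA release, or record in a comment why an RC was chosen, as was done for the other two bumps.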
|