
Can Nacos fix the Spring Security vulnerability (CVE-2024-22257) in some release? #11904

Closed
DeBruyne2020 opened this issue Apr 1, 2024 · 3 comments · Fixed by #11914
Labels: contribution welcome, dependencies (Pull requests that update a dependency file)

Comments

@DeBruyne2020

A question for the maintainers 🙏:
Could Nacos fix the Spring Security vulnerability (CVE-2024-22257) in some release? The fix requires upgrading Spring Security to 5.7.12, 5.8.11, 6.0.10, 6.1.8, 6.2.3 or later.

KomachiSion added the dependencies label Apr 1, 2024
@KomachiSion
Collaborator

The current latest version is 5.7.11, and Spring Boot should already be on its latest version. If Spring Boot 2.x will no longer be updated, the Spring Security version needs to be modified manually.

@DeBruyne2020
Author

DeBruyne2020 commented Apr 1, 2024

> The current latest version is 5.7.11, and Spring Boot should already be on its latest version. If Spring Boot 2.x will no longer be updated, the Spring Security version needs to be modified manually.

@KomachiSion, one more question then: if I directly change the Spring Security dependency in Nacos 2.3.0 (or 2.3.1) to 5.7.12 (the version with the fix), Nacos will still run normally without being affected, right?

cxhello added a commit to cxhello/nacos that referenced this issue Apr 2, 2024
- CVE-2024-22257 Upgrade Spring Security to 5.7.12.
- Use spring-framework-bom as dependencyManagement.

Closes alibaba#11904
@cxhello cxhello mentioned this issue Apr 2, 2024
@KomachiSion
Collaborator

> > The current latest version is 5.7.11, and Spring Boot should already be on its latest version. If Spring Boot 2.x will no longer be updated, the Spring Security version needs to be modified manually.
>
> @KomachiSion, one more question then: if I directly change the Spring Security dependency in Nacos 2.3.0 (or 2.3.1) to 5.7.12 (the version with the fix), Nacos will still run normally without being affected, right?

In theory it is not affected: with the Prometheus SD protocol disabled, Nacos does not strongly depend on Security. But it depends on what exactly Spring Security changed.
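What the manual override the maintainer describes looks like in Maven, as an added example that is not Nacos's own pom.xml nor the linked PR's change: when Spring Boot is imported as a BOM, the Spring Security BOM is imported first so that its 5.7.12 wins over the Boot-managed 5.7.11; when spring-boot-starter-parent is the parent instead, the `spring-security.version` property does the same job. The project coordinates and the Spring Framework and Spring Boot versions are placeholders.

```xml
<!-- Added example, not Nacos's pom.xml. Pins Spring Security to the
     fixed 5.7.12 line. Values marked PLACEHOLDER must be filled in. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- hypothetical coordinates -->
  <artifactId>security-pin-example</artifactId>
  <version>0.0.1</version>

  <properties>
    <!-- Only effective when spring-boot-starter-parent is the parent POM:
         spring-boot-dependencies reads this property, so every
         spring-security-* artifact is then managed at 5.7.12. -->
    <spring-security.version>5.7.12</spring-security.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- BOM-import setup: the property above is NOT honoured here, so
           the Spring Security BOM is listed first. Maven keeps the first
           BOM that manages a coordinate, so 5.7.12 beats the 5.7.11 that
           spring-boot-dependencies would otherwise pin. -->
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-bom</artifactId>
        <version>5.7.12</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>SPRING_FRAMEWORK_VERSION_PLACEHOLDER</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>SPRING_BOOT_2X_VERSION_PLACEHOLDER</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Verify the resolved version after the change:
         mvn dependency:tree -Dincludes=org.springframework.security
       Every spring-security-* line must show 5.7.12; a remaining 5.7.11
       means another BOM or an explicit transitive version still wins. -->
</project>
```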

KomachiSion pushed a commit that referenced this issue Apr 8, 2024
- CVE-2024-22257 Upgrade Spring Security to 5.7.12.
- Use spring-framework-bom as dependencyManagement.

Closes #11904
cxhello added a commit to cxhello/nacos that referenced this issue Apr 19, 2024
…. - Use spring-framework-bom as dependencyManagement. Closes alibaba#11904