
Security Vulnerability CVE-2020-5421 in old springframework libs #10461

Closed
kebeda opened this issue Oct 1, 2020 · 2 comments

kebeda commented Oct 1, 2020

Play Version

2.8.2

API

Java

Operating System

Linux centos7 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

JDK

openjdk version "11.0.8" 2020-07-14
OpenJDK Runtime Environment 18.9 (build 11.0.8+10)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.8+10, mixed mode, sharing)

Library Dependencies

+-com.typesafe.play:filters-helpers_2.13:2.8.2
| +-com.typesafe.play:play_2.13:2.8.2
|   +-com.typesafe.play:play-streams_2.13:2.8.2
|   | +-**_com.typesafe.akka:akka-stream_2.13:2.6.5_**

+-com.typesafe.play:play-ahc-ws_2.13:2.8.2
| +-com.typesafe.play:play-ahc-ws-standalone_2.13:2.1.2
| | +-com.typesafe.play:play-ws-standalone_2.13:2.1.2
| | | +-**_com.typesafe.akka:akka-stream_2.13:2.6.1_**
| | 
| +-com.typesafe.play:play-ws_2.13:2.8.2
| | +-com.typesafe.play:play-ws-standalone-json_2.13:2.1.2
| | | +-com.typesafe.play:play-ws-standalone_2.13:2.1.2
| | |   +-**_com.typesafe.akka:akka-stream_2.13:2.6.1_**
| | | 
| | +-com.typesafe.play:play-ws-standalone-xml_2.13:2.1.2
| | | +-com.typesafe.play:play-ws-standalone_2.13:2.1.2
| | | | +-**_com.typesafe.akka:akka-stream_2.13:2.6.1_**
| | | 
| | +-com.typesafe.play:play-ws-standalone_2.13:2.1.2
| | | +-**_com.typesafe.akka:akka-stream_2.13:2.6.1_**
| | | 
| | +-com.typesafe.play:play_2.13:2.8.2
| |   +-com.typesafe.play:play-streams_2.13:2.8.2
| |   | +-**_com.typesafe.akka:akka-stream_2.13:2.6.5_**
:

Expected Behavior

I expect all versions of the dependencies to be the same across libraries, and they should not reference libraries with known CVEs, for example CVE-2020-5421 which is in any release older than:

  1. "org.springframework" % "spring-beans" % "5.2.9.RELEASE"
  2. "org.springframework" % "spring-context" % "5.2.9.RELEASE"
  3. "org.springframework" % "spring-core" % "5.2.9.RELEASE"

Actual Behavior

You are using a mix of dependency versions across libraries that don't agree (for example, com.typesafe.play:play-streams_2.13:2.8.2 is using com.typesafe.akka:akka-stream_2.13:2.6.5, but com.typesafe.play:play-ws-standalone_2.13:2.1.2 is using com.typesafe.akka:akka-stream_2.13:2.6.1).
The transitive dependencies should be consistent across libraries.

The real issue here is the version of springframework being brought in here by some of the transitive dependencies contains a security vulnerability that results in the build failing due to owasp-dependency-check failing on the CVE mentioned above.

Would it be possible to update all the transitive dependencies to springframework to version 5.2.9.RELEASE or above, and hopefully having them all agree?

Reproducible Test Case

Adding the following code:

dependencyOverrides ++= Seq(
  "org.springframework" % "spring-beans" % "5.2.9.RELEASE",
  "org.springframework" % "spring-context" % "5.2.9.RELEASE",
  "org.springframework" % "spring-core" % "5.2.9.RELEASE",
)

Will allow the build to complete and pass the owasp-dependency-check.
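The report makes two separate complaints: the same module resolved at different versions (akka-stream 2.6.1 vs 2.6.5) and an artifact below the version that fixes a CVE. The following added Python example (not part of the issue or of Play's own tooling) parses `sbt dependencyTree`-style output like the one above and checks both; the sample tree is constructed from the issue's output, with a hypothetical spring-core line at an invented version below the 5.2.9.RELEASE floor added to exercise the minimum-version check.

```python
import re
from collections import defaultdict

# Constructed sample in the `sbt dependencyTree` format quoted in the issue.
# The spring-core line and its version are invented for the demonstration.
SAMPLE_TREE = """\
+-com.typesafe.play:filters-helpers_2.13:2.8.2
| +-com.typesafe.play:play_2.13:2.8.2
|   +-com.typesafe.play:play-streams_2.13:2.8.2
|   | +-**_com.typesafe.akka:akka-stream_2.13:2.6.5_**

+-com.typesafe.play:play-ahc-ws_2.13:2.8.2
| +-com.typesafe.play:play-ahc-ws-standalone_2.13:2.1.2
| | +-com.typesafe.play:play-ws-standalone_2.13:2.1.2
| | | +-**_com.typesafe.akka:akka-stream_2.13:2.6.1_**
| | | +-org.springframework:spring-core:5.2.8.RELEASE
:
"""

# group:artifact:version; each part starts alphanumeric so tree dashes are excluded
COORD = re.compile(r"([A-Za-z0-9][A-Za-z0-9_.\-]*):([A-Za-z0-9][A-Za-z0-9_.\-]*)"
                   r":([A-Za-z0-9][A-Za-z0-9_.\-]*)")

def parse_tree(text):
    """Return (group, artifact, version) for every node. Tree glyphs and the
    reporter's **_ _** emphasis markers are stripped before matching."""
    deps = []
    for line in text.splitlines():
        cleaned = re.sub(r"^[\s|+\-]+", "", line.replace("**_", "").replace("_**", ""))
        m = COORD.match(cleaned)
        if m:
            deps.append(m.groups())
    return deps

def version_key(version):
    """Sortable key: numeric segments compare as ints; a textual qualifier such as
    RELEASE sorts below any number. Adequate for x.y.z.RELEASE, not full Maven ordering."""
    return tuple((int(p), "") if p.isdigit() else (-1, p) for p in version.split("."))

def find_conflicts(deps):
    """Modules that appear at more than one version, mapped to their sorted versions."""
    seen = defaultdict(set)
    for group, artifact, version in deps:
        seen[f"{group}:{artifact}"].add(version)
    return {m: sorted(v, key=version_key) for m, v in seen.items() if len(v) > 1}

def below_minimum(deps, minimums):
    """(module, version) pairs resolved below the floor given in `minimums`."""
    hits = set()
    for group, artifact, version in deps:
        module = f"{group}:{artifact}"
        floor = minimums.get(module)
        if floor and version_key(version) < version_key(floor):
            hits.add((module, version))
    return sorted(hits)
```

Running `find_conflicts(parse_tree(SAMPLE_TREE))` reports the two akka-stream versions, and `below_minimum` with a floor of 5.2.9.RELEASE for the three Spring artifacts flags anything the dependencyOverrides above would need to bump.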

@raboof
Member

raboof commented Oct 5, 2020

You are using a mix of dependency versions across libraries that don't agree (for example, com.typesafe.play:play-streams_2.13:2.8.2 is using com.typesafe.akka:akka-stream_2.13:2.6.5, but com.typesafe.play:play-ws-standalone_2.13:2.1.2 is using com.typesafe.akka:akka-stream_2.13:2.6.1).

Who is 'you' here? It looks like this is a comment directed at your project, not at playframework.

The real issue here is the version of springframework being brought in here by some of the transitive dependencies contains a security vulnerability that results in the build failing due to owasp-dependency-check failing on the CVE mentioned above

master has already been updated to 5.2.9.RELEASE in 92a442e, so Play 2.9.0 will have this change. I agree it would probably be good to backport this change to the 2.8.x tree.

Would you be interested in providing a PR?

@ignasi35
Member

ignasi35 commented Oct 5, 2020

I've triggered the backport on #10466 (review)

@raboof raboof added this to the Play 2.8.3 milestone Oct 6, 2020
@raboof raboof closed this as completed Oct 6, 2020