
I am trying to build a Spring Security configuration with basic authentication.

I use the following dependencies in Maven:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity5</artifactId>
</dependency>

When I load the dependencies, IntelliJ highlights the spring-boot-starter-security dependency in the pom file. IntelliJ explains the warning as follows:

Provides transitive vulnerable dependency org.springframework.security:spring-security-core:5.6.2

Why does this occur? Is this a big deal? Should I ignore it?

ha_look

  • It's telling you about a vulnerability in a library. It's up to you to decide how that might affect you. – Kayaman Jun 07 '22 at 11:07
  • You must read this: https://tanzu.vmware.com/security/cve-2022-22976. It contains the details of the CVE. Then determine for yourself whether you are affected by it or not, and choose to, for example, upgrade the library. – pringi Jun 07 '22 at 11:16
  • As far as I understood from the link that you sent, @pringi, BCrypt hashes the password with a **work factor** which mustn't be too high. For example, password hashes indicating a **work factor** of 31 -- encrypted passwords starting with '{bcrypt}$2a$31', '{bcrypt}$2b$31', '{bcrypt}$2y$31', '{bcrypt}$2$31', '$2a$31', '$2b$31', '$2y$31', or '$2$31' -- will take 2-3 days to complete each hash computation. I've checked the encrypted passwords in my database and they always start with '{bcrypt}$2a$10', which I think is the default **work factor**. So, for my case there is no problem. Thanks! – ha_look Jun 08 '22 at 13:07
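The check described in the last comment (inspect the stored hashes for their bcrypt work factor and look for the cost-31 case named in the advisory) can be done over a dump of the password column. The script below is an added example, not code from the question or from Spring Security; it assumes the stored values use Spring's `{id}` prefix format shown in the comment (`{bcrypt}$2a$10$...`), and the sample rows are constructed.

```python
import re
from collections import Counter

# Spring's DelegatingPasswordEncoder stores "{id}hash"; a bcrypt hash is then
# "$2a$<cost>$<22-char salt><31-char hash>". Only the cost field matters here.
BCRYPT_RE = re.compile(r"^(?:\{bcrypt\})?\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

AFFECTED_COST = 31   # the work factor the CVE-2022-22976 advisory describes
MIN_SANE_COST = 10   # Spring Security's default; anything lower is worth a look

# Constructed 53-character salt+hash tail, reused for every sample row.
TAIL = "N9qo8uLOickgx2ZMRZoMye" + "IjZAgcfl7p92ldGxad68LJZdL17lhWy"

# Constructed sample rows, as they might come out of a password column.
SAMPLE_ROWS = [
    "{bcrypt}$2a$10$" + TAIL,   # default cost, fine
    "{bcrypt}$2a$10$" + TAIL,
    "{bcrypt}$2y$12$" + TAIL,   # stronger cost, fine
    "$2a$31$" + TAIL,           # cost 31: the case the advisory is about
    "{bcrypt}$2b$04$" + TAIL,   # below a sane minimum
    "{noop}password",           # not bcrypt at all
]


def bcrypt_cost(stored):
    """Return the bcrypt work factor of a stored hash, or None if it is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    return int(m.group(1)) if m else None


def audit_hashes(rows):
    """Count stored hashes by cost and list the row indices that need attention."""
    costs = Counter()
    findings = []
    for idx, stored in enumerate(rows):
        cost = bcrypt_cost(stored)
        if cost is None:
            findings.append((idx, "not a bcrypt hash; check the {id} prefix"))
            continue
        costs[cost] += 1
        if cost == AFFECTED_COST:
            findings.append((idx, "work factor 31: upgrade spring-security-core "
                                  "to a fixed version and rehash on next login"))
        elif cost < MIN_SANE_COST:
            findings.append((idx, f"work factor {cost} is below {MIN_SANE_COST}"))
    return {"costs": dict(costs), "findings": findings}


if __name__ == "__main__":
    for line in audit_hashes(SAMPLE_ROWS)["findings"]:
        print(line)
```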
