Skip to content

Commit 8daf3f3

Browse files
committed
#345 Fix Trivy CRITICAL findings by upgrading vulnerable spring-security, thymeleaf and bouncycastle jars
1 parent a046bf9 commit 8daf3f3

4 files changed

Lines changed: 33 additions & 1 deletion

File tree

CHANGELOG.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
88
## [Unreleased]
99
### Fixed
1010
- [#345] Fixed a regression of [#163] where password-reset mails were silently dropped for e-mail addresses without a real TLD (e.g. `admin@ces.local`), because the CES password-management service was no longer registered after the CAS 7 / Spring Boot 3 upgrade.
11+
- [#345] Fixed Trivy CRITICAL findings by upgrading vulnerable transitive dependencies bundled in the base CAS webapp WAR:
12+
- [CVE-2026-22732](https://nvd.nist.gov/vuln/detail/CVE-2026-22732) – spring-security 6.5.5 → 6.5.9
13+
- [CVE-2026-40477](https://nvd.nist.gov/vuln/detail/CVE-2026-40477) / [CVE-2026-40478](https://nvd.nist.gov/vuln/detail/CVE-2026-40478) / [CVE-2026-41901](https://nvd.nist.gov/vuln/detail/CVE-2026-41901) – thymeleaf and thymeleaf-spring6 3.1.3.RELEASE → 3.1.5.RELEASE
14+
- [CVE-2025-14813](https://nvd.nist.gov/vuln/detail/CVE-2025-14813) – bouncycastle bcprov/bcpkix/bcutil-jdk18on 1.82 → 1.84
1115

1216
## [v7.3.7-2] - 2026-07-02
1317
### Added

app/build.gradle

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -81,6 +81,10 @@ configurations.configureEach {
8181
cacheChangingModulesFor 0, "seconds"
8282
cacheDynamicVersionsFor 0, "seconds"
8383
preferProjectModules()
84+
// CVE-2025-14813: forced because the CAS BOM (enforcedPlatform) pins 1.82.
85+
force "org.bouncycastle:bcprov-jdk18on:1.84"
86+
force "org.bouncycastle:bcpkix-jdk18on:1.84"
87+
force "org.bouncycastle:bcutil-jdk18on:1.84"
8488
def failIfConflict = project.hasProperty("failOnVersionConflict") && Boolean.valueOf(project.getProperty("failOnVersionConflict"))
8589
if (failIfConflict) {
8690
failOnVersionConflict()
@@ -221,6 +225,10 @@ dependencies {
221225
implementation "org.apereo.cas:cas-server-support-gauth-core-mfa:${project.'cas.version'}"
222226
implementation "org.apereo.cas:cas-server-support-otp-mfa-core:${project.'cas.version'}"
223227
implementation "org.apereo.cas:cas-server-core-notifications:${project.'cas.version'}"
228+
229+
// Patched thymeleaf (3.1.5.RELEASE via thymeleaf.version) onto the classpath; see gradle.properties.
230+
implementation "org.thymeleaf:thymeleaf"
231+
implementation "org.thymeleaf:thymeleaf-spring6"
224232
}
225233

226234
configurations.all {

app/gradle.properties

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,12 @@ tomcatVersion=11.0.22
1313

1414
commons-lang3.version=3.19.0
1515

16+
# Trivy CRITICAL fixes; old copies in the base CAS WAR are excluded in springboot.gradle.
17+
# CVE-2026-22732
18+
spring-security.version=6.5.9
19+
# CVE-2026-40477 / CVE-2026-40478 / CVE-2026-41901
20+
thymeleaf.version=3.1.5.RELEASE
21+
1622
# Use -jetty, -undertow to other containers
1723
# Or blank if you want to deploy to an external container
1824
appServer=-tomcat

app/gradle/springboot.gradle

Lines changed: 15 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -123,7 +123,21 @@ bootWar {
123123
"WEB-INF/lib/servlet-api-6*.jar",
124124
"WEB-INF/lib/jakarta.servlet-api-*.jar",
125125
"WEB-INF/lib/tomcat-servlet-api-*.jar",
126-
"WEB-INF/lib/jaxws-rt-*.jar"
126+
"WEB-INF/lib/jaxws-rt-*.jar",
127+
// Trivy CRITICAL fixes: drop the base WAR's vulnerable jars, keeping the patched
128+
// versions from this overlay's classpath (see gradle.properties / build.gradle).
129+
// CVE-2026-22732
130+
"WEB-INF/lib/spring-security-config-*.jar",
131+
"WEB-INF/lib/spring-security-core-*.jar",
132+
"WEB-INF/lib/spring-security-crypto-*.jar",
133+
"WEB-INF/lib/spring-security-web-*.jar",
134+
// CVE-2026-40477/40478/41901
135+
"WEB-INF/lib/thymeleaf-3*.jar",
136+
"WEB-INF/lib/thymeleaf-spring6-*.jar",
137+
// CVE-2025-14813
138+
"WEB-INF/lib/bcprov-jdk18on-*.jar",
139+
"WEB-INF/lib/bcpkix-jdk18on-*.jar",
140+
"WEB-INF/lib/bcutil-jdk18on-*.jar"
127141
]
128142
}
129143
}

0 commit comments

Comments
 (0)