I recently encountered a vulnerability in my Maven project while adding a dependency to my pom.xml. The vulnerability is reported as CVE-2023-2976 with a severity level of High, indicating a "Files or Directories Accessible to External Parties" vulnerability. The problematic dependency is com.google.guava:guava:31.1-jre.
Here are the specifics of my project setup:
- Spring Boot version: 3.2.2
- Spring Security version: 6.2.1
I attempted to mitigate the vulnerability by excluding the problematic dependency as follows:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-saml2-service-provider</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.opensaml</groupId>
            <artifactId>opensaml-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>
but the problem still exists.
You can always override the dependency by specifying the version to be greater than 32.0.1; the issue was fixed in it.
Add the dependency in your pom.xml
The dependency you are excluding may or may not be bringing in guava.
You can generate the full dependency tree to find which dependency is bringing in guava using
and exclude that in case it's not needed or used by the project.
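The override the answer describes, as an added example that is not part of the original post: a dependencyManagement entry in the project's own pom.xml forces every transitive path that pulls in Guava (whatever starter or OpenSAML artifact brings it) to resolve to the pinned version. The target version 32.0.1-jre is an assumption here; any later -jre release also satisfies the answer's "greater than 32.0.1".

```xml
<!-- Added example (not from the original post): pin the transitive Guava version
     for the whole build. dependencyManagement in the project's pom applies to
     transitive dependencies as well, so no per-dependency <exclusion> is needed
     and the fix survives when another dependency later starts pulling Guava in.
     Assumed target version: 32.0.1-jre. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>32.0.1-jre</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After adding it, `mvn dependency:tree -Dincludes=com.google.guava:guava` should list only the pinned version on every path; if 31.1-jre still appears, the reporting tool is scanning a different module or a stale build output.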