Dependency org.springframework.security:spring-security-core, leading to CVE problem

[CVEDetect]

Hi, In /，there is a dependency org.springframework.security:spring-security-core:5.2.1.RELEASE that calls the risk method.

CVE-2020-5408

The scope of this CVE affected version is [5.3.0.RELEASE, 5.3.2.RELEASE),[5.2.0.RELEASE, 5.2.4.RELEASE),[5.1.0.RELEASE, 5.1.10.RELEASE),[5.0.0.RELEASE, 5.0.16.RELEASE),[4.2.0.RELEASE, 4.2.16.RELEASE)

After further analysis, in this project, the main Api called is org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder: encode(java.lang.CharSequence)Ljava.lang.String;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 7

CVE Bug Invocation Path : 
com.sap.charging.server.security.CustomFilter: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain)V /.m2/repository/org/springframework/boot/spring-boot-actuator-autoconfigure/2.2.1.RELEASE/spring-boot-actuator-autoconfigure-2.2.1.RELEASE.jar
org.springframework.security.web.FilterChainProxy$VirtualFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)V /.m2/repository/org/springframework/security/spring-security-core/5.2.1.RELEASE/spring-security-core-5.2.1.RELEASE.jar
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain)V /.m2/repository/org/springframework/security/spring-security-core/5.2.1.RELEASE/spring-security-core-5.2.1.RELEASE.jar
org.springframework.security.authentication.ProviderManager: authenticate(org.springframework.security.core.Authentication)Lorg.springframework.security.core.Authentication; /.m2/repository/org/springframework/security/spring-security-core/5.2.1.RELEASE/spring-security-core-5.2.1.RELEASE.jar
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider: authenticate(org.springframework.security.core.Authentication)Lorg.springframework.security.core.Authentication; /.m2/repository/org/springframework/security/spring-security-core/5.2.1.RELEASE/spring-security-core-5.2.1.RELEASE.jar
org.springframework.security.authentication.dao.DaoAuthenticationProvider: createSuccessAuthentication(java.lang.Object,org.springframework.security.core.Authentication,org.springframework.security.core.userdetails.UserDetails)Lorg.springframework.security.core.Authentication; /.m2/repository/org/springframework/security/spring-security-core/5.2.1.RELEASE/spring-security-core-5.2.1.RELEASE.jar
org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder: encode(java.lang.CharSequence)Ljava.lang.String;

Dependency tree--

[INFO] com.sap.charging:emobility-smart-charging:jar:0.0.1-SNAPSHOT
[INFO] +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] |  \- junit:junit:jar:4.12:compile
[INFO] |     \- org.hamcrest:hamcrest-core:jar:2.1:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] +- org.rosuda.REngine:REngine:jar:2.1.0:compile
[INFO] +- org.rosuda.REngine:Rserve:jar:1.8.1:compile
[INFO] +- joda-time:joda-time:jar:2.10.6:compile
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:2.2.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.2.1.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.2.1.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.2.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.1.RELEASE:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.29:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.springframework:spring-core:jar:5.2.1.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.2.1.RELEASE:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.25:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.2.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.2.1.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.10.0:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.10.0:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.10.0:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.10.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-validation:jar:2.2.1.RELEASE:compile
[INFO] |  |  \- jakarta.validation:jakarta.validation-api:jar:2.0.1:compile
[INFO] |  +- org.springframework:spring-web:jar:5.2.1.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.2.1.RELEASE:compile
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.0.13.Final:compile
[INFO] |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.2.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.2.1.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-actuator:jar:2.2.1.RELEASE:compile
[INFO] |  \- io.micrometer:micrometer-core:jar:1.3.1:compile
[INFO] |     +- org.hdrhistogram:HdrHistogram:jar:2.1.11:compile
[INFO] |     \- org.latencyutils:LatencyUtils:jar:2.0.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.2.1.RELEASE:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.27:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.27:compile
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.27:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.2.1.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.2.1.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.2.1.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.1:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.5.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.5.2:test
[INFO] |  |  |  +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO] |  |  |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |  |  \- org.junit.platform:junit-platform-commons:jar:1.5.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.5.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.5.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.5.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:3.1.0:test
[INFO] |  +- org.assertj:assertj-core:jar:3.13.2:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.1:compile
[INFO] |  +- org.mockito:mockito-core:jar:3.1.0:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.10.2:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.10.2:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.6:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-test:jar:5.2.1.RELEASE:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.6.3:test
[INFO] +- org.springframework.security:spring-security-web:jar:5.2.1.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:5.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:5.2.1.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:5.2.1.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:5.2.1.RELEASE:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.8.0:compile
[INFO] |  +- io.swagger:swagger-annotations:jar:1.5.14:compile
[INFO] |  +- io.swagger:swagger-models:jar:1.5.14:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.0:compile
[INFO] |  +- io.springfox:springfox-spi:jar:2.8.0:compile
[INFO] |  |  \- io.springfox:springfox-core:jar:2.8.0:compile
[INFO] |  +- io.springfox:springfox-schema:jar:2.8.0:compile
[INFO] |  +- io.springfox:springfox-swagger-common:jar:2.8.0:compile
[INFO] |  +- io.springfox:springfox-spring-web:jar:2.8.0:compile
[INFO] |  |  \- org.reflections:reflections:jar:0.9.11:compile
[INFO] |  |     \- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  +- com.google.guava:guava:jar:20.0:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.29:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.8.0:compile
[INFO] +- io.springfox:springfox-bean-validators:jar:2.8.0:compile
[INFO] \- javax.xml.bind:jaxb-api:jar:2.1:compile
[INFO]    +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO]    \- javax.activation:activation:jar:1.1:compile

Suggested solutions:

Update dependency version

Thank you very much.