Fix transitive CVE vulnerabilities in dependency tree - AST-142710#339
Open
cx-anand-nandeshwar wants to merge 7 commits into
Conversation

Fixed Issues (2): Great job! The following issues were fixed in this Pull Request
Addresses three CVEs introduced via TeamCity transitive dependencies:

1. spring-security-web (CVE-2026-22732)
   - Affected: spring-security-web <= 6.5.8; HTTP response headers not written
   - Fix: pin springSecurity.version=6.5.9 in dependencyManagement
   - Exclude EOL spring-security-oauth2 from server-api, server-web-api, tests-support to sever the transitive pull chain at source

2. jackson-core async-parser DoS
   - Affected: jackson-core < 2.19.1; async parser bypasses maxNumberLength constraint, enabling unbounded memory/CPU usage (DoS)
   - Fix: pin jackson.version=2.21.1 for all jackson-* artifacts in dependencyManagement; exclude common-jackson (TeamCity internal bundle) from server-api, server-web-api, tests-support to cut the chain web-openapi -> common-jackson -> jackson-datatype-jdk8 -> jackson-core

3. commons-lang3 uncontrolled recursion (StackOverflowError DoS)
   - Affected: commons-lang3 3.0-3.17.0; ClassUtils.getClass() recurses unboundedly on crafted long inputs
   - commons-text 1.13.1 declared commons-lang3 @ 3.17.0 in its own POM, causing scanners to flag the path even with a managed-version override
   - Fix: upgrade commons-text to 1.15.0 (natively declares commons-lang3 3.20.0); pin commons-lang3.version=3.20.0 and commons-text.version=1.15.0 in dependencyManagement so no transitive path can reintroduce an older version; align common module direct declaration to use the property

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…T-142710' into vulnerability/spring_security_AST-142710
The integration-tests job was failing at the Checkout step with:

    fatal: could not read Username for 'https://github.com': terminal prompts disabled

Root cause: actions/checkout was configured with token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}. When the PAT secret is absent or expired the token resolves to an empty string, causing git to prompt for HTTPS credentials, which are disabled on hosted runners.

Fix: use || github.token as a fallback so the runner-injected GITHUB_TOKEN is used whenever PERSONAL_ACCESS_TOKEN is unavailable. github.token always has Contents:write for same-org PRs and never expires, making the checkout reliable regardless of PAT lifecycle.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous CVE fix set jackson.version=2.21.1, which does not exist on Maven Central, causing the CI build to fail with:

    Could not find artifact jackson-annotations:jar:2.21.1

2.21.2 is the actual latest stable release. Updated the property and its comment to reflect the correct version.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove jackson version pins from dependencyManagement (jackson-annotations does not publish at the same version as jackson-core, causing artifact-not-found failures). Instead, exclude common-jackson from agent-api and tests-support in both the root dependencyManagement and agent/pom.xml, eliminating jackson from the agent module's dependency graph entirely. Also add common-jackson exclusion to tests-support in root dependencyManagement to close the same gap there. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

Fixes three transitive CVE vulnerabilities introduced through TeamCity SDK dependencies (server-api, web-openapi, common-jackson, common-spring-security). All fixes follow a defense-in-depth approach: version pinning in dependencyManagement (forces the safe resolved version) plus exclusions at every TeamCity entry point (removes the vulnerable path from the declared artifact graph so scanners that walk POM metadata also see a clean tree).

CVE 1 — spring-security-web HTTP security-header bypass (CVE-2026-22732)

| Field | Value |
|---|---|
| Ticket | https://checkmarx.atlassian.net/browse/AST-142710 |
| Path | server-api → web-openapi → common-spring-security → spring-security-oauth2 → spring-security-web @ 6.3.5 |
| Affected | spring-security-web ≤ 6.5.8 and 7.x ≤ 7.0.3 |
| Fix | springSecurity.version = 6.5.9; exclude EOL spring-security-oauth2 from server-api, server-web-api, tests-support |

CVE 2 — jackson-core async parser DoS

| Field | Value |
|---|---|
| Ticket | https://checkmarx.atlassian.net/browse/AST-140246 |
| Path | server-api → web-openapi → common-jackson → jackson-datatype-jdk8 → jackson-core @ 2.19.0 |
| Impact | maxNumberLength → unbounded memory/CPU → DoS |
| Affected | jackson-core < 2.18.6 / < 2.19.1 / < 3.1.0 |
| Fix | jackson.version = 2.21.1 pinned for all jackson-* artifacts in dependencyManagement; exclude common-jackson from server-api, server-web-api, tests-support |

CVE 3 — commons-lang3 uncontrolled recursion DoS

| Field | Value |
|---|---|
| Path | server-api → commons-text @ 1.13.1 → commons-lang3 @ 3.17.0 |
| Impact | ClassUtils.getClass() recurses unboundedly on crafted long inputs → StackOverflowError → application crash (DoS) |
| Affected | commons-lang3 3.0 – 3.17.0 |
| Fix | commons-text → 1.15.0 (natively declares commons-lang3 @ 3.20.0, removing the vulnerable path from the artifact's own POM metadata); pin commons-lang3.version = 3.20.0 independently in dependencyManagement |

Files changed

| File | Change |
|---|---|
| pom.xml | jackson.version, commons-lang3.version, commons-text.version properties; pinned all jackson-*, commons-text, commons-lang3 in dependencyManagement; added common-jackson + spring-security-oauth2 exclusions to managed server-api |
| checkmarx-ast-teamcity-plugin-server/pom.xml | spring-security-oauth2 + common-jackson exclusions to server-api, server-web-api, and tests-support direct declarations |
| checkmarx-ast-teamcity-plugin-common/pom.xml | commons-lang3 direct declaration to use ${commons-lang3.version} property instead of a hardcoded version |

Test plan

- Run mvn dependency:tree and confirm no spring-security-web, jackson-core, or commons-lang3 below the fix versions appear in the resolved tree
- mvn clean package — build must succeed with no compilation errors
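The first test-plan step can be made mechanical rather than eyeballed. The script below is an added example, not code from this PR or the plugin project: it parses the indented listing that `mvn dependency:tree` prints, compares every watched artifact against the fix floors stated in this PR (spring-security-web 6.5.9, jackson-core 2.19.1, commons-lang3 3.20.0) and prints the chain by which any offending version is pulled in. The two tree listings embedded in it are constructed for the example; the TeamCity artifact groupIds in them (`example.teamcity`) are placeholders, and the file name `check_tree.py` in the usage comment is hypothetical.

```python
"""Check `mvn dependency:tree` output against minimum safe versions.

Added example, not code from the PR or the plugin project. The tree
listings at the bottom are constructed; the groupIds of the TeamCity
artifacts (example.teamcity) are placeholders, the other coordinates are real.
"""
import re
from typing import Dict, List, Tuple

# Floors taken from the PR description: any occurrence below these is a finding.
FLOORS: Dict[str, str] = {
    "org.springframework.security:spring-security-web": "6.5.9",
    "com.fasterxml.jackson.core:jackson-core": "2.19.1",
    "org.apache.commons:commons-lang3": "3.20.0",
}

TREE_PREFIX_CHARS = " |+\\-"   # drawing characters mvn prints before a coordinate


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; stops at the first non-numeric segment
    (e.g. 2.5.2.RELEASE -> (2, 5, 2, 0)), which is enough for release floors."""
    nums: List[int] = []
    for seg in re.split(r"[.\-]", version):
        if not seg.isdigit():
            break
        nums.append(int(seg))
    return tuple(nums + [0] * (4 - len(nums)))


def parse_tree(text: str) -> List[Tuple[int, str, str]]:
    """Return (depth, 'groupId:artifactId', version) for each node of the tree.

    Depth comes from the 3-character drawing prefix per level
    ("+- ", "|  ", "\\- ", "   "). A trailing annotation such as
    "(version managed from 6.3.5)" is dropped before splitting.
    """
    nodes: List[Tuple[int, str, str]] = []
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        body = line.lstrip(TREE_PREFIX_CHARS).split(" (")[0].rstrip()
        depth = (len(line) - len(line.lstrip(TREE_PREFIX_CHARS))) // 3
        parts = body.split(":")
        # Skip anything that is not g:a:type:version[:scope] (e.g. "Finished at: ...").
        if len(parts) < 4 or " " in parts[0]:
            continue
        # g:a:type:version[:scope]  or  g:a:type:classifier:version:scope
        version = parts[4] if len(parts) == 6 else parts[3]
        nodes.append((depth, f"{parts[0]}:{parts[1]}", version))
    return nodes


def find_violations(text: str, floors: Dict[str, str] = FLOORS) -> List[Tuple[str, str, str]]:
    """Return (groupId:artifactId, version, path) for every node below its floor."""
    path: List[str] = []
    findings: List[Tuple[str, str, str]] = []
    for depth, ga, version in parse_tree(text):
        del path[depth:]                       # unwind to the parent at this depth
        path.append(f"{ga.split(':')[1]}@{version}")
        floor = floors.get(ga)
        if floor is not None and version_key(version) < version_key(floor):
            findings.append((ga, version, " -> ".join(path)))
    return findings


def report(text: str) -> int:
    """Print findings; return their count so it can double as an exit status."""
    findings = find_violations(text)
    for ga, version, path in findings:
        print(f"BELOW FLOOR {ga} {version} (floor {FLOORS[ga]})\n    via {path}")
    if not findings:
        print("clean: no watched artifact below its floor")
    return len(findings)


# Constructed listing resembling the tree before the fix (TeamCity groupIds are placeholders).
BEFORE_FIX_TREE = r"""
[INFO] com.example:checkmarx-ast-teamcity-plugin-server:jar:1.0.0
[INFO] +- example.teamcity:server-api:jar:2024.03:provided
[INFO] |  +- example.teamcity:web-openapi:jar:2024.03:provided
[INFO] |  |  +- example.teamcity:common-spring-security:jar:2024.03:provided
[INFO] |  |  |  \- org.springframework.security:spring-security-oauth2:jar:2.5.2.RELEASE:provided
[INFO] |  |  |     \- org.springframework.security:spring-security-web:jar:6.3.5:provided
[INFO] |  |  \- example.teamcity:common-jackson:jar:2024.03:provided
[INFO] |  |     \- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.19.0:provided
[INFO] |  |        \- com.fasterxml.jackson.core:jackson-core:jar:2.19.0:provided
[INFO] |  \- org.apache.commons:commons-text:jar:1.13.1:provided
[INFO] |     \- org.apache.commons:commons-lang3:jar:3.17.0:provided
"""

# Constructed listing resembling the tree after pinning and exclusions are applied.
AFTER_FIX_TREE = r"""
[INFO] com.example:checkmarx-ast-teamcity-plugin-server:jar:1.0.0
[INFO] +- example.teamcity:server-api:jar:2024.03:provided
[INFO] |  +- example.teamcity:web-openapi:jar:2024.03:provided
[INFO] |  \- org.apache.commons:commons-text:jar:1.15.0:provided (version managed from 1.13.1)
[INFO] |     \- org.apache.commons:commons-lang3:jar:3.20.0:provided
[INFO] \- org.springframework.security:spring-security-web:jar:6.5.9:compile
"""

if __name__ == "__main__":
    import sys
    # Real use (hypothetical file name):  mvn dependency:tree | python check_tree.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BEFORE_FIX_TREE
    sys.exit(1 if report(text) else 0)
```

Run without piped input it checks the constructed before-fix listing and reports all three chains; piped the real `mvn dependency:tree` output it exits non-zero when any watched artifact resolves below its floor, which makes it usable as a CI gate alongside `mvn clean package`. Note that the default (non-verbose) tree shows only the resolved version of each artifact, so a POM that still declares an old version but is overridden by dependencyManagement will look clean here; that is exactly why the PR also adds exclusions for scanners that walk POM metadata.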