When I read this CVE https://nvd.nist.gov/vuln/detail/CVE-2023-34034 it says that it affects Spring Security. And on the Spring official website they talk about this CVE and say that it affects Spring Security: https://spring.io/security/cve-2023-34034
I am not a developer, so I am not familiar with Spring and its different projects, but I tried to search on Maven online to see the Spring Security artifact and I got a lot of results (see screenshot below).
Why am I doing so? Because I want to know which component exactly is affected by the CVE.
I was expecting to have a specific component that is affected by this CVE (e.g. the spring-security-core artifact), but there are a lot of variations of Spring Security, and again I am not a developer and have no idea what the difference is between each. Furthermore, if that is affecting Spring Security, does that mean that if I am using Spring Boot or Spring Framework then I am not affected?
Simple answer: all of the artifacts are Spring Security.
The Spring ecosystem is modular, meaning that you only pull in what is needed for your specific application.
The base package that is always needed for all applications that want to use Spring Security (always needed).
If you want to secure web-related endpoints like REST, WebSockets, etc.
If you want to be able to configure your security (is basically always needed).
Says what it is: contains crypto-related functions, algorithms, handling certificates, etc.
Contains all the testing tools to be able to write unit tests and other types of tests for Spring Security.
Spring started out as a basic framework that handled dependency injection in servlet containers like Tomcat, Jetty, etc.
So it was basically just a library that you could use in your application, and then you deployed your application into a server.
Then Spring created Spring Boot, which took the framework and embedded a server into the package, so you could get an entire application including a server in one lean package.
So before Boot, you only had an application that needed to be deployed on a server.
With Boot, you get the server packaged into your application, basically.
Framework are the fundamental packages that Spring is based upon, for instance spring-framework-core. Then they used that package and built Spring Boot by including a server in the package (very simplified). Then if you want to have REST endpoints you include, for instance, spring-web. And if you want security you include spring-security-core and spring-security-core and spring-security-web.
Instead of pulling in packages manually, Spring created starters, for instance spring-security-starter, which will pull in the necessary dependencies for you.
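As an added example (not code from the question or the answer), the practical check that follows from this answer is to look at what actually landed in your own build rather than at the list of artifacts on Maven Central. The script below parses the text that `mvn dependency:tree` prints and reports every module under the real `org.springframework.security` group, with its version and the top-level dependency (here the real `spring-boot-starter-security` starter) that pulled it in; the tree text and the version numbers are constructed sample data, and which versions are affected must be read from the advisory, not from this sample.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a Spring Boot app.
# Coordinates and versions are illustrative, not taken from a real project.
SAMPLE_TREE = r"""[INFO] --- maven-dependency-plugin:3.5.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.1.1:compile
[INFO] |  +- org.springframework:spring-web:jar:6.0.10:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:6.0.10:compile
[INFO] \- org.springframework.boot:spring-boot-starter-security:jar:3.1.1:compile
[INFO]    +- org.springframework.security:spring-security-config:jar:6.1.1:compile
[INFO]    |  \- org.springframework.security:spring-security-core:jar:6.1.1:compile
[INFO]    \- org.springframework.security:spring-security-web:jar:6.1.1:compile
[INFO] BUILD SUCCESS"""

# Each tree level is a 3-character cell: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)$")
SECURITY_GROUP = "org.springframework.security"


def parse_tree(text):
    """Return (depth, group, artifact, version) for every node in the tree."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, BUILD SUCCESS, separators, etc.
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue  # not a Maven coordinate (e.g. a "----" separator line)
        depth = len(m.group("prefix")) // 3
        # coordinate is group:artifact:type[:classifier]:version[:scope]
        version = parts[4] if len(parts) >= 6 else parts[3]
        nodes.append((depth, parts[0], parts[1], version))
    return nodes


def security_modules(text):
    """Map each Spring Security artifact to (version, direct dependency that pulled it in)."""
    found, top_level = {}, None
    for depth, group, artifact, version in parse_tree(text):
        if depth == 1:
            top_level = artifact  # a dependency declared directly in the pom
        if group == SECURITY_GROUP:
            found[artifact] = (version, top_level)
    return found


if __name__ == "__main__":
    # Note: spring-web belongs to the framework group and is correctly left out.
    for artifact, (version, via) in sorted(security_modules(SAMPLE_TREE).items()):
        print(f"{artifact} {version} (via {via})")
```

Run the real thing with `mvn dependency:tree > tree.txt` in the project directory and feed that file to `security_modules` instead of the sample.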