Fix transitive CVE vulnerabilities in dependency tree - AST-142710

checkmarx-ast-teamcity-plugin-common/pom.xml

@@ -23,10 +23,11 @@
             </exclusions>
         </dependency>
 
+        <!-- Version governed by commons-lang3.version in root POM (CVE fix: 3.18.0) -->
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.18.0</version>
+            <version>${commons-lang3.version}</version>
         </dependency>
 
         <!-- Test Dependencies -->

checkmarx-ast-teamcity-plugin-server/pom.xml

@@ -26,6 +26,19 @@
           <groupId>commons-httpclient</groupId>
           <artifactId>commons-httpclient</artifactId>
         </exclusion>
+        <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 to prevent
+             its transitive pull of vulnerable spring-security-web < 6.5.9 -->
+        <exclusion>
+          <groupId>org.springframework.security.oauth</groupId>
+          <artifactId>spring-security-oauth2</artifactId>
+        </exclusion>
+        <!-- jackson-core async-parser DoS: cut the
+             web-openapi -> common-jackson -> jackson-datatype-jdk8
+             -> jackson-core@2.19.0 transitive chain at source -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -40,6 +53,19 @@
           <groupId>commons-httpclient</groupId>
           <artifactId>commons-httpclient</artifactId>
         </exclusion>
+        <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 to prevent
+             its transitive pull of vulnerable spring-security-web < 6.5.9
+             via web-openapi -> common-spring-security -> spring-security-oauth2 -->
+        <exclusion>
+          <groupId>org.springframework.security.oauth</groupId>
+          <artifactId>spring-security-oauth2</artifactId>
+        </exclusion>
+        <!-- jackson-core async-parser DoS: server-web-api also carries
+             the web-openapi -> common-jackson chain; cut it here too -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
@@ -52,6 +78,17 @@
           <groupId>commons-httpclient</groupId>
           <artifactId>commons-httpclient</artifactId>
         </exclusion>
+        <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 -->
+        <exclusion>
+          <groupId>org.springframework.security.oauth</groupId>
+          <artifactId>spring-security-oauth2</artifactId>
+        </exclusion>
+        <!-- jackson-core async-parser DoS: tests-support also carries
+             common-jackson transitively; exclude to keep test classpath clean -->
+        <exclusion>
+          <groupId>org.jetbrains.teamcity</groupId>
+          <artifactId>common-jackson</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 

pom.xml

@@ -17,7 +17,21 @@
         <project.build.resourceEncoding>UTF-8</project.build.resourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <springFramework.version>6.2.11</springFramework.version>
-        <springSecurity.version>6.3.5</springSecurity.version>
+        <springSecurity.version>6.5.9</springSecurity.version>
+        <!-- CVE jackson-core async-parser DoS: fix versions are 2.18.6 / 2.19.1 / 3.1.0.
+             Pinning the whole Jackson family to 2.19.1 (same minor stream, patched). -->
+        <jackson.version>2.21.1</jackson.version>
+        <!-- CVE commons-lang3 uncontrolled recursion: ClassUtils.getClass() can throw
+             StackOverflowError on crafted long inputs → DoS.
+             Affected : commons-lang3 3.0 – 3.17.0 (and commons-lang 2.0 – 2.6)
+             Fix      : 3.18.0+. Upgraded to 3.20.0 to stay in sync with
+             commons-text 1.15.0 which natively declares commons-lang3 @ 3.20.0,
+             eliminating the vulnerable declared-dependency path entirely. -->
+        <commons-lang3.version>3.20.0</commons-lang3.version>
+        <!-- commons-text 1.13.1 declared commons-lang3 @ 3.17.0 (vulnerable).
+             Upgrading to 1.15.0 which natively declares commons-lang3 @ 3.20.0,
+             removing the vulnerable transitive path from the artifact's own POM. -->
+        <commons-text.version>1.15.0</commons-text.version>
     </properties>
 
     <modules>
@@ -88,6 +102,12 @@
                         <groupId>commons-lang</groupId>
                         <artifactId>commons-lang</artifactId>
                     </exclusion>
+                    <!-- CVE-2026-22732: exclude EOL spring-security-oauth2 to prevent
+                         its transitive pull of vulnerable spring-security-web < 6.5.9 -->
+                    <exclusion>
+                        <groupId>org.springframework.security.oauth</groupId>
+                        <artifactId>spring-security-oauth2</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -135,6 +155,22 @@
                         <groupId>commons-fileupload</groupId>
                         <artifactId>commons-fileupload</artifactId>
                     </exclusion>
+                    <!-- CVE-2026-22732 mitigation: springSecurity.version is now 6.5.9.
+                         Keep excluding EOL spring-security-oauth2 to avoid its legacy
+                         transitive chain and prevent vulnerable spring-security-web pull-ins. -->
+                    <exclusion>
+                        <groupId>org.springframework.security.oauth</groupId>
+                        <artifactId>spring-security-oauth2</artifactId>
+                    </exclusion>
+                    <!-- jackson-core async-parser DoS: exclude the TeamCity-internal
+                         common-jackson bundle so that web-openapi cannot bring in
+                         jackson-datatype-jdk8 → jackson-core @ 2.19.0 (vulnerable).
+                         jackson-core @ ${jackson.version} is forced via dependencyManagement
+                         as a second line of defence. -->
+                    <exclusion>
+                        <groupId>org.jetbrains.teamcity</groupId>
+                        <artifactId>common-jackson</artifactId>
+                    </exclusion>
                 </exclusions>
             </dependency>
             <dependency>
@@ -312,12 +348,71 @@
                 <artifactId>gson</artifactId>
                 <version>2.12.0</version>
             </dependency>
-             <dependency>
+            <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
                 <artifactId>log4j-core</artifactId>
                 <version>2.25.3</version>
                 <scope>provided</scope>
             </dependency>
+
+            <!-- ===== commons-text + commons-lang3 version override =====
+                 CVE: ClassUtils.getClass() uncontrolled recursion → StackOverflowError → DoS.
+                 Root cause : commons-lang3 3.0 – 3.17.0.
+                 commons-text 1.13.1 (transitive via TeamCity server-api) declared
+                 commons-lang3 @ 3.17.0 in its own POM — scanners walking the declared
+                 graph flagged the path even after the resolved version was overridden.
+                 Fix        : upgrade commons-text to 1.15.0, which natively declares
+                 commons-lang3 @ 3.20.0, removing the vulnerable path from the
+                 artifact's own metadata. commons-lang3 is also pinned independently
+                 so no other path can re-introduce an older version. -->
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-text</artifactId>
+                <version>${commons-text.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>${commons-lang3.version}</version>
+            </dependency>
+
+            <!-- ===== Jackson version override =====
+                 CVE: jackson-core async (non-blocking) parser bypasses maxNumberLength,
+                 enabling DoS via unbounded number tokens.
+                 Affected : jackson-core < 2.18.6 / < 2.19.1 / < 3.1.0
+                 Fix      : force every jackson-* artifact to 2.19.1 so that
+                 common-jackson → jackson-datatype-jdk8 → jackson-core cannot
+                 resolve a vulnerable 2.19.0 jar even transitively. -->
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.datatype</groupId>
+                <artifactId>jackson-datatype-jdk8</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.datatype</groupId>
+                <artifactId>jackson-datatype-jsr310</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.module</groupId>
+                <artifactId>jackson-module-parameter-names</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>