spring-boot-starter-web-2.6.4.jar: 21 vulnerabilities (highest severity is: 9.8) #2
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
copper-mend-app
bot
added
the
Mend: dependency security vulnerability
copper-mend-app
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.29/6d0cdafb2010f1297e574656551d7145240f6e25/snakeyaml-1.29.jar
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-beans-5.3.16.jar
Spring Beans
Library home page: https://github.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.16/15decec5cea7a91423272daaae6f5d050c23cf3b/spring-beans-5.3.16.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (spring-beans): org.springframework:spring-beans:5.2.20.RELEASE,5.3.18
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-web-5.3.16.jar
Spring Web
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.16/224ae9b45e138034980a423e2f85d7bd63539a49/spring-web-5.3.16.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4wrc-f8pq-fpqp
Release Date: 2020-01-02
Fix Resolution: org.springframework:spring-web:6.0.0
Vulnerable Library - snakeyaml-1.29.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.29/6d0cdafb2010f1297e574656551d7145240f6e25/snakeyaml-1.29.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
Vulnerable Library - spring-web-5.3.16.jar
Spring Web
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.16/224ae9b45e138034980a423e2f85d7bd63539a49/spring-web-5.3.16.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
Publish Date: 2024-02-23
URL: CVE-2024-22243
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22243
Release Date: 2024-02-23
Fix Resolution: org.springframework:spring-web:5.3.32,6.0.17,6.1.4
Vulnerable Library - spring-web-5.3.16.jar
Spring Web
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.16/224ae9b45e138034980a423e2f85d7bd63539a49/spring-web-5.3.16.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Publish Date: 2024-04-16
URL: CVE-2024-22262
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22262
Release Date: 2024-04-16
Fix Resolution: org.springframework:spring-web:5.3.34;6.0.19,6.1.6
Vulnerable Library - spring-web-5.3.16.jar
Spring Web
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.3.16/224ae9b45e138034980a423e2f85d7bd63539a49/spring-web-5.3.16.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Publish Date: 2024-03-16
URL: CVE-2024-22259
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22259
Release Date: 2024-03-16
Fix Resolution: org.springframework:spring-web:5.3.33,6.0.18,6.1.5
Vulnerable Library - snakeyaml-1.29.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.29/6d0cdafb2010f1297e574656551d7145240f6e25/snakeyaml-1.29.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution: org.yaml:snakeyaml:1.31
Vulnerable Library - logback-core-1.2.10.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.10/5328406bfcae7bcdcc86810fcb2920d2c297170d/logback-core-1.2.10.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Publish Date: 2023-12-04
URL: CVE-2023-6481
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481
Release Date: 2023-12-04
Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14
Vulnerable Library - tomcat-embed-core-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.58/5166fd9f6ffef571c22265c84a0b4354a835d4d2/tomcat-embed-core-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution (tomcat-embed-core): org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tomcat-embed-core-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.58/5166fd9f6ffef571c22265c84a0b4354a835d4d2/tomcat-embed-core-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Publish Date: 2023-11-28
URL: CVE-2023-46589
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2023-11-28
Fix Resolution (tomcat-embed-core): org.apache.tomcat:tomcat-coyote:8.5.96,9.0.83,10.1.16,11.0.0-M11, org.apache.tomcat.embed:tomcat-embed-core:8.5.96,9.0.83,10.1.16,11.0.0-M11, org.apache.tomcat:tomcat-catalina:8.5.96,9.0.83,10.1.16,11.0.0-M11
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tomcat-embed-core-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.58/5166fd9f6ffef571c22265c84a0b4354a835d4d2/tomcat-embed-core-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution (tomcat-embed-core): commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat.embed:tomcat-embed-core:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-util:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-catalina:8.5.85,9.0.71,10.1.5,11.0.0-M3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tomcat-embed-core-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.58/5166fd9f6ffef571c22265c84a0b4354a835d4d2/tomcat-embed-core-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Publish Date: 2024-03-13
URL: CVE-2024-24549
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
Release Date: 2024-03-13
Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.99,9.0.86,10.1.19,11.0.0-M17, org.apache.tomcat.embed:tomcat-embed-core:8.5.99,9.0.86,10.1.19,11.0.0-M17
Vulnerable Library - jackson-databind-2.13.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02
URL: CVE-2022-42004
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#3582
Release Date: 2022-10-02
Fix Resolution (jackson-databind): com.fasterxml.jackson.core:jackson-databind:2.13.4
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jackson-databind-2.13.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
Publish Date: 2022-10-02
URL: CVE-2022-42003
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#3590
Release Date: 2022-10-02
Fix Resolution (jackson-databind): com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.1
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-boot-autoconfigure-2.6.4.jar
Spring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/2.6.4/36e75a2781fc604ac042945eed8be2fe049731df/spring-boot-autoconfigure-2.6.4.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Publish Date: 2023-05-26
URL: CVE-2023-20883
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20883
Release Date: 2023-05-26
Fix Resolution (spring-boot-autoconfigure): org.springframework.boot:spring-boot-autoconfigure:2.5.12,2.6.12,2.7.12,3.0.7
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - jackson-databind-2.13.1.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.1/698b2d2b15d9a1b7aae025f1d9f576842285e7f6/jackson-databind-2.13.1.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2816
Release Date: 2022-03-11
Fix Resolution (jackson-databind): com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - spring-webmvc-5.3.16.jar
Spring Web MVC
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.16/18e0d7a9cf1c43b100296f86f61b58821dd1e6b9/spring-webmvc-5.3.16.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Publish Date: 2023-03-27
URL: CVE-2023-20860
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/
Release Date: 2023-03-27
Fix Resolution (spring-webmvc): org.springframework:spring-webmvc:5.3.26,6.0.7
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - tomcat-embed-websocket-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/9.0.58/be15775c1abc7fd9b8fda38a8991463e04de656f/tomcat-embed-websocket-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Publish Date: 2024-03-13
URL: CVE-2024-23672
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: apache/tomcat@b0e3b1b
Release Date: 2024-03-13
Fix Resolution: org.apache.tomcat:tomcat-websocket:8.5.99,9.0.86,10.1.19,11.0.0-M17 ,org.apache.tomcat.embed:tomcat-embed-websocket:8.5.99,9.0.86,10.1.19,11.0.0-M17
Vulnerable Library - tomcat-embed-core-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.58/5166fd9f6ffef571c22265c84a0b4354a835d4d2/tomcat-embed-core-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Mend Note: After conducting further research, Mend has determined that versions 10.0.x of org.apache.tomcat:tomcat-catalina are vulnerable to CVE-2022-45143.
Publish Date: 2023-01-03
URL: CVE-2022-45143
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rq2w-37h9-vg94
Release Date: 2023-01-03
Fix Resolution (tomcat-embed-core): org.apache.tomcat:tomcat-catalina:8.5.84,9.0.69,10.1.2, org.apache.tomcat.embed:tomcat-embed-core:8.5.84,9.0.69,10.1.2, org.apache.tomcat.experimental:tomcat-embed-programmatic:9.0.69,10.1.2
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - logback-classic-1.2.10.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.10/f69d97ef3335c6ab82fc21dfb77ac613f90c1221/logback-classic-1.2.10.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Publish Date: 2023-11-29
URL: CVE-2023-6378
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://logback.qos.ch/news.html#1.3.12
Release Date: 2023-11-29
Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12
Vulnerable Library - tomcat-embed-core-9.0.58.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.58/5166fd9f6ffef571c22265c84a0b4354a835d4d2/tomcat-embed-core-9.0.58.jar
Dependency Hierarchy:
Found in HEAD commit: 70092fa46f229aa8874eae31e6882c79f36c3416
Found in base branch: master
Vulnerability Details
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
Publish Date: 2022-11-01
URL: CVE-2022-42252
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-p22x-g9px-3945
Release Date: 2022-11-01
Fix Resolution (tomcat-embed-core): org.apache.tomcat:tomcat:8.5.83,9.0.68,10.0.27,10.1.1
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: