search

BillyBolton / springharvest

A collection of libraries for Java Spring Boot components to quickly spin up full end-to-end RESTful APIs supporting CRUD and criteria search, and a bespoke integration testing framework.
Apache License 2.0
2 stars 4 forks source link

components-shared-0.0.23-SNAPSHOT: 4 vulnerabilities (highest severity is: 9.8) - autoclosed #57

Closed mend-bolt-for-github[bot] closed 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - components-shared-0.0.23-SNAPSHOT

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.13/6909967f2ed6c323108c2cc7f20586d6f7eb6455/tomcat-embed-core-10.1.13.jar

Found in HEAD commit: 674cc8c5017c3790326f83d3f47f257041b10507

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (components-shared version) Remediation Possible**
CVE-2022-1471 Critical 9.8 snakeyaml-1.33.jar Transitive N/A*
CVE-2023-44487 High 7.5 tomcat-embed-core-10.1.13.jar Transitive N/A*
CVE-2023-42795 Medium 5.3 tomcat-embed-core-10.1.13.jar Transitive N/A*
CVE-2023-45648 Medium 5.3 tomcat-embed-core-10.1.13.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-1471 ### Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /examples/books-catalogue/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Dependency Hierarchy: - components-shared-0.0.23-SNAPSHOT (Root Library) - :x: **snakeyaml-1.33.jar** (Vulnerable Library)

Found in HEAD commit: 674cc8c5017c3790326f83d3f47f257041b10507

Found in base branch: main

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-44487 ### Vulnerable Library - tomcat-embed-core-10.1.13.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /examples/books-catalogue/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.13/6909967f2ed6c323108c2cc7f20586d6f7eb6455/tomcat-embed-core-10.1.13.jar

Dependency Hierarchy: - components-shared-0.0.23-SNAPSHOT (Root Library) - :x: **tomcat-embed-core-10.1.13.jar** (Vulnerable Library)

Found in HEAD commit: 674cc8c5017c3790326f83d3f47f257041b10507

Found in base branch: main

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-42795 ### Vulnerable Library - tomcat-embed-core-10.1.13.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /examples/books-catalogue/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.13/6909967f2ed6c323108c2cc7f20586d6f7eb6455/tomcat-embed-core-10.1.13.jar

Dependency Hierarchy: - components-shared-0.0.23-SNAPSHOT (Root Library) - :x: **tomcat-embed-core-10.1.13.jar** (Vulnerable Library)

Found in HEAD commit: 674cc8c5017c3790326f83d3f47f257041b10507

Found in base branch: main

### Vulnerability Details

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Publish Date: 2023-10-10

URL: CVE-2023-42795

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42795

Release Date: 2023-10-10

Fix Resolution: org.apache.tomcat:tomcat-util - 8.5.94,10.1.14,11.0.0-M12,10.0.0-M1;org.apache.tomcat.embed:tomcat-embed-core - 11.0.0-M12,8.5.94,9.0.81;org.apache.tomcat:tomcat-coyote - 8.5.94,10.0.0-M1,11.0.0-M12,10.1.14;org.apache.tomcat:tomcat-catalina - 8.5.94,10.0.0-M1,10.1.14,11.0.0-M12

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-45648 ### Vulnerable Library - tomcat-embed-core-10.1.13.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /examples/books-catalogue/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.13/6909967f2ed6c323108c2cc7f20586d6f7eb6455/tomcat-embed-core-10.1.13.jar

Dependency Hierarchy: - components-shared-0.0.23-SNAPSHOT (Root Library) - :x: **tomcat-embed-core-10.1.13.jar** (Vulnerable Library)

Found in HEAD commit: 674cc8c5017c3790326f83d3f47f257041b10507

Found in base branch: main

### Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

Publish Date: 2023-10-10

URL: CVE-2023-45648

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-45648

Release Date: 2023-10-10

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core - 11.0.0-M12,8.5.94,9.0.81;org.apache.tomcat:tomcat-coyote - 8.5.94,10.0.0-M1,10.1.14,11.0.0-M12

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.