Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-52317
### Vulnerable Library - tomcat-embed-core-10.1.30.jar
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.
This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Vulnerable Library - spring-boot-starter-web-3.3.4.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-52316
### Vulnerable Library - tomcat-embed-core-10.1.30.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar
Dependency Hierarchy: - spring-boot-starter-web-3.3.4.jar (Root Library) - spring-boot-starter-tomcat-3.3.4.jar - :x: **tomcat-embed-core-10.1.30.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsUnchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52316
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2024-52317
### Vulnerable Library - tomcat-embed-core-10.1.30.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar
Dependency Hierarchy: - spring-boot-starter-web-3.3.4.jar (Root Library) - spring-boot-starter-tomcat-3.3.4.jar - :x: **tomcat-embed-core-10.1.30.jar** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsIncorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52317
### CVSS 3 Score Details (6.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)