BranislavBeno / Ronja-CRM-Server

MIT License
1 stars 1 forks source link

spring-boot-starter-web-3.3.4.jar: 2 vulnerabilities (highest severity is: 9.8) #279

Open mend-bolt-for-github[bot] opened 2 weeks ago

mend-bolt-for-github[bot] commented 2 weeks ago
Vulnerable Library - spring-boot-starter-web-3.3.4.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible**
CVE-2024-52316 Critical 9.8 tomcat-embed-core-10.1.30.jar Transitive 3.3.5
CVE-2024-52317 Medium 6.5 tomcat-embed-core-10.1.30.jar Transitive 3.3.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-52316 ### Vulnerable Library - tomcat-embed-core-10.1.30.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar

Dependency Hierarchy: - spring-boot-starter-web-3.3.4.jar (Root Library) - spring-boot-starter-tomcat-3.3.4.jar - :x: **tomcat-embed-core-10.1.30.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Publish Date: 2024-11-18

URL: CVE-2024-52316

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-11-18

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-52317 ### Vulnerable Library - tomcat-embed-core-10.1.30.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.30/852ff3547f179175feaff39c443e9b980ec2cc2/tomcat-embed-core-10.1.30.jar

Dependency Hierarchy: - spring-boot-starter-web-3.3.4.jar (Root Library) - spring-boot-starter-tomcat-3.3.4.jar - :x: **tomcat-embed-core-10.1.30.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Publish Date: 2024-11-18

URL: CVE-2024-52317

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-11-18

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)