search

KDWSS / dd-trace-java

Datadog APM client for Java
https://docs.datadoghq.com/tracing/languages/java
Apache License 2.0
0 stars 0 forks source link

CVE-2023-20883 (High) detected in spring-boot-autoconfigure-2.2.7.RELEASE.jar #747

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago

CVE-2023-20883 - High Severity Vulnerability

Vulnerable Library - spring-boot-autoconfigure-2.2.7.RELEASE.jar

Spring Boot AutoConfigure

Library home page: https://spring.io

Path to dependency file: /dd-smoke-tests/springboot-openliberty/application/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.2.7.RELEASE/spring-boot-autoconfigure-2.2.7.RELEASE.jar,/dd-smoke-tests/springboot-openliberty/application/target/liberty/wlp/usr/shared/resources/lib.index.cache/a1/da709190c67253d393c1372a17bd0c8a1d74fd676a2d1c0ad8b35cc8536ff7/spring-boot-autoconfigure-2.2.7.RELEASE.jar

Dependency Hierarchy: - :x: **spring-boot-autoconfigure-2.2.7.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution: 2.5.15