MendDemo-josh / java-sec-code

Common Java web vulnerabilities and security code, based on Spring Boot and Spring Security

spring-security-config-4.2.12.RELEASE.jar: 1 vulnerabilities (highest severity is: 4.8) #39

Open mend-for-github-com[bot] opened 2 days ago

mend-for-github-com[bot] commented 2 days ago
Vulnerable Library - spring-security-config-4.2.12.RELEASE.jar

spring-security-config

Library home page: https://spring.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-config/4.2.12.RELEASE/spring-security-config-4.2.12.RELEASE.jar

Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-security-config version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-38827 | Medium | 4.8 | Not Defined | | spring-security-config-4.2.12.RELEASE.jar | Direct | 5.7.14 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2024-38827**

### Vulnerable Library - spring-security-config-4.2.12.RELEASE.jar

Dependency Hierarchy:

- :x: **spring-security-config-4.2.12.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

String.toLowerCase() and String.toUpperCase() are locale-dependent: under some default locales (Turkish, for example, where "I" lowercases to a dotless "ı") the result differs from the ASCII case folding the comparison expects, so authorization rules may not match as intended.

Publish Date: 2024-06-20

URL: CVE-2024-38827

### Threat Assessment

Exploit Maturity: Not Defined

EPSS:

### CVSS 3 Score Details (4.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38827

Release Date: 2024-06-20

Fix Resolution: 5.7.14

In order to enable automatic remediation, please create workflow rules
