*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2016-6814
### Vulnerable Library - groovy-2.4.7.jarGroovy: A powerful, dynamic language for the JVM
Library home page: http://groovy-lang.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar
Dependency Hierarchy: - spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library) - thymeleaf-layout-dialect-1.4.0.jar - :x: **groovy-2.4.7.jar** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Rce (Application) -> org.springframework.beans.factory.config.YamlProcessor$StrictMapAppenderConstructor (Extension) -> org.springframework.beans.factory.config.YamlProcessor (Extension) -> ch.qos.logback.classic.util.ContextInitializer (Extension) ... -> ch.qos.logback.classic.gaffer.GafferConfigurator (Extension) -> groovy.lang.MetaClassImpl (Extension) -> ❌ org.codehaus.groovy.runtime.MethodClosure (Vulnerable Component) ``` ### Vulnerability DetailsWhen an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Publish Date: 2018-01-18
URL: CVE-2016-6814
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 3.7%
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
Release Date: 2018-01-15
Fix Resolution (org.codehaus.groovy:groovy): 2.4.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.0.0.RELEASE
In order to enable automatic remediation, please create workflow rules
CVE-2020-17521
### Vulnerable Library - groovy-2.4.7.jarGroovy: A powerful, dynamic language for the JVM
Library home page: http://groovy-lang.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar
Dependency Hierarchy: - spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library) - thymeleaf-layout-dialect-1.4.0.jar - :x: **groovy-2.4.7.jar** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Rce (Application) -> groovy.lang.GroovyShell (Extension) -> groovy.lang.GroovySystem (Extension) -> org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl (Extension) -> ❌ org.codehaus.groovy.runtime.DefaultGroovyStaticMethods (Vulnerable Component) ``` ### Vulnerability DetailsApache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Publish Date: 2020-12-07
URL: CVE-2020-17521
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (5.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://issues.apache.org/jira/browse/GROOVY-9824
Release Date: 2020-12-07
Fix Resolution (org.codehaus.groovy:groovy): 2.4.21
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.0.0.RELEASE
In order to enable automatic remediation, please create workflow rules
CVE-2016-3093
### Vulnerable Library - ognl-3.0.8.jarOGNL - Object Graph Navigation Library
Library home page: http://ognl.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ognl/ognl/3.0.8/ognl-3.0.8.jar
Dependency Hierarchy: - spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library) - thymeleaf-spring4-2.1.5.RELEASE.jar - thymeleaf-2.1.5.RELEASE.jar - :x: **ognl-3.0.8.jar** (Vulnerable Library)
Found in base branch: master
### Reachability Analysis This vulnerability is potentially reachable ``` org.joychou.controller.Rce (Application) -> groovy.lang.GroovyShell (Extension) -> groovy.lang.Script (Extension) -> org.thymeleaf.standard.expression.LinkExpression (Extension) ... -> org.thymeleaf.context.VariablesMap (Extension) -> org.thymeleaf.context.OGNLVariablesMapPropertyAccessor (Extension) -> ❌ ognl.OgnlRuntime (Vulnerable Component) ``` ### Vulnerability DetailsApache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
Publish Date: 2016-06-07
URL: CVE-2016-3093
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 2.7%
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-3093
Release Date: 2016-06-07
Fix Resolution (ognl:ognl): 3.0.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.0.0.RELEASE
In order to enable automatic remediation, please create workflow rules
CVE-2023-38286
### Vulnerable Library - thymeleaf-2.1.5.RELEASE.jarXML/XHTML/HTML5 template engine for Java
Library home page: http://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/2.1.5.RELEASE/thymeleaf-2.1.5.RELEASE.jar
Dependency Hierarchy: - spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library) - thymeleaf-spring4-2.1.5.RELEASE.jar - :x: **thymeleaf-2.1.5.RELEASE.jar** (Vulnerable Library)
Found in base branch: master
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsThymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Publish Date: 2023-07-14
URL: CVE-2023-38286
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-7gj7-224w-vpr3
Release Date: 2023-07-14
Fix Resolution: de.codecentric:spring-boot-admin-server:3.1.2;rg.thymeleaf:thymeleaf:3.1.2.RELEASE
In order to enable automatic remediation for this issue, please create workflow rules