SharonKoch / skf-labs

Repo for all the OWASP-SKF Docker lab examples
Apache License 2.0
0 stars 1 forks source link

spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar: 24 vulnerabilities (highest severity is: 9.8) #34

Open mend-for-github-com[bot] opened 10 months ago

mend-for-github-com[bot] commented 10 months ago
Vulnerable Library - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar

Path to dependency file: /java/ssti/pom.xml

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-thymeleaf version) Remediation Possible**
CVE-2022-22965 Critical 9.8 spring-beans-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2022-1471 High 8.3 snakeyaml-1.25.jar Transitive 3.2.0
CVE-2022-27772 High 7.8 spring-boot-2.2.0.RELEASE.jar Transitive 2.2.11.RELEASE
CVE-2023-38286 High 7.5 thymeleaf-3.0.11.RELEASE.jar Transitive N/A*
CVE-2023-20883 High 7.5 spring-boot-autoconfigure-2.2.0.RELEASE.jar Transitive 2.5.15
CVE-2022-25857 High 7.5 snakeyaml-1.25.jar Transitive 3.0.0
CVE-2017-18640 High 7.5 snakeyaml-1.25.jar Transitive 2.3.0.RELEASE
CVE-2023-6481 High 7.1 logback-core-1.2.3.jar Transitive N/A*
CVE-2023-6378 High 7.1 logback-classic-1.2.3.jar Transitive 3.0.0
CVE-2021-42550 Medium 6.6 detected in multiple dependencies Transitive 2.5.8
CVE-2023-20863 Medium 6.5 spring-expression-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2023-20861 Medium 6.5 spring-expression-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2022-38752 Medium 6.5 snakeyaml-1.25.jar Transitive 3.0.0
CVE-2022-38751 Medium 6.5 snakeyaml-1.25.jar Transitive 3.0.0
CVE-2022-38750 Medium 6.5 snakeyaml-1.25.jar Transitive 3.0.0
CVE-2022-38749 Medium 6.5 snakeyaml-1.25.jar Transitive 3.0.0
CVE-2022-22950 Medium 6.5 spring-expression-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2022-41854 Medium 5.8 snakeyaml-1.25.jar Transitive 3.0.0
CVE-2022-22970 Medium 5.3 detected in multiple dependencies Transitive 2.4.0
CVE-2022-22968 Medium 5.3 spring-context-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2024-38808 Medium 4.3 spring-expression-5.2.0.RELEASE.jar Transitive 3.0.0
CVE-2021-22096 Medium 4.3 spring-core-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2021-22060 Medium 4.3 spring-core-5.2.0.RELEASE.jar Transitive 2.4.0
CVE-2024-38820 Low 3.1 spring-context-5.2.0.RELEASE.jar Transitive 3.2.11

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22965 ### Vulnerable Library - spring-beans-5.2.0.RELEASE.jar

Spring Beans

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - spring-context-5.2.0.RELEASE.jar - spring-aop-5.2.0.RELEASE.jar - :x: **spring-beans-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-1471 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### CVSS 3 Score Details (8.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-27772 ### Vulnerable Library - spring-boot-2.2.0.RELEASE.jar

Spring Boot

Library home page: https://spring.io

Path to dependency file: /java/des-yaml/pom.xml

Path to vulnerable library: /java/des-yaml/pom.xml,/java/ssti/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **spring-boot-2.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer

Publish Date: 2022-03-30

URL: CVE-2022-27772

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/JLLeitschuh/security-research/security/advisories/GHSA-cm59-pr5q-cw85

Release Date: 2022-03-30

Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.2.11.RELEASE

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-38286 ### Vulnerable Library - thymeleaf-3.0.11.RELEASE.jar

Modern server-side Java template engine for both web and standalone environments

Library home page: http://www.thymeleaf.org

Path to dependency file: /java/des-yaml/pom.xml

Path to vulnerable library: /java/des-yaml/pom.xml,/java/ssti/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - thymeleaf-spring5-3.0.11.RELEASE.jar - :x: **thymeleaf-3.0.11.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

Publish Date: 2023-07-14

URL: CVE-2023-38286

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-7gj7-224w-vpr3

Release Date: 2023-07-14

Fix Resolution: de.codecentric:spring-boot-admin-server:3.1.2;rg.thymeleaf:thymeleaf:3.1.2.RELEASE

CVE-2023-20883 ### Vulnerable Library - spring-boot-autoconfigure-2.2.0.RELEASE.jar

Spring Boot AutoConfigure

Library home page: https://spring.io

Path to dependency file: /java/des-yaml/pom.xml

Path to vulnerable library: /java/des-yaml/pom.xml,/java/ssti/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **spring-boot-autoconfigure-2.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.5.15

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.5.15

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-25857 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2017-18640 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.3.0.RELEASE

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-6481 ### Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-starter-logging-2.2.0.RELEASE.jar - logback-classic-1.2.3.jar - :x: **logback-core-1.2.3.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

A serialization vulnerability in logback receiver component part of logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14

CVE-2023-6378 ### Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-starter-logging-2.2.0.RELEASE.jar - :x: **logback-classic-1.2.3.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution (ch.qos.logback:logback-classic): 1.2.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-42550 ### Vulnerable Libraries - logback-classic-1.2.3.jar, logback-core-1.2.3.jar

### logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-starter-logging-2.2.0.RELEASE.jar - :x: **logback-classic-1.2.3.jar** (Vulnerable Library) ### logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-starter-logging-2.2.0.RELEASE.jar - logback-classic-1.2.3.jar - :x: **logback-core-1.2.3.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

### CVSS 3 Score Details (6.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.5.8

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.5.8

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-20863 ### Vulnerable Library - spring-expression-5.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - spring-context-5.2.0.RELEASE.jar - :x: **spring-expression-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.2.24.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

CVE-2023-20861 ### Vulnerable Library - spring-expression-5.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - spring-context-5.2.0.RELEASE.jar - :x: **spring-expression-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.2.23.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

CVE-2022-38752 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38751 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38750 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38749 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-22950 ### Vulnerable Library - spring-expression-5.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - spring-context-5.2.0.RELEASE.jar - :x: **spring-expression-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

CVE-2022-41854 ### Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - :x: **snakeyaml-1.25.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

### CVSS 3 Score Details (5.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-22970 ### Vulnerable Libraries - spring-beans-5.2.0.RELEASE.jar, spring-core-5.2.0.RELEASE.jar

### spring-beans-5.2.0.RELEASE.jar

Spring Beans

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - spring-context-5.2.0.RELEASE.jar - spring-aop-5.2.0.RELEASE.jar - :x: **spring-beans-5.2.0.RELEASE.jar** (Vulnerable Library) ### spring-core-5.2.0.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - :x: **spring-core-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-22968 ### Vulnerable Library - spring-context-5.2.0.RELEASE.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/des-yaml/pom.xml

Path to vulnerable library: /java/des-yaml/pom.xml,/java/ssti/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - :x: **spring-context-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.2.21.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-38808 ### Vulnerable Library - spring-expression-5.2.0.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - spring-context-5.2.0.RELEASE.jar - :x: **spring-expression-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.

Publish Date: 2024-08-20

URL: CVE-2024-38808

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38808

Release Date: 2024-08-20

Fix Resolution (org.springframework:spring-expression): 5.3.39

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.0

CVE-2021-22096 ### Vulnerable Library - spring-core-5.2.0.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - :x: **spring-core-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2021-22060 ### Vulnerable Library - spring-core-5.2.0.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/ssti/pom.xml

Path to vulnerable library: /java/ssti/pom.xml,/java/des-yaml/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - :x: **spring-core-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-07

URL: CVE-2021-22060

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-07

Fix Resolution (org.springframework:spring-core): 5.2.19.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.4.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-38820 ### Vulnerable Library - spring-context-5.2.0.RELEASE.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /java/des-yaml/pom.xml

Path to vulnerable library: /java/des-yaml/pom.xml,/java/ssti/pom.xml

Dependency Hierarchy: - spring-boot-starter-thymeleaf-2.2.0.RELEASE.jar (Root Library) - spring-boot-starter-2.2.0.RELEASE.jar - spring-boot-2.2.0.RELEASE.jar - :x: **spring-context-5.2.0.RELEASE.jar** (Vulnerable Library)

Found in HEAD commit: dbff3320673205dea2e0a4c513d54497ca905aab

Found in base branch: master

### Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: 2024-10-18

URL: CVE-2024-38820

### CVSS 3 Score Details (3.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38820

Release Date: 2024-10-18

Fix Resolution (org.springframework:spring-context): 6.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.2.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 6 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 3 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.