search

amaybaum-prod / spring-cloud-alibaba

Spring Cloud Alibaba provides a one-stop solution for application development for the distributed solutions of Alibaba middleware.
https://spring.io/projects/spring-cloud-alibaba
Apache License 2.0
0 stars 2 forks source link

spring-boot-starter-web-3.0.2.jar: 2 vulnerabilities (highest severity is: 7.5) reachable - autoclosed #12

Closed mend-for-github-com[bot] closed 9 months ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - spring-boot-starter-web-3.0.2.jar

Path to dependency file: /spring-cloud-alibaba-starters/spring-cloud-starter-alibaba-nacos-discovery/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible** Reachability
CVE-2023-28709 High 7.5 tomcat-embed-core-10.1.5.jar Transitive 3.0.7

CVE-2023-28708 Medium 4.3 tomcat-embed-core-10.1.5.jar Transitive 3.0.5

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-28709 ### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /spring-cloud-alibaba-examples/seata-example/account-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in base branch: 2022.x

### Reachability Analysis

This vulnerability is potentially used ``` com.alibaba.cloud.sentinel.SentinelWebAutoConfiguration (Application) -> org.apache.catalina.filters.RemoteIpFilter$XForwardedRequest (Extension) -> org.apache.catalina.filters.RemoteIpFilter (Extension) -> org.apache.catalina.util.LifecycleMBeanBase (Extension) ... -> org.apache.catalina.authenticator.AuthenticatorBase (Extension) -> org.apache.coyote.Request (Extension) -> ❌ org.apache.tomcat.util.http.Parameters (Vulnerable Component) ```

### Vulnerability Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Publish Date: 2023-05-22

URL: CVE-2023-28709

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Release Date: 2023-05-22

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.9

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-28708 ### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /spring-cloud-alibaba-examples/seata-example/account-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in base branch: 2022.x

### Reachability Analysis

The vulnerable code is not reachable.

### Vulnerability Details

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Publish Date: 2023-03-22

URL: CVE-2023-28708

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

Release Date: 2023-03-22

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.5

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 9 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.