Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.grails/grails-databinding/3.3.0/29d2edc86dda4126afe6d1802c44f6d5d38136f5/grails-databinding-3.3.0.jar
In grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-46131
### Vulnerable Library - grails-databinding-3.3.0.jar
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.grails/grails-databinding/3.3.0/29d2edc86dda4126afe6d1802c44f6d5d38136f5/grails-databinding-3.3.0.jar
Grails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-11040
### Vulnerable Library - spring-webmvc-4.3.9.RELEASE.jar
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-1271
### Vulnerable Library - spring-webmvc-4.3.9.RELEASE.jar
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-22096
### Vulnerable Library - spring-webmvc-4.3.9.RELEASE.jar
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-35912
### Vulnerable Library - grails-databinding-3.3.0.jarGrails Web Application Framework
Library home page: http://grails.org/
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.grails/grails-databinding/3.3.0/29d2edc86dda4126afe6d1802c44f6d5d38136f5/grails-databinding-3.3.0.jar
Dependency Hierarchy: - grails-web-boot-3.3.0.jar (Root Library) - grails-web-common-3.3.0.jar - :x: **grails-databinding-3.3.0.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability DetailsIn grails-databinding in Grails before 3.3.15, 4.x before 4.1.1, 5.x before 5.1.9, and 5.2.x before 5.2.1 (at least when certain Java 8 configurations are used), data binding allows a remote attacker to execute code by gaining access to the class loader.
Publish Date: 2022-07-19
URL: CVE-2022-35912
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/grails/grails-core/security/advisories/GHSA-6rh6-x8ww-9h97
Release Date: 2022-07-19
Fix Resolution (org.grails:grails-databinding): 3.3.15
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-46131
### Vulnerable Library - grails-databinding-3.3.0.jarGrails Web Application Framework
Library home page: http://grails.org/
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.grails/grails-databinding/3.3.0/29d2edc86dda4126afe6d1802c44f6d5d38136f5/grails-databinding-3.3.0.jar
Dependency Hierarchy: - grails-web-boot-3.3.0.jar (Root Library) - grails-web-common-3.3.0.jar - :x: **grails-databinding-3.3.0.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability DetailsGrails is a framework used to build web applications with the Groovy programming language. A specially crafted web request can lead to a JVM crash or denial of service. Any Grails framework application using Grails data binding is vulnerable. This issue has been patched in version 3.3.17, 4.1.3, 5.3.4, 6.1.0.
Publish Date: 2023-12-21
URL: CVE-2023-46131
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/grails/grails-core/security/advisories/GHSA-3pjv-r7w4-2cf5
Release Date: 2023-12-20
Fix Resolution: org.grails:grails-databinding:3.3.17,4.1.3,5.3.4,6.1.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-11040
### Vulnerable Library - spring-webmvc-4.3.9.RELEASE.jarSpring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
Dependency Hierarchy: - grails-web-boot-3.3.0.jar (Root Library) - grails-web-common-3.3.0.jar - :x: **spring-webmvc-4.3.9.RELEASE.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability DetailsSpring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Publish Date: 2018-06-25
URL: CVE-2018-11040
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040
Release Date: 2018-06-14
Fix Resolution (org.springframework:spring-webmvc): 4.3.18.RELEASE
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-1271
### Vulnerable Library - spring-webmvc-4.3.9.RELEASE.jarSpring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
Dependency Hierarchy: - grails-web-boot-3.3.0.jar (Root Library) - grails-web-common-3.3.0.jar - :x: **spring-webmvc-4.3.9.RELEASE.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability DetailsSpring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
Publish Date: 2018-04-06
URL: CVE-2018-1271
### CVSS 3 Score Details (5.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271
Release Date: 2018-04-05
Fix Resolution (org.springframework:spring-webmvc): 4.3.15.RELEASE
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-22096
### Vulnerable Library - spring-webmvc-4.3.9.RELEASE.jarSpring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /BlockDockServer/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/4.3.9.RELEASE/ca80b4a00abc388d8046bf372099f35564371c47/spring-webmvc-4.3.9.RELEASE.jar
Dependency Hierarchy: - grails-web-boot-3.3.0.jar (Root Library) - grails-web-common-3.3.0.jar - :x: **spring-webmvc-4.3.9.RELEASE.jar** (Vulnerable Library)
Found in base branch: develop
### Vulnerability DetailsIn Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-webmvc): 5.2.18.RELEASE
Direct dependency fix Resolution (org.grails:grails-web-boot): 3.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)