search

hapifhir / hapi-fhir

🔥 HAPI FHIR - Java API for HL7 FHIR Clients and Servers
http://hapifhir.io
Apache License 2.0
2.03k stars 1.33k forks source link

CVE-2023-34053 (High) detected in spring-web-6.0.12.jar - autoclosed #5531

Closed mend-bolt-for-github[bot] closed 10 months ago

mend-bolt-for-github[bot] commented 11 months ago

CVE-2023-34053 - High Severity Vulnerability

Vulnerable Library - spring-web-6.0.12.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /hapi-fhir-jpaserver-hfql/pom.xml

Path to vulnerable library: /hapi-fhir-jpaserver-hfql/pom.xml,/hapi-fhir-storage-test-utilities/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-server-jersey/pom.xml,/hapi-fhir-jpaserver-base/pom.xml,/hapi-fhir-cli/hapi-fhir-cli-app/pom.xml,/hapi-fhir-jpaserver-ips/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-okhttp/pom.xml,/hapi-fhir-jpaserver-subscription/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-samples/hapi-fhir-spring-boot-sample-client-apache/pom.xml,/hapi-fhir-test-utilities/pom.xml,/hapi-fhir-cli/hapi-fhir-cli-api/pom.xml,/hapi-fhir-jpaserver-mdm/pom.xml,/hapi-fhir-server-cds-hooks/pom.xml,/hapi-fhir-spring-boot/hapi-fhir-spring-boot-autoconfigure/pom.xml,/hapi-fhir-jpaserver-uhnfhirtest/pom.xml,/hapi-fhir-jpaserver-test-utilities/pom.xml,/hapi-fhir-jpaserver-elastic-test-utilities/pom.xml,/hapi-fhir-server/pom.xml,/hapi-fhir-docs/pom.xml,/hapi-fhir-storage-mdm/pom.xml,/hapi-fhir-storage-batch2-test-utilities/pom.xml

Dependency Hierarchy: - :x: **spring-web-6.0.12.jar** (Vulnerable Library)

Found in HEAD commit: b59f2d05a7d0fd10c7b03bb6f0ebf97757172a71

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * io.micrometer:micrometer-core is on the classpath * an ObservationRegistry is configured in the application to record observations Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.

Publish Date: 2023-11-28

URL: CVE-2023-34053

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34053

Release Date: 2023-11-28

Fix Resolution: 6.0.13

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] commented 10 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.