Open mend-bolt-for-github[bot] opened 6 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - spring-boot-starter-web-3.2.3.jar
Path to dependency file: /backend/api/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.19/3dbbca8acbd4dd6a137c3d6f934a2931512b42ce/tomcat-embed-core-10.1.19.jar
Found in HEAD commit: 3771efdc65d78993ec70e1be29dcc7d9b6e77e96
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-34750
### Vulnerable Library - tomcat-embed-core-10.1.19.jar

Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /backend/api/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.19/3dbbca8acbd4dd6a137c3d6f934a2931512b42ce/tomcat-embed-core-10.1.19.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.2.3.jar (Root Library)
  - spring-boot-starter-tomcat-3.2.3.jar
    - :x: **tomcat-embed-core-10.1.19.jar** (Vulnerable Library)
Found in HEAD commit: 3771efdc65d78993ec70e1be29dcc7d9b6e77e96
Found in base branch: master
### Vulnerability Details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Publish Date: 2024-07-03
URL: CVE-2024-34750
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
Release Date: 2024-07-03
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.7