search

krhrtky / self-hr

0 stars 0 forks source link

spring-boot-starter-web-3.2.3.jar: 1 vulnerabilities (highest severity is: 7.5) #197

Open mend-bolt-for-github[bot] opened 6 months ago

mend-bolt-for-github[bot] commented 6 months ago
Vulnerable Library - spring-boot-starter-web-3.2.3.jar

Path to dependency file: /backend/api/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.19/3dbbca8acbd4dd6a137c3d6f934a2931512b42ce/tomcat-embed-core-10.1.19.jar

Found in HEAD commit: 3771efdc65d78993ec70e1be29dcc7d9b6e77e96

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible**
CVE-2024-34750 High 7.5 tomcat-embed-core-10.1.19.jar Transitive 3.2.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-34750 ### Vulnerable Library - tomcat-embed-core-10.1.19.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /backend/api/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.19/3dbbca8acbd4dd6a137c3d6f934a2931512b42ce/tomcat-embed-core-10.1.19.jar

Dependency Hierarchy: - spring-boot-starter-web-3.2.3.jar (Root Library) - spring-boot-starter-tomcat-3.2.3.jar - :x: **tomcat-embed-core-10.1.19.jar** (Vulnerable Library)

Found in HEAD commit: 3771efdc65d78993ec70e1be29dcc7d9b6e77e96

Found in base branch: master

### Vulnerability Details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Publish Date: 2024-07-03

URL: CVE-2024-34750

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

Release Date: 2024-07-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 4 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-bolt-for-github[bot] commented 2 months ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.