spring-boot-starter-web-3.0.2.jar: 24 vulnerabilities (highest severity is: 8.3) - autoclosed

Vulnerable Library - spring-boot-starter-web-3.0.2.jar

Path to dependency file: /apns/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.4/de18e3e75a0e56534d9df5978bd2f43f950e1b4a/spring-web-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.4/de18e3e75a0e56534d9df5978bd2f43f950e1b4a/spring-web-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.4/de18e3e75a0e56534d9df5978bd2f43f950e1b4a/spring-web-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.4/de18e3e75a0e56534d9df5978bd2f43f950e1b4a/spring-web-6.0.4.jar

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-boot-starter-web version)	Remediation Possible**
CVE-2022-1471	High	8.3	snakeyaml-1.33.jar	Transitive	3.2.0	❌
CVE-2024-22262	High	8.1	spring-web-6.0.4.jar	Transitive	3.1.11	❌
CVE-2024-22259	High	8.1	spring-web-6.0.4.jar	Transitive	3.1.10	❌
CVE-2024-22243	High	8.1	spring-web-6.0.4.jar	Transitive	3.1.9	❌
CVE-2024-38816	High	7.5	spring-webmvc-6.0.4.jar	Transitive	3.2.10	❌
CVE-2024-34750	High	7.5	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2024-24549	High	7.5	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2024-23672	High	7.5	tomcat-embed-websocket-10.1.5.jar	Transitive	3.0.7	❌
CVE-2023-46589	High	7.5	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2023-44487	High	7.5	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2023-28709	High	7.5	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2023-20883	High	7.5	spring-boot-autoconfigure-3.0.2.jar	Transitive	3.0.7	❌
CVE-2023-20860	High	7.5	spring-webmvc-6.0.4.jar	Transitive	3.0.5	❌
CVE-2023-6378	High	7.1	logback-classic-1.4.5.jar	Transitive	3.0.7	❌
CVE-2023-20863	Medium	6.5	spring-expression-6.0.4.jar	Transitive	3.0.7	❌
CVE-2023-20861	Medium	6.5	spring-expression-6.0.4.jar	Transitive	3.0.5	❌
CVE-2023-41080	Medium	6.1	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2024-38286	Medium	5.5	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2024-38809	Medium	5.3	spring-web-6.0.4.jar	Transitive	3.2.0	❌
CVE-2023-45648	Medium	5.3	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2023-42795	Medium	5.3	tomcat-embed-core-10.1.5.jar	Transitive	3.0.7	❌
CVE-2023-34055	Medium	5.3	spring-boot-3.0.2.jar	Transitive	3.0.13	❌
CVE-2023-34053	Medium	5.3	spring-web-6.0.4.jar	Transitive	3.0.13	❌
CVE-2023-28708	Medium	4.3	tomcat-embed-core-10.1.5.jar	Transitive	3.0.5	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-1471

### Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-3.0.2.jar - :x: **snakeyaml-1.33.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### CVSS 3 Score Details (8.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-22262

### Vulnerable Library - spring-web-6.0.4.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /firebase/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - :x: **spring-web-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

### CVSS 3 Score Details (8.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution (org.springframework:spring-web): 6.0.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.11

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-22259

### Vulnerable Library - spring-web-6.0.4.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /firebase/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - :x: **spring-web-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

### CVSS 3 Score Details (8.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution (org.springframework:spring-web): 6.0.18

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-22243

### Vulnerable Library - spring-web-6.0.4.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /firebase/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - :x: **spring-web-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Publish Date: 2024-02-23

URL: CVE-2024-22243

### CVSS 3 Score Details (8.1)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution (org.springframework:spring-web): 6.0.17

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.9

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-38816

### Vulnerable Library - spring-webmvc-6.0.4.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /common/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.4/84ee8a9107480c92186ef8216ba0e1dca6ee1665/spring-webmvc-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.4/84ee8a9107480c92186ef8216ba0e1dca6ee1665/spring-webmvc-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.4/84ee8a9107480c92186ef8216ba0e1dca6ee1665/spring-webmvc-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.4/84ee8a9107480c92186ef8216ba0e1dca6ee1665/spring-webmvc-6.0.4.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - :x: **spring-webmvc-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty

Publish Date: 2024-09-13

URL: CVE-2024-38816

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38816

Release Date: 2024-09-13

Fix Resolution (org.springframework:spring-webmvc): 6.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.10

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-34750

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Publish Date: 2024-07-03

URL: CVE-2024-34750

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

Release Date: 2024-07-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-24549

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Publish Date: 2024-03-13

URL: CVE-2024-24549

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg

Release Date: 2024-03-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-23672

### Vulnerable Library - tomcat-embed-websocket-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /common/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.5/14529cbd593571dc9029272ddc9166b5ef113fc2/tomcat-embed-websocket-10.1.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.5/14529cbd593571dc9029272ddc9166b5ef113fc2/tomcat-embed-websocket-10.1.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.5/14529cbd593571dc9029272ddc9166b5ef113fc2/tomcat-embed-websocket-10.1.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.5/14529cbd593571dc9029272ddc9166b5ef113fc2/tomcat-embed-websocket-10.1.5.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-websocket-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Publish Date: 2024-03-13

URL: CVE-2024-23672

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-03-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 10.1.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-46589

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Publish Date: 2023-11-28

URL: CVE-2023-46589

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2023-11-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.16

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-44487

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-28709

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Publish Date: 2023-05-22

URL: CVE-2023-28709

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Release Date: 2023-05-22

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.9

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-20883

### Vulnerable Library - spring-boot-autoconfigure-3.0.2.jar

Spring Boot AutoConfigure

Library home page: https://spring.io

Path to dependency file: /apns/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.0.2/42ad589ec930e05a2ed702a4940955ff97b16a8c/spring-boot-autoconfigure-3.0.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.0.2/42ad589ec930e05a2ed702a4940955ff97b16a8c/spring-boot-autoconfigure-3.0.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.0.2/42ad589ec930e05a2ed702a4940955ff97b16a8c/spring-boot-autoconfigure-3.0.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/3.0.2/42ad589ec930e05a2ed702a4940955ff97b16a8c/spring-boot-autoconfigure-3.0.2.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-3.0.2.jar - :x: **spring-boot-autoconfigure-3.0.2.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 3.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-20860

### Vulnerable Library - spring-webmvc-6.0.4.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /common/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - :x: **spring-webmvc-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 6.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-6378

### Vulnerable Library - logback-classic-1.4.5.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /apns/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-3.0.2.jar - spring-boot-starter-logging-3.0.2.jar - :x: **logback-classic-1.4.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution (ch.qos.logback:logback-classic): 1.4.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-20863

### Vulnerable Library - spring-expression-6.0.4.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /hermes/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/6.0.4/a908e6d3c46fcd6b58221d8427bbaf284bbbee0c/spring-expression-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/6.0.4/a908e6d3c46fcd6b58221d8427bbaf284bbbee0c/spring-expression-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/6.0.4/a908e6d3c46fcd6b58221d8427bbaf284bbbee0c/spring-expression-6.0.4.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/6.0.4/a908e6d3c46fcd6b58221d8427bbaf284bbbee0c/spring-expression-6.0.4.jar

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-webmvc-6.0.4.jar - :x: **spring-expression-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 6.0.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-20861

### Vulnerable Library - spring-expression-6.0.4.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-webmvc-6.0.4.jar - :x: **spring-expression-6.0.4.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 6.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.5

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2023-41080

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.

Publish Date: 2023-08-25

URL: CVE-2023-41080

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

Release Date: 2023-08-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2024-38286

### Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /hermes/build.gradle

Dependency Hierarchy: - spring-boot-starter-web-3.0.2.jar (Root Library) - spring-boot-starter-tomcat-3.0.2.jar - :x: **tomcat-embed-core-10.1.5.jar** (Vulnerable Library)

Found in HEAD commit: 905bdcd8e650410512f9df12f3f9788d3e4cd03a

Found in base branch: main

### Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat, leading to Denial of Service (DoS).

Publish Date: 2024-06-12

URL: CVE-2024-38286

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q3/264

Release Date: 2024-06-12

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.7

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

ls1intum / Hermes

spring-boot-starter-web-3.0.2.jar: 24 vulnerabilities (highest severity is: 8.3) - autoclosed #5

Vulnerabilities

Details