search

pferron / maven-pom

0 stars 0 forks source link

spring-boot-starter-web-2.6.14.jar: 29 vulnerabilities (highest severity is: 9.8) #6

Open mend-for-github-com[bot] opened 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - spring-boot-starter-web-2.6.14.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.24/spring-expression-5.3.24.jar

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible**
CVE-2024-52316 Critical 9.8 tomcat-embed-core-9.0.69.jar Transitive 3.0.0
CVE-2024-38286 High 8.6 tomcat-embed-core-9.0.69.jar Transitive 3.0.0
CVE-2022-1471 High 8.3 snakeyaml-1.29.jar Transitive 3.2.0
CVE-2024-38819 High 7.5 spring-webmvc-5.3.24.jar Transitive 3.2.11
CVE-2024-38816 High 7.5 spring-webmvc-5.3.24.jar Transitive 3.2.10
CVE-2024-34750 High 7.5 tomcat-embed-core-9.0.69.jar Transitive 3.0.0
CVE-2024-24549 High 7.5 tomcat-embed-core-9.0.69.jar Transitive 3.0.0
CVE-2023-46589 High 7.5 tomcat-embed-core-9.0.69.jar Transitive 2.7.18
CVE-2023-44487 High 7.5 tomcat-embed-core-9.0.69.jar Transitive N/A*
CVE-2023-24998 High 7.5 tomcat-embed-core-9.0.69.jar Transitive 2.6.15
CVE-2023-20883 High 7.5 spring-boot-autoconfigure-2.6.14.jar Transitive 2.6.15
CVE-2023-20860 High 7.5 spring-webmvc-5.3.24.jar Transitive 2.6.15
CVE-2022-25857 High 7.5 snakeyaml-1.29.jar Transitive 3.0.0
CVE-2023-6378 High 7.1 logback-classic-1.2.11.jar Transitive 3.2.1
CVE-2024-52317 Medium 6.5 tomcat-embed-core-9.0.69.jar Transitive 3.0.0
CVE-2023-20863 Medium 6.5 spring-expression-5.3.24.jar Transitive 2.6.15
CVE-2023-20861 Medium 6.5 spring-expression-5.3.24.jar Transitive 2.6.15
CVE-2022-38752 Medium 6.5 snakeyaml-1.29.jar Transitive 3.0.0
CVE-2022-38751 Medium 6.5 snakeyaml-1.29.jar Transitive 3.0.0
CVE-2022-38750 Medium 6.5 snakeyaml-1.29.jar Transitive 3.0.0
CVE-2022-38749 Medium 6.5 snakeyaml-1.29.jar Transitive 3.0.0
CVE-2024-23672 Medium 6.3 tomcat-embed-websocket-9.0.69.jar Transitive 3.0.0
CVE-2023-41080 Medium 6.1 tomcat-embed-core-9.0.69.jar Transitive 2.7.16
CVE-2022-41854 Medium 5.8 snakeyaml-1.29.jar Transitive 3.0.0
CVE-2023-45648 Medium 5.3 tomcat-embed-core-9.0.69.jar Transitive 2.7.17
CVE-2023-42795 Medium 5.3 tomcat-embed-core-9.0.69.jar Transitive 2.7.17
CVE-2024-38808 Medium 4.3 spring-expression-5.3.24.jar Transitive 3.0.0
CVE-2023-28708 Medium 4.3 tomcat-embed-core-9.0.69.jar Transitive 2.6.15
CVE-2024-38820 Low 3.1 spring-context-5.3.24.jar Transitive 3.2.11

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-52316 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Publish Date: 2024-11-18

URL: CVE-2024-52316

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-11-18

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-38286 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat, leading to Denial of Service (DoS).

Publish Date: 2024-11-07

URL: CVE-2024-38286

### CVSS 3 Score Details (8.6)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q3/264

Release Date: 2024-11-07

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.90

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-1471 ### Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **snakeyaml-1.29.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### CVSS 3 Score Details (8.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-38819 ### Vulnerable Library - spring-webmvc-5.3.24.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.24/spring-webmvc-5.3.24.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - :x: **spring-webmvc-5.3.24.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. This is similar to CVE-2024-38816, but with different input.

Publish Date: 2024-06-20

URL: CVE-2024-38819

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38819

Release Date: 2024-06-20

Fix Resolution (org.springframework:spring-webmvc): 6.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.11

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-38816 ### Vulnerable Library - spring-webmvc-5.3.24.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.24/spring-webmvc-5.3.24.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - :x: **spring-webmvc-5.3.24.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use * the application runs on Tomcat or Jetty

Publish Date: 2024-09-13

URL: CVE-2024-38816

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38816

Release Date: 2024-09-13

Fix Resolution (org.springframework:spring-webmvc): 6.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.10

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-34750 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Publish Date: 2024-07-03

URL: CVE-2024-34750

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

Release Date: 2024-07-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.90

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-24549 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Publish Date: 2024-03-13

URL: CVE-2024-24549

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg

Release Date: 2024-03-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.86

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-46589 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Publish Date: 2023-11-28

URL: CVE-2023-46589

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2023-11-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.83

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-44487 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0, kubernetes/apiserver- v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

CVE-2023-24998 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.71

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.15

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-20883 ### Vulnerable Library - spring-boot-autoconfigure-2.6.14.jar

Spring Boot AutoConfigure

Library home page: https://spring.io

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.6.14/spring-boot-autoconfigure-2.6.14.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **spring-boot-autoconfigure-2.6.14.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.6.15

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.15

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-20860 ### Vulnerable Library - spring-webmvc-5.3.24.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.24/spring-webmvc-5.3.24.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - :x: **spring-webmvc-5.3.24.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.15

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-25857 ### Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **snakeyaml-1.29.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-6378 ### Vulnerable Library - logback-classic-1.2.11.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.11/logback-classic-1.2.11.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - spring-boot-starter-logging-2.6.14.jar - :x: **logback-classic-1.2.11.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

### CVSS 3 Score Details (7.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution (ch.qos.logback:logback-classic): 1.2.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-52317 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

Publish Date: 2024-11-18

URL: CVE-2024-52317

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-11-18

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-20863 ### Vulnerable Library - spring-expression-5.3.24.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.24/spring-expression-5.3.24.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-webmvc-5.3.24.jar - :x: **spring-expression-5.3.24.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.3.27

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.15

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-20861 ### Vulnerable Library - spring-expression-5.3.24.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.24/spring-expression-5.3.24.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-webmvc-5.3.24.jar - :x: **spring-expression-5.3.24.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.15

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38752 ### Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **snakeyaml-1.29.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38751 ### Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **snakeyaml-1.29.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38750 ### Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **snakeyaml-1.29.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-38749 ### Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.29/snakeyaml-1.29.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-2.6.14.jar - :x: **snakeyaml-1.29.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-23672 ### Vulnerable Library - tomcat-embed-websocket-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/9.0.69/tomcat-embed-websocket-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-websocket-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Publish Date: 2024-03-13

URL: CVE-2024-23672

### CVSS 3 Score Details (6.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2024-03-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 9.0.86

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-41080 ### Vulnerable Library - tomcat-embed-core-9.0.69.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.69/tomcat-embed-core-9.0.69.jar

Dependency Hierarchy: - spring-boot-starter-web-2.6.14.jar (Root Library) - spring-boot-starter-tomcat-2.6.14.jar - :x: **tomcat-embed-core-9.0.69.jar** (Vulnerable Library)

Found in HEAD commit: 3efaef4ed0943679ff668886e2a072100ec94832

Found in base branch: main

### Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.

Publish Date: 2023-08-25

URL: CVE-2023-41080

### CVSS 3 Score Details (6.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

Release Date: 2023-08-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.80

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.16

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.