Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.7.1/spring-boot-autoconfigure-2.7.1.jar
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
* the application uses Spring MVC or Spring WebFlux
* org.springframework.boot:spring-boot-actuator is on the classpath
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
* The application evaluates user-supplied SpEL expressions.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.7.1/spring-boot-2.7.1.jar
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-20883
### Vulnerable Library - spring-boot-autoconfigure-2.7.1.jarSpring Boot AutoConfigure
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.7.1/spring-boot-autoconfigure-2.7.1.jar
Dependency Hierarchy: - spring-boot-starter-validation-2.7.1.jar (Root Library) - spring-boot-starter-2.7.1.jar - :x: **spring-boot-autoconfigure-2.7.1.jar** (Vulnerable Library)
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.container.WebSecurityConfig (Application) -> org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration$1 (Extension) -> org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$OptionalPathExtensionContentNegotiationStrategy (Extension) -> org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration (Extension) -> ❌ org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration (Vulnerable Component) ``` ### Vulnerability DetailsIn Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Publish Date: 2023-05-26
URL: CVE-2023-20883
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (8.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-20883
Release Date: 2023-05-26
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.7.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.7.12
In order to enable automatic remediation, please create workflow rules
CVE-2023-6378
### Vulnerable Library - logback-classic-1.2.11.jarlogback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.11/logback-classic-1.2.11.jar
Dependency Hierarchy: - spring-boot-starter-validation-2.7.1.jar (Root Library) - spring-boot-starter-2.7.1.jar - spring-boot-starter-logging-2.7.1.jar - :x: **logback-classic-1.2.11.jar** (Vulnerable Library)
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.lessons.logging.LogBleedingTask (Application) -> org.slf4j.LoggerFactory (Extension) -> org.slf4j.impl.StaticLoggerBinder (Extension) -> ch.qos.logback.classic.joran.JoranConfigurator (Extension) ... -> ch.qos.logback.classic.net.SocketAppender (Extension) -> ch.qos.logback.classic.net.LoggingEventPreSerializationTransformer (Extension) -> ❌ ch.qos.logback.classic.spi.LoggingEventVO (Vulnerable Component) ``` ### Vulnerability DetailsA serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
Publish Date: 2023-11-29
URL: CVE-2023-6378
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 4 Score Details (8.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://logback.qos.ch/news.html#1.3.12
Release Date: 2023-11-29
Fix Resolution (ch.qos.logback:logback-classic): 1.2.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 3.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2023-20863
### Vulnerable Library - spring-expression-5.3.21.jarSpring Expression Language (SpEL)
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.21/spring-expression-5.3.21.jar
Dependency Hierarchy: - spring-boot-starter-validation-2.7.1.jar (Root Library) - spring-boot-starter-2.7.1.jar - spring-boot-2.7.1.jar - spring-context-5.3.21.jar - :x: **spring-expression-5.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.container.WebSecurityConfig (Application) -> org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser$AuthenticationManagerDelegator (Extension) -> org.springframework.security.config.method.GlobalMethodSecurityBeanDefinitionParser (Extension) -> org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice (Extension) ... -> org.springframework.security.access.expression.method.AbstractExpressionBasedMethodConfigAttribute (Extension) -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension) -> ❌ org.springframework.expression.spel.standard.InternalSpelExpressionParser (Vulnerable Component) ``` ### Vulnerability DetailsIn spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-04-13
URL: CVE-2023-20863
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.3%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-20863
Release Date: 2023-04-13
Fix Resolution (org.springframework:spring-expression): 5.3.27
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.7.12
In order to enable automatic remediation, please create workflow rules
CVE-2023-20861
### Vulnerable Library - spring-expression-5.3.21.jarSpring Expression Language (SpEL)
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.21/spring-expression-5.3.21.jar
Dependency Hierarchy: - spring-boot-starter-validation-2.7.1.jar (Root Library) - spring-boot-starter-2.7.1.jar - spring-boot-2.7.1.jar - spring-context-5.3.21.jar - :x: **spring-expression-5.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Found in base branch: main
### Reachability Analysis This vulnerability is potentially reachable ``` org.owasp.webgoat.container.WebSecurityConfig (Application) -> org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter (Extension) -> org.springframework.security.config.annotation.web.builders.WebSecurity (Extension) -> org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler (Extension) ... -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension) -> org.springframework.expression.spel.standard.InternalSpelExpressionParser (Extension) -> ❌ org.springframework.expression.spel.ast.OperatorMatches (Vulnerable Component) ``` ### Vulnerability DetailsIn Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-03-23
URL: CVE-2023-20861
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.1%
### CVSS 4 Score Details (7.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-20861
Release Date: 2023-03-23
Fix Resolution (org.springframework:spring-expression): 5.3.26
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.7.10
In order to enable automatic remediation, please create workflow rules
CVE-2023-34055
### Vulnerable Library - spring-boot-2.7.1.jarSpring Boot
Library home page: https://spring.io/projects/spring-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.7.1/spring-boot-2.7.1.jar
Dependency Hierarchy: - spring-boot-starter-validation-2.7.1.jar (Root Library) - spring-boot-starter-2.7.1.jar - :x: **spring-boot-2.7.1.jar** (Vulnerable Library)
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Found in base branch: main
### Reachability AnalysisThe vulnerable code is unreachable
### Vulnerability DetailsIn Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: * the application uses Spring MVC or Spring WebFlux * org.springframework.boot:spring-boot-actuator is on the classpath
Publish Date: 2023-11-28
URL: CVE-2023-34055
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 4 Score Details (6.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2023-34055
Release Date: 2023-11-28
Fix Resolution (org.springframework.boot:spring-boot): 2.7.18
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.7.18
In order to enable automatic remediation, please create workflow rules
CVE-2024-38808
### Vulnerable Library - spring-expression-5.3.21.jarSpring Expression Language (SpEL)
Library home page: https://github.com/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.21/spring-expression-5.3.21.jar
Dependency Hierarchy: - spring-boot-starter-validation-2.7.1.jar (Root Library) - spring-boot-starter-2.7.1.jar - spring-boot-2.7.1.jar - spring-context-5.3.21.jar - :x: **spring-expression-5.3.21.jar** (Vulnerable Library)
Found in HEAD commit: 9b79a1aa78a8814e440d0b0615a4719082223c34
Found in base branch: main
### Vulnerability DetailsIn Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition. Specifically, an application is vulnerable when the following is true: * The application evaluates user-supplied SpEL expressions.
Publish Date: 2024-08-20
URL: CVE-2024-38808
### Threat AssessmentExploit Maturity: Not Defined
EPSS: 0.0%
### CVSS 4 Score Details (5.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS4 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-38808
Release Date: 2024-08-20
Fix Resolution (org.springframework:spring-expression): 5.3.39
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 3.0.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules