snowdensb / sonar-xanitizer

Integrates Xanitizer results into SonarQube
Apache License 2.0

spring-web-3.2.4.RELEASE.jar: 12 vulnerabilities (highest severity is: 9.6) - autoclosed #174

Closed mend-for-github-com[bot] closed 2 months ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-web version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2015-5211 | Critical | 9.6 | spring-web-3.2.4.RELEASE.jar | Direct | 3.2.15.RELEASE | | |
| CVE-2024-22262 | High | 8.1 | spring-web-3.2.4.RELEASE.jar | Direct | 5.3.34 | | |
| CVE-2024-22259 | High | 8.1 | spring-web-3.2.4.RELEASE.jar | Direct | 5.3.33 | | |
| CVE-2024-22243 | High | 8.1 | spring-web-3.2.4.RELEASE.jar | Direct | 5.3.32 | | |
| CVE-2018-1272 | High | 7.5 | spring-web-3.2.4.RELEASE.jar | Direct | 4.2.0.RELEASE | | |
| CVE-2024-38809 | Medium | 6.5 | spring-web-3.2.4.RELEASE.jar | Direct | org.springframework:spring-web:5.3.38,6.0.23,6.1.12 | | |
| CVE-2020-5421 | Medium | 6.5 | spring-web-3.2.4.RELEASE.jar | Direct | 4.3.29.RELEASE | | |
| CVE-2014-0225 | Medium | 5.6 | spring-web-3.2.4.RELEASE.jar | Direct | 3.2.9.RELEASE | | |
| CVE-2015-3192 | Medium | 5.5 | spring-web-3.2.4.RELEASE.jar | Direct | 3.2.14.RELEASE | | |
| CVE-2014-0054 | Medium | 5.3 | spring-web-3.2.4.RELEASE.jar | Direct | 3.2.9.RELEASE | | |
| CVE-2013-6429 | Medium | 5.3 | spring-web-3.2.4.RELEASE.jar | Direct | 3.2.5.RELEASE | | |
| CVE-2021-22096 | Medium | 4.3 | spring-web-3.2.4.RELEASE.jar | Direct | 5.2.18.RELEASE | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2015-5211

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Publish Date: 2017-05-25

URL: CVE-2015-5211

### CVSS 3 Score Details (9.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211

Release Date: 2017-05-25

Fix Resolution: 3.2.15.RELEASE

CVE-2024-22262

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution: 5.3.34

CVE-2024-22259

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution: 5.3.33

CVE-2024-22243

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.

Publish Date: 2024-02-23

URL: CVE-2024-22243

### CVSS 3 Score Details (8.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution: 5.3.32

CVE-2018-1272

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: 2018-04-05

Fix Resolution: 4.2.0.RELEASE

CVE-2024-38809

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Spring Framework is vulnerable to DoS via conditional HTTP request. Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to a Denial of Service attack. All versions before 5.3.38, 6.0.23 and 6.1.12 are affected.

Publish Date: 2024-06-20

URL: CVE-2024-38809

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38809

Release Date: 2024-06-20

Fix Resolution: org.springframework:spring-web:5.3.38,6.0.23,6.1.12

CVE-2020-5421

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: 2020-09-19

URL: CVE-2020-5421

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: 2020-09-19

Fix Resolution: 4.3.29.RELEASE

CVE-2014-0225

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Publish Date: 2017-05-25

URL: CVE-2014-0225

### CVSS 3 Score Details (5.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225

Release Date: 2017-05-25

Fix Resolution: 3.2.9.RELEASE

CVE-2015-3192

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Publish Date: 2016-07-12

URL: CVE-2015-3192

### CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192

Release Date: 2016-07-12

Fix Resolution: 3.2.14.RELEASE

CVE-2014-0054

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Publish Date: 2014-04-17

URL: CVE-2014-0054

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0054

Release Date: 2014-04-17

Fix Resolution: 3.2.9.RELEASE

CVE-2013-6429

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Publish Date: 2014-01-26

URL: CVE-2013-6429

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6429

Release Date: 2014-01-26

Fix Resolution: 3.2.5.RELEASE

CVE-2021-22096

### Vulnerable Library - spring-web-3.2.4.RELEASE.jar

Spring Web

Library home page: https://github.com/SpringSource/spring-framework

Path to vulnerable library: /src/test/resources/webgoat/WEB-INF/lib/spring-web-3.2.4.RELEASE.jar

Dependency Hierarchy:
- :x: **spring-web-3.2.4.RELEASE.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

### CVSS 3 Score Details (4.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: 5.2.18.RELEASE

mend-for-github-com[bot] commented 2 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.