tabacmend-up / Webgoat


spring-boot-starter-data-jpa-2.7.1.jar: 3 vulnerabilities (highest severity is: 8.7) - autoclosed #56

Closed mend-for-github-com[bot] closed 7 months ago

mend-for-github-com[bot] commented 7 months ago
Vulnerable Library - spring-boot-starter-data-jpa-2.7.1.jar

Path to dependency file: /Users/oritabac/Documents/Demos/java-demo-up-webgoat/pom.xml

Path to vulnerable library: /Users/oritabac/.m2/repository/org/springframework/spring-webmvc/5.3.21/spring-webmvc-5.3.21.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-data-jpa version) | Remediation Possible** | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-20860 | High | 8.7 | spring-webmvc-5.3.21.jar | Transitive | 2.7.2 | | |
| CVE-2022-42004 | High | 8.7 | jackson-databind-2.13.3.jar | Transitive | 2.7.2 | | |
| CVE-2022-42003 | High | 8.7 | jackson-databind-2.13.3.jar | Transitive | 2.7.2 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

**CVE-2023-20860**

### Vulnerable Library - spring-webmvc-5.3.21.jar

Spring Web MVC

Path to dependency file: /Users/oritabac/Documents/Demos/java-demo-up-webgoat/pom.xml

Path to vulnerable library: /Users/oritabac/.m2/repository/org/springframework/spring-webmvc/5.3.21/spring-webmvc-5.3.21.jar

Dependency Hierarchy:
- spring-boot-starter-data-jpa-2.7.1.jar (Root Library)
  - spring-data-jpa-2.7.1.jar
    - spring-data-commons-2.7.1.jar
      - :x: **spring-webmvc-5.3.21.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-jpa): 2.7.2

In order to enable automatic remediation, please create workflow rules

**CVE-2022-42004**

### Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Users/oritabac/Documents/Demos/java-demo-up-webgoat/pom.xml

Path to vulnerable library: /Users/oritabac/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.jar

Dependency Hierarchy:
- spring-boot-starter-data-jpa-2.7.1.jar (Root Library)
  - spring-data-jpa-2.7.1.jar
    - spring-data-commons-2.7.1.jar
      - :x: **jackson-databind-2.13.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.13.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-jpa): 2.7.2

In order to enable automatic remediation, please create workflow rules

**CVE-2022-42003**

### Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Users/oritabac/Documents/Demos/java-demo-up-webgoat/pom.xml

Path to vulnerable library: /Users/oritabac/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.13.3/jackson-databind-2.13.3.jar

Dependency Hierarchy:
- spring-boot-starter-data-jpa-2.7.1.jar (Root Library)
  - spring-data-jpa-2.7.1.jar
    - spring-data-commons-2.7.1.jar
      - :x: **jackson-databind-2.13.3.jar** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

### CVSS 4 Score Details (8.7)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: N/A
- Impact Metrics:
  - Confidentiality Impact: N/A
  - Integrity Impact: N/A
  - Availability Impact: N/A


### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.13.4.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-jpa): 2.7.2

In order to enable automatic remediation, please create workflow rules

In order to enable automatic remediation for this issue, please create workflow rules

mend-for-github-com[bot] commented 7 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.