Open mend-bolt-for-github[bot] opened 9 months ago
CVE-2023-34149 - Medium Severity Vulnerability
Vulnerable Library - struts2-core-2.3.20.jar
Apache Struts 2
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.apache.struts/struts2-core/jars/struts2-core-2.3.20.jar
Dependency Hierarchy:
- small-app_2.10-1.0-SNAPSHOT (Root Library)
  - :x: **struts2-core-2.3.20.jar** (Vulnerable Library)
Found in HEAD commit: 9505f4ca92405cc9273dc3726c2d274ce28a4407
Found in base branch: ALL_HANDS/major-secrets
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2. Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Publish Date: 2023-06-14
URL: CVE-2023-34149
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-8f6x-v685-g2xc
Release Date: 2023-06-14
Fix Resolution: org.apache.struts:struts2-core:2.5.31,6.1.2.1