*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to
implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle.
Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC
specification.
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-1000613
### Vulnerable Library - bcprov-jdk15on-1.58.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-25638
### Vulnerable Library - dnsjava-3.5.3.jar
dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC
types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache
which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages,
partial DNSSEC verification, and EDNS0.
dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-38286
### Vulnerable Library - tomcat-embed-core-10.1.10.jar
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1471
### Vulnerable Library - snakeyaml-1.33.jar
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-25710
### Vulnerable Library - commons-compress-1.24.0.jar
Apache Commons Compress defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4,
Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-22262
### Vulnerable Library - spring-web-6.0.10.jar
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-22259
### Vulnerable Library - spring-web-6.0.10.jar
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-22243
### Vulnerable Library - spring-web-6.0.10.jar
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-38819
### Vulnerable Library - spring-webmvc-6.0.10.jar
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
This is similar to CVE-2024-38816, but with different input.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-38816
### Vulnerable Library - spring-webmvc-6.0.10.jar
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location
However, malicious requests are blocked and rejected when any of the following is true:
* the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use
* the application runs on Tomcat or Jetty
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-34750
### Vulnerable Library - tomcat-embed-core-10.1.10.jar
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-30172
### Vulnerable Libraries - bcprov-jdk18on-1.76.jar, bcprov-jdk15on-1.58.jar
### bcprov-jdk18on-1.76.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29857
### Vulnerable Libraries - bcprov-jdk15on-1.58.jar, bcprov-jdk18on-1.76.jar
### bcprov-jdk15on-1.58.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-24549
### Vulnerable Library - tomcat-embed-core-10.1.10.jar
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-23672
### Vulnerable Library - tomcat-embed-websocket-10.1.10.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/10.1.10/tomcat-embed-websocket-10.1.10.jar,/pom.xml
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-46589
### Vulnerable Library - tomcat-embed-core-10.1.10.jar
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-44487
### Vulnerable Libraries - netty-codec-http2-4.1.94.Final.jar, tomcat-embed-core-10.1.10.jar
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-17359
### Vulnerable Library - bcprov-jdk15on-1.58.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-1000180
### Vulnerable Library - bcprov-jdk15on-1.58.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar,/pom.xml
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-17570
### Vulnerable Library - xmlrpc-common-3.1.3.jarApache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlrpc/xmlrpc-common/3.1.3/xmlrpc-common-3.1.3.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - testlink-java-api-1.9.16-1.jar - :x: **xmlrpc-common-3.1.3.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsAn untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.
Publish Date: 2020-01-23
URL: CVE-2019-17570
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-17570
Release Date: 2020-01-23
Fix Resolution: org.apache.xmlrpc:xmlrpc-common - 3.1.3-redhat-2,3.0b1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-1000613
### Vulnerable Library - bcprov-jdk15on-1.58.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsLegion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Publish Date: 2018-07-09
URL: CVE-2018-1000613
### CVSS 3 Score Details (9.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613
Release Date: 2018-07-09
Fix Resolution: org.bouncycastle:bcprov-ext-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-jdk15on:1.60
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-25638
### Vulnerable Library - dnsjava-3.5.3.jardnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.
Library home page: https://github.com/dnsjava/dnsjava
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **dnsjava-3.5.3.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability Detailsdnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.
Publish Date: 2024-07-22
URL: CVE-2024-25638
### CVSS 3 Score Details (8.9)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
Release Date: 2024-07-22
Fix Resolution: dnsjava:dnsjava:3.6.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-38286
### Vulnerable Library - tomcat-embed-core-10.1.10.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.10/tomcat-embed-core-10.1.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - spring-boot-starter-tomcat-3.1.1.jar - :x: **tomcat-embed-core-10.1.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsAllocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat, leading to Denial of Service (DoS).
Publish Date: 2024-11-07
URL: CVE-2024-38286
### CVSS 3 Score Details (8.6)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q3/264
Release Date: 2024-11-07
Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.90,10.1.25,11.0.0-M21, org.apache.tomcat.embed:tomcat-embed-core:9.0.90,10.1.25,11.0.0-M21
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2022-1471
### Vulnerable Library - snakeyaml-1.33.jarYAML 1.1 parser and emitter for Java
Library home page: https://bitbucket.org/snakeyaml/snakeyaml
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - :x: **snakeyaml-1.33.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsSnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
### CVSS 3 Score Details (8.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution: org.yaml:snakeyaml:2.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-25710
### Vulnerable Library - commons-compress-1.24.0.jarApache Commons Compress defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - webdrivermanager-5.6.2.jar - docker-java-3.3.4.jar - docker-java-core-3.3.4.jar - :x: **commons-compress-1.24.0.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsLoop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Publish Date: 2024-02-19
URL: CVE-2024-25710
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710
Release Date: 2024-02-19
Fix Resolution: org.apache.commons:commons-compress:1.26.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-22262
### Vulnerable Library - spring-web-6.0.10.jarSpring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.10/spring-web-6.0.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - alm-rest-client-0.1.4.jar - :x: **spring-web-6.0.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsApplications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Publish Date: 2024-04-16
URL: CVE-2024-22262
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-22262
Release Date: 2024-04-16
Fix Resolution: org.springframework:spring-web:5.3.34;6.0.19,6.1.6
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-22259
### Vulnerable Library - spring-web-6.0.10.jarSpring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.10/spring-web-6.0.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - alm-rest-client-0.1.4.jar - :x: **spring-web-6.0.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsApplications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Publish Date: 2024-03-16
URL: CVE-2024-22259
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-22259
Release Date: 2024-03-16
Fix Resolution: org.springframework:spring-web:5.3.33,6.0.18,6.1.5
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-22243
### Vulnerable Library - spring-web-6.0.10.jarSpring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.10/spring-web-6.0.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - alm-rest-client-0.1.4.jar - :x: **spring-web-6.0.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsApplications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
Publish Date: 2024-02-23
URL: CVE-2024-22243
### CVSS 3 Score Details (8.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-22243
Release Date: 2024-02-23
Fix Resolution: org.springframework:spring-web:5.3.32,6.0.17,6.1.4
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-38819
### Vulnerable Library - spring-webmvc-6.0.10.jarSpring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.0.10/spring-webmvc-6.0.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - :x: **spring-webmvc-6.0.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsApplications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. This is similar to CVE-2024-38816, but with different input.
Publish Date: 2024-06-20
URL: CVE-2024-38819
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-38819
Release Date: 2024-06-20
Fix Resolution: org.springframework:spring-webflux:6.1.14, org.springframework:spring-webmvc:6.1.14
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-38816
### Vulnerable Library - spring-webmvc-6.0.10.jarSpring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.0.10/spring-webmvc-6.0.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - :x: **spring-webmvc-6.0.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsApplications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running. Specifically, an application is vulnerable when both of the following are true: * the web application uses RouterFunctions to serve static resources * resource handling is explicitly configured with a FileSystemResource location However, malicious requests are blocked and rejected when any of the following is true: * the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use * the application runs on Tomcat or Jetty
Publish Date: 2024-09-13
URL: CVE-2024-38816
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://spring.io/security/cve-2024-38816
Release Date: 2024-09-13
Fix Resolution: org.springframework:spring-webflux:6.1.13, org.springframework:spring-webmvc:6.1.13
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-34750
### Vulnerable Library - tomcat-embed-core-10.1.10.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.10/tomcat-embed-core-10.1.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - spring-boot-starter-tomcat-3.1.1.jar - :x: **tomcat-embed-core-10.1.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsImproper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Publish Date: 2024-07-03
URL: CVE-2024-34750
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
Release Date: 2024-07-03
Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.90,10.1.25,11.0.0-M21, org.apache.tomcat.embed:tomcat-embed-core:9.0.90,10.1.25,11.0.0-M21
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-30172
### Vulnerable Libraries - bcprov-jdk18on-1.76.jar, bcprov-jdk15on-1.58.jar### bcprov-jdk18on-1.76.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
Library home page: https://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - webdrivermanager-5.6.2.jar - docker-java-3.3.4.jar - docker-java-core-3.3.4.jar - bcpkix-jdk18on-1.76.jar - :x: **bcprov-jdk18on-1.76.jar** (Vulnerable Library) ### bcprov-jdk15on-1.58.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsAn issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Publish Date: 2024-05-09
URL: CVE-2024-30172
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2024-30172
Release Date: 2024-03-24
Fix Resolution (org.bouncycastle:bcprov-jdk15on): 1.78
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29857
### Vulnerable Libraries - bcprov-jdk15on-1.58.jar, bcprov-jdk18on-1.76.jar### bcprov-jdk15on-1.58.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library) ### bcprov-jdk18on-1.76.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.
Library home page: https://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - webdrivermanager-5.6.2.jar - docker-java-3.3.4.jar - docker-java-core-3.3.4.jar - bcpkix-jdk18on-1.76.jar - :x: **bcprov-jdk18on-1.76.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsAn issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Publish Date: 2024-05-14
URL: CVE-2024-29857
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-8xfc-gm6g-vgpv
Release Date: 2024-05-14
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-24549
### Vulnerable Library - tomcat-embed-core-10.1.10.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.10/tomcat-embed-core-10.1.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - spring-boot-starter-tomcat-3.1.1.jar - :x: **tomcat-embed-core-10.1.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsDenial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Publish Date: 2024-03-13
URL: CVE-2024-24549
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
Release Date: 2024-03-13
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.19
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-23672
### Vulnerable Library - tomcat-embed-websocket-10.1.10.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/10.1.10/tomcat-embed-websocket-10.1.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - spring-boot-starter-tomcat-3.1.1.jar - :x: **tomcat-embed-websocket-10.1.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsDenial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Publish Date: 2024-03-13
URL: CVE-2024-23672
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-03-13
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 10.1.19
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-46589
### Vulnerable Library - tomcat-embed-core-10.1.10.jarCore Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.10/tomcat-embed-core-10.1.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - spring-boot-starter-tomcat-3.1.1.jar - :x: **tomcat-embed-core-10.1.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsImproper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
Publish Date: 2023-11-28
URL: CVE-2023-46589
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2023-11-28
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.16
Direct dependency fix Resolution (io.zahori:zahori-framework): 0.2.15_appium
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-44487
### Vulnerable Libraries - netty-codec-http2-4.1.94.Final.jar, tomcat-embed-core-10.1.10.jar### netty-codec-http2-4.1.94.Final.jar
Library home page: https://netty.io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.94.Final/netty-codec-http2-4.1.94.Final.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - littleproxy-1.1.0-beta-bmp-17.jar - netty-all-4.1.94.Final.jar - :x: **netty-codec-http2-4.1.94.Final.jar** (Vulnerable Library) ### tomcat-embed-core-10.1.10.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.10/tomcat-embed-core-10.1.10.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - spring-boot-starter-web-3.1.1.jar - spring-boot-starter-tomcat-3.1.1.jar - :x: **tomcat-embed-core-10.1.10.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2019-17359
### Vulnerable Library - bcprov-jdk15on-1.58.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsThe ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Publish Date: 2019-10-08
URL: CVE-2019-17359
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
Release Date: 2019-10-08
Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2018-1000180
### Vulnerable Library - bcprov-jdk15on-1.58.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar,/pom.xml
Dependency Hierarchy: - zahori-framework-0.2.15.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)
Found in HEAD commit: b59d2372aa96c6aa560fe94833a1d50dcec164ce
Found in base branch: master
### Vulnerability DetailsBouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Publish Date: 2018-06-05
URL: CVE-2018-1000180
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
Release Date: 2018-06-05
Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)