spring-boot-dependencies-3.0.4.pom: 38 vulnerabilities (highest severity is: 9.3) reachable

[mend-for-github-com]

Vulnerable Library - spring-boot-dependencies-3.0.4.pom

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.6/spring-web-6.0.6.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.6/2916961032e54aaeb534a290530b7b69e297bfcc/spring-web-6.0.6.jar

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (spring-boot-dependencies version)	Remediation Possible**	Reachability
CVE-2024-52316	Critical	9.3	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38819	High	8.7	Not Defined	0.0%	spring-webmvc-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38816	High	8.7	Not Defined	0.1%	spring-webmvc-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2024-34750	High	8.7	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-46589	High	8.7	Not Defined	0.6%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-28709	High	8.7	Not Defined	1.7%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-20860	High	8.7	Not Defined	0.1%	spring-webmvc-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2022-1471	High	8.7	Not Defined	2.4%	snakeyaml-1.33.jar	Transitive	N/A*	❌	Reachable
CVE-2024-22262	High	8.6	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2024-22259	High	8.6	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2024-22243	High	8.6	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2023-6378	High	8.2	Not Defined	0.1%	logback-classic-1.4.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-1370	High	8.2	Not Defined	0.1%	json-smart-2.4.8.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38286	High	7.7	Not Defined	0.3%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2024-56337	High	7.2	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2024-50379	High	7.2	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-20863	High	7.1	Not Defined	0.2%	spring-expression-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2023-20861	High	7.1	Not Defined	0.1%	spring-expression-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2024-52317	Medium	6.9	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38809	Medium	6.9	Not Defined	0.0%	spring-web-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2023-45648	Medium	6.9	Not Defined	0.4%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-44487	Medium	6.9	High	85.6%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-42795	Medium	6.9	Not Defined	1.4000001%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-34053	Medium	6.9	Not Defined	0.1%	spring-web-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2024-24549	Medium	6.6	Not Defined	0.0%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-51074	Medium	6.3	Not Defined	0.1%	json-path-2.7.0.jar	Transitive	N/A*	❌	Reachable
CVE-2023-41080	Medium	5.3	Not Defined	0.5%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2023-28708	Medium	5.3	Not Defined	0.1%	tomcat-embed-core-10.1.5.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38820	Low	2.3	Not Defined	0.1%	spring-context-6.0.6.jar	Transitive	N/A*	❌	Reachable
CVE-2023-20873	Critical	9.3	Not Defined	0.70000005%	spring-boot-actuator-autoconfigure-3.0.4.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-20883	High	8.7	Not Defined	0.1%	spring-boot-autoconfigure-3.0.4.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-38286	High	7.7	Not Defined	0.1%	thymeleaf-3.1.1.RELEASE.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-34055	Medium	6.9	Not Defined	0.1%	spring-boot-actuator-3.0.4.jar	Transitive	N/A*	❌	Unreachable
CVE-2024-31573	Medium	6.3	Not Defined		xmlunit-core-2.9.1.jar	Transitive	N/A*	❌	Unreachable
CVE-2024-23672	Medium	5.3	Not Defined	0.0%	tomcat-embed-websocket-10.1.5.jar	Transitive	N/A*	❌	Unreachable
WS-2022-0468	High	8.7	Not Defined		jackson-core-2.14.2.jar	Transitive	N/A*	❌
CVE-2024-12798	Medium	5.9	Not Defined	0.1%	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2024-12801	Low	2.4	Not Defined	0.0%	logback-core-1.4.5.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (14 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-52316

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.owner.OwnerController (Application)
  -> org.springframework.validation.BindingResult (Extension)
   -> org.springframework.validation.beanvalidation.SpringValidatorAdapter$ViolationFieldError (Extension)
    -> org.apache.catalina.core.ApplicationContext (Extension)
    ...
      -> org.apache.coyote.http11.Http11NioProtocol (Extension)
       -> org.apache.catalina.connector.CoyoteAdapter (Extension)
        -> ❌ org.apache.catalina.authenticator.AuthenticatorBase (Vulnerable Component)

Vulnerability Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Publish Date: 2024-11-18

URL: CVE-2024-52316

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (9.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-11-18

Fix Resolution: org.apache.tomcat:tomcat-catalina:9.0.96,10.1.31,11.0.0, org.apache.tomcat.embed:tomcat-embed-core:9.0.96,10.1.31,11.0.0

CVE-2024-38819

Vulnerable Library - spring-webmvc-6.0.6.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.6/302580efc981ad6797a85814ea0996e2149bb420/spring-webmvc-6.0.6.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.0.6/spring-webmvc-6.0.6.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ spring-webmvc-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.web.servlet.function.DefaultEntityResponseBuilder$DefaultEntityResponse (Extension)
    ...
      -> org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor (Extension)
       -> org.springframework.web.servlet.function.support.RouterFunctionMapping (Extension)
        -> ❌ org.springframework.web.servlet.resource.ResourceHttpRequestHandler (Vulnerable Component)

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

This is similar to CVE-2024-38816, but with different input.

Publish Date: 2024-12-19

URL: CVE-2024-38819

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38819

Release Date: 2024-12-19

Fix Resolution: org.springframework:spring-webflux:6.1.14, org.springframework:spring-webmvc:6.1.14

CVE-2024-38816

Vulnerable Library - spring-webmvc-6.0.6.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.6/302580efc981ad6797a85814ea0996e2149bb420/spring-webmvc-6.0.6.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.0.6/spring-webmvc-6.0.6.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ spring-webmvc-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.context.annotation.ComponentScan (Extension)
    -> org.springframework.web.servlet.function.ResourceHandlerFunction$HeadMethodResource (Extension)
    ...
      -> org.springframework.web.servlet.function.ErrorHandlingServerResponse (Extension)
       -> org.springframework.web.servlet.function.RouterFunctions (Extension)
        -> ❌ org.springframework.web.servlet.function.PathResourceLookupFunction (Vulnerable Component)

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

• the web application uses RouterFunctions to serve static resources
• resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

• the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use
• the application runs on Tomcat or Jetty

Publish Date: 2024-09-13

URL: CVE-2024-38816

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38816

Release Date: 2024-09-13

Fix Resolution: org.springframework:spring-webflux:6.1.13, org.springframework:spring-webmvc:6.1.13

CVE-2024-34750

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.owner.OwnerController (Application)
  -> org.springframework.data.domain.Page (Extension)
   -> org.springframework.data.domain.Sort (Extension)
    -> org.apache.catalina.session.StandardSession (Extension)
    ...
      -> org.apache.catalina.core.ThreadLocalLeakPreventionListener (Extension)
       -> org.apache.coyote.http11.AbstractHttp11Protocol (Extension)
        -> ❌ org.apache.coyote.http2.Http2UpgradeHandler (Vulnerable Component)

Vulnerability Details

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Publish Date: 2024-07-03

URL: CVE-2024-34750

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

Release Date: 2024-07-03

Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.90,10.1.25,11.0.0-M21, org.apache.tomcat.embed:tomcat-embed-core:9.0.90,10.1.25,11.0.0-M21

CVE-2023-46589

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.owner.OwnerController (Application)
  -> org.springframework.validation.BindingResult (Extension)
   -> org.springframework.validation.beanvalidation.SpringValidatorAdapter$ViolationFieldError (Extension)
    -> org.apache.catalina.startup.EngineRuleSet (Extension)
    ...
      -> org.apache.catalina.startup.EngineConfig (Extension)
       -> org.apache.catalina.valves.rewrite.RewriteValve (Extension)
        -> ❌ org.apache.catalina.connector.Request (Vulnerable Component)

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

Publish Date: 2023-11-28

URL: CVE-2023-46589

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2023-11-28

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.96,9.0.83,10.1.16,11.0.0-M11, org.apache.tomcat.embed:tomcat-embed-core:8.5.96,9.0.83,10.1.16,11.0.0-M11, org.apache.tomcat:tomcat-catalina:8.5.96,9.0.83,10.1.16,11.0.0-M11

CVE-2023-28709

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.owner.OwnerController (Application)
  -> org.springframework.web.bind.WebDataBinder (Extension)
   -> org.springframework.validation.DataBinder (Extension)
    -> org.apache.catalina.mbeans.UserMBean (Extension)
    ...
      -> org.apache.catalina.Host (Extension)
       -> org.apache.catalina.connector.Request (Extension)
        -> ❌ org.apache.tomcat.util.http.Parameters (Vulnerable Component)

Vulnerability Details

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

Publish Date: 2023-05-22

URL: CVE-2023-28709

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.7%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j

Release Date: 2023-05-22

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:8.5.88,9.0.74,10.1.8 ,11.0.0-M5;org.apache.tomcat:tomcat-coyote:8.5.88,9.0.74,10.1.8 ,11.0.0-M5

CVE-2023-20860

Vulnerable Library - spring-webmvc-6.0.6.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.0.6/302580efc981ad6797a85814ea0996e2149bb420/spring-webmvc-6.0.6.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/6.0.6/spring-webmvc-6.0.6.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ spring-webmvc-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.web.servlet.function.ResourceHandlerFunction (Extension)
    ...
      -> org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor$1 (Extension)
       -> org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor (Extension)
        -> ❌ org.springframework.web.servlet.handler.PathPatternMatchableHandlerMapping (Vulnerable Component)

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution: org.springframework:spring-webmvc:5.3.26,6.0.7

CVE-2022-1471

Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ snakeyaml-1.33.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.beans.factory.support.BeanNameGenerator (Extension)
    -> org.springframework.beans.factory.config.BeanDefinition (Extension)
    ...
      -> org.springframework.beans.factory.config.YamlMapFactoryBean (Extension)
       -> org.yaml.snakeyaml.Yaml (Extension)
        -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 2.4%

CVSS 4 Score Details (8.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2024-22262

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.6/spring-web-6.0.6.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.6/2916961032e54aaeb534a290530b7b69e297bfcc/spring-web-6.0.6.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
    ...
      -> org.springframework.web.context.request.ServletWebRequest (Extension)
       -> org.springframework.web.util.WebUtils (Extension)
        -> ❌ org.springframework.web.util.UriComponentsBuilder (Vulnerable Component)

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution: org.springframework:spring-web:5.3.34;6.0.19,6.1.6

CVE-2024-22259

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.6/spring-web-6.0.6.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.6/2916961032e54aaeb534a290530b7b69e297bfcc/spring-web-6.0.6.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
    ...
      -> org.springframework.web.context.request.ServletWebRequest (Extension)
       -> org.springframework.web.util.WebUtils (Extension)
        -> ❌ org.springframework.web.util.UriComponentsBuilder (Vulnerable Component)

Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution: org.springframework:spring-web:5.3.33,6.0.18,6.1.5

CVE-2024-22243

Vulnerable Library - spring-web-6.0.6.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.6/spring-web-6.0.6.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/6.0.6/2916961032e54aaeb534a290530b7b69e297bfcc/spring-web-6.0.6.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ spring-web-6.0.6.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
    ...
      -> org.springframework.web.context.request.ServletWebRequest (Extension)
       -> org.springframework.web.util.WebUtils (Extension)
        -> ❌ org.springframework.web.util.UriComponentsBuilder (Vulnerable Component)

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

Publish Date: 2024-02-23

URL: CVE-2024-22243

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: N/A
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution: org.springframework:spring-web:5.3.32,6.0.17,6.1.4

CVE-2023-6378

Vulnerable Library - logback-classic-1.4.5.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.5/28e7dc0b208d6c3f15beefd73976e064b4ecfa9b/logback-classic-1.4.5.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ logback-classic-1.4.5.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
    -> ch.qos.logback.classic.joran.JoranConfigurator (Extension)
    ...
      -> ch.qos.logback.classic.net.SocketAppender (Extension)
       -> ch.qos.logback.classic.net.LoggingEventPreSerializationTransformer (Extension)
        -> ❌ ch.qos.logback.classic.spi.LoggingEventVO (Vulnerable Component)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12

CVE-2023-1370

Vulnerable Library - json-smart-2.4.8.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: https://urielch.github.io/

Path to dependency file: /build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.4.8/7c62f5f72ab05eb54d40e2abf0360a2fe9ea477f/json-smart-2.4.8.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ json-smart-2.4.8.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.PetClinicApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
    -> com.jayway.jsonpath.internal.path.RootPathToken (Extension)
    ...
      -> com.jayway.jsonpath.spi.json.JsonSmartJsonProvider (Extension)
       -> net.minidev.json.parser.JSONParser (Extension)
        -> ❌ net.minidev.json.parser.JSONParserReader (Vulnerable Component)

Vulnerability Details

Json-smart is a performance focused, JSON processor lib.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Publish Date: 2023-03-13

URL: CVE-2023-1370

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 4 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-13

Fix Resolution: net.minidev:json-smart:2.4.9

CVE-2024-38286

Vulnerable Library - tomcat-embed-core-10.1.5.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.5/tomcat-embed-core-10.1.5.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.5/21417d3ef8189e2af05aae0a765ad9204d7211b5/tomcat-embed-core-10.1.5.jar

Dependency Hierarchy:

• spring-boot-dependencies-3.0.4.pom (Root Library)
  • ❌ tomcat-embed-core-10.1.5.jar (Vulnerable Library)

Found in HEAD commit: 066205be5f348da0c817e7584705320547996986

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.samples.petclinic.owner.OwnerController (Application)
  -> org.springframework.validation.BindingResult (Extension)
   -> org.springframework.validation.beanvalidation.SpringValidatorAdapter$ViolationFieldError (Extension)
    -> org.apache.catalina.core.ApplicationContext (Extension)
    ...
      -> org.apache.coyote.http11.Http11Nio2Protocol (Extension)
       -> org.apache.tomcat.util.net.SecureNio2Channel (Extension)
        -> ❌ org.apache.tomcat.util.net.SecureNio2Channel$FutureRead (Vulnerable Component)

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat, leading to Denial of Service (DoS).

Publish Date: 2024-11-07

URL: CVE-2024-38286

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 4 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: N/A
• Impact Metrics:
  • Confidentiality Impact: N/A
  • Integrity Impact: N/A
  • Availability Impact: N/A

For more information on CVSS4 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q3/264

Release Date: 2024-11-07

Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.90,10.1.25,11.0.0-M21, org.apache.tomcat.embed:tomcat-embed-core:9.0.90,10.1.25,11.0.0-M21