
spring-boot-starter-web-1.1.9.RELEASE.jar: 32 vulnerabilities (highest severity is: 9.8) reachable #235

Open
mend-for-github-com bot opened this issue Mar 20, 2023 · 0 comments
Labels: Mend: dependency security vulnerability (Security vulnerability detected by Mend)

Comments


mend-for-github-com bot commented Mar 20, 2023

Vulnerable Library - spring-boot-starter-web-1.1.9.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.0.3.Final/hibernate-validator-5.0.3.Final.jar

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-1932 | Medium | 6.1 | Not Defined | 0.0% | hibernate-validator-5.0.3.Final.jar | Transitive | 2.0.0.RELEASE | | Reachable |
| CVE-2020-10693 | Medium | 5.3 | Not Defined | 0.1% | hibernate-validator-5.0.3.Final.jar | Transitive | 2.0.0.RELEASE | | Reachable |
| CVE-2014-3558 | Medium | 5.3 | Not Defined | 0.4% | hibernate-validator-5.0.3.Final.jar | Transitive | 1.2.0.RELEASE | | Reachable |
| CVE-2018-8014 | Critical | 9.8 | Not Defined | 14.8% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2015-5211 | Critical | 9.6 | Not Defined | 0.1% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | 1.2.7.RELEASE | | Unreachable |
| CVE-2017-5648 | Critical | 9.1 | Not Defined | 0.9% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-0714 | High | 8.8 | Not Defined | 0.6% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2017-12617 | High | 8.1 | High | 97.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-5388 | High | 8.1 | Not Defined | 96.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2015-5346 | High | 8.1 | Not Defined | 1.1% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2024-38819 | High | 7.5 | Not Defined | 0.0% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | 3.2.11 | | Unreachable |
| CVE-2024-38816 | High | 7.5 | Not Defined | 0.1% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | 3.2.10 | | Unreachable |
| CVE-2018-8034 | High | 7.5 | Not Defined | 0.5% | tomcat-embed-websocket-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2017-5664 | High | 7.5 | Not Defined | 1.0% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2017-5647 | High | 7.5 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-8745 | High | 7.5 | Not Defined | 1.5% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-6797 | High | 7.5 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-5007 | High | 7.5 | Not Defined | 0.3% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | 1.4.0.RELEASE | | Unreachable |
| CVE-2016-3092 | High | 7.5 | Not Defined | 30.0% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-6816 | High | 7.1 | Not Defined | 0.8% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-0763 | Medium | 6.3 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2021-24122 | Medium | 5.9 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2018-1271 | Medium | 5.9 | Not Defined | 1.1% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | 1.5.11.RELEASE | | Unreachable |
| CVE-2016-0762 | Medium | 5.9 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2024-38828 | Medium | 5.3 | Not Defined | 0.0% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | N/A* | | Unreachable |
| CVE-2016-6794 | Medium | 5.3 | Not Defined | 0.2% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2015-5345 | Medium | 5.3 | Not Defined | 0.6% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2020-1935 | Medium | 4.8 | Not Defined | 0.7% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2021-22096 | Medium | 4.3 | Not Defined | 0.1% | spring-webmvc-4.0.8.RELEASE.jar | Transitive | 2.4.0 | | Unreachable |
| CVE-2017-7674 | Medium | 4.3 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2016-0706 | Medium | 4.3 | Not Defined | 0.6% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |
| CVE-2015-5174 | Medium | 4.3 | Not Defined | 0.3% | tomcat-embed-core-8.0.15.jar | Transitive | 1.1.10.RELEASE | | Unreachable |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
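The table above is the input a practitioner actually has to act on: three findings are reachable, the rest are not, and the "Fixed in" column mixes patch-level bumps (1.1.10.RELEASE) with major-version jumps (2.0.0.RELEASE, 3.2.x). The script below is an added example, not part of the Mend report or of the scanned project. It transcribes the rows (EPSS rounded to one decimal), orders spring-boot-starter-web versions with a simplified re-implementation of Maven's ordering (an assumption: only the numeric segments and the qualifier styles that occur on this page are handled), and answers three questions: the lowest starter upgrade that closes the reachable findings, the upgrade that closes everything that has a fix, and which "unreachable" findings still deserve a manual look because exploitation is known or EPSS is high.

```python
"""Triage of the findings table in this issue.

Added example, not part of the Mend report or of the scanned project. Rows are
transcribed from the table above (EPSS rounded to one decimal); the version
ordering is a simplified re-implementation of Maven's rules and assumes only the
numeric segments and qualifiers that occur on this page need to be ordered.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    cve: str
    cvss: float
    exploit_maturity: str
    epss: float                  # percent
    library: str
    fixed_in: Optional[str]      # spring-boot-starter-web version, None = no fixing version
    reachable: bool              # Mend's static call-graph verdict


HV, TEC = "hibernate-validator-5.0.3.Final.jar", "tomcat-embed-core-8.0.15.jar"
TEW, SWM = "tomcat-embed-websocket-8.0.15.jar", "spring-webmvc-4.0.8.RELEASE.jar"
ND, B1110 = "Not Defined", "1.1.10.RELEASE"

FINDINGS: List[Finding] = [
    Finding("CVE-2023-1932", 6.1, ND, 0.0, HV, "2.0.0.RELEASE", True),
    Finding("CVE-2020-10693", 5.3, ND, 0.1, HV, "2.0.0.RELEASE", True),
    Finding("CVE-2014-3558", 5.3, ND, 0.4, HV, "1.2.0.RELEASE", True),
    Finding("CVE-2018-8014", 9.8, ND, 14.8, TEC, B1110, False),
    Finding("CVE-2015-5211", 9.6, ND, 0.1, SWM, "1.2.7.RELEASE", False),
    Finding("CVE-2017-5648", 9.1, ND, 0.9, TEC, B1110, False),
    Finding("CVE-2016-0714", 8.8, ND, 0.6, TEC, B1110, False),
    Finding("CVE-2017-12617", 8.1, "High", 97.3, TEC, B1110, False),
    Finding("CVE-2016-5388", 8.1, ND, 96.3, TEC, B1110, False),
    Finding("CVE-2015-5346", 8.1, ND, 1.1, TEC, B1110, False),
    Finding("CVE-2024-38819", 7.5, ND, 0.0, SWM, "3.2.11", False),
    Finding("CVE-2024-38816", 7.5, ND, 0.1, SWM, "3.2.10", False),
    Finding("CVE-2018-8034", 7.5, ND, 0.5, TEW, B1110, False),
    Finding("CVE-2017-5664", 7.5, ND, 1.0, TEC, B1110, False),
    Finding("CVE-2017-5647", 7.5, ND, 0.3, TEC, B1110, False),
    Finding("CVE-2016-8745", 7.5, ND, 1.5, TEC, B1110, False),
    Finding("CVE-2016-6797", 7.5, ND, 0.3, TEC, B1110, False),
    Finding("CVE-2016-5007", 7.5, ND, 0.3, SWM, "1.4.0.RELEASE", False),
    Finding("CVE-2016-3092", 7.5, ND, 30.0, TEC, B1110, False),
    Finding("CVE-2016-6816", 7.1, ND, 0.8, TEC, B1110, False),
    Finding("CVE-2016-0763", 6.3, ND, 0.3, TEC, B1110, False),
    Finding("CVE-2021-24122", 5.9, ND, 0.3, TEC, B1110, False),
    Finding("CVE-2018-1271", 5.9, ND, 1.1, SWM, "1.5.11.RELEASE", False),
    Finding("CVE-2016-0762", 5.9, ND, 0.3, TEC, B1110, False),
    Finding("CVE-2024-38828", 5.3, ND, 0.0, SWM, None, False),
    Finding("CVE-2016-6794", 5.3, ND, 0.2, TEC, B1110, False),
    Finding("CVE-2015-5345", 5.3, ND, 0.6, TEC, B1110, False),
    Finding("CVE-2020-1935", 4.8, ND, 0.7, TEC, B1110, False),
    Finding("CVE-2021-22096", 4.3, ND, 0.1, SWM, "2.4.0", False),
    Finding("CVE-2017-7674", 4.3, ND, 0.3, TEC, B1110, False),
    Finding("CVE-2016-0706", 4.3, ND, 0.6, TEC, B1110, False),
    Finding("CVE-2015-5174", 4.3, ND, 0.3, TEC, B1110, False),
]

# Qualifier order, lowest first; Maven treats RELEASE / Final / GA like no qualifier.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "rc": 2, "": 3, "ga": 3, "final": 3, "release": 3}


def version_key(version: str) -> tuple:
    """Sort key giving 1.1.9.RELEASE < 1.1.10.RELEASE < 2.0.0.RELEASE < 3.2.11."""
    parts = re.split(r"[.\-]", version.strip())
    nums = []
    while parts and parts[0].isdigit():
        nums.append(int(parts.pop(0)))
    nums += [0] * (4 - len(nums))                     # 2.4.0 sorts as 2.4.0.0
    match = re.match(r"([a-z]*)(\d*)", "".join(parts).lower())
    name, number = match.group(1), int(match.group(2) or 0)
    return (tuple(nums), _QUALIFIER_RANK.get(name, 3), number)  # unknown qualifier ~ release (assumption)


def fixed_by(findings: List[Finding], version: str) -> List[Finding]:
    """Findings closed by moving spring-boot-starter-web to `version` (fixes assumed cumulative)."""
    key = version_key(version)
    return [f for f in findings if f.fixed_in and version_key(f.fixed_in) <= key]


def minimal_upgrade(findings: List[Finding], only_reachable: bool = False):
    """Lowest starter version closing every finding in scope, and the CVEs no starter version fixes."""
    scope = [f for f in findings if f.reachable or not only_reachable]
    best = max((f.fixed_in for f in scope if f.fixed_in), key=version_key, default=None)
    return best, [f.cve for f in scope if not f.fixed_in]


def priority_despite_unreachable(findings: List[Finding], epss_threshold: float = 10.0) -> List[Finding]:
    """'Unreachable' is a verdict on the application's call graph. Findings with known
    exploitation or high EPSS still need a manual look: several of them (the CORS filter
    default, HTTP PUT through the Default servlet, the CGI servlet's httpoxy) hinge on
    server configuration, which a call-graph analysis does not model."""
    hits = [f for f in findings if not f.reachable
            and (f.exploit_maturity != ND or f.epss >= epss_threshold)]
    return sorted(hits, key=lambda f: f.epss, reverse=True)
```

Run against the rows above, `minimal_upgrade(FINDINGS, only_reachable=True)` gives 2.0.0.RELEASE, a Spring Boot major-version jump, while `fixed_by(FINDINGS, "1.1.10.RELEASE")` already closes 22 of the 32 rows (every Tomcat finding, including the ones with 97.3% and 96.3% EPSS) with a patch-level bump, which is the cheaper first step. CVE-2024-38828 stays open whatever the starter version, as the `N/A*` footnote says.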

Details

Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2023-1932

Vulnerable Library - hibernate-validator-5.0.3.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://validator.hibernate.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.0.3.Final/hibernate-validator-5.0.3.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • hibernate-validator-5.0.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.dynatrace.cf.servicebroker.Application (Application)
  -> org.springframework.context.annotation.ComponentScan (Extension)
   -> org.springframework.context.annotation.AnnotationScopeMetadataResolver (Extension)
    -> org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator (Extension)
    ...
      -> org.hibernate.validator.internal.util.logging.Log (Extension)
       -> org.hibernate.validator.internal.metadata.descriptor.ConstraintDescriptorImpl (Extension)
        -> ❌ org.hibernate.validator.internal.metadata.core.ConstraintHelper (Vulnerable Component)

Vulnerability Details

A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can be bypassed by omitting the tag end (less than sign). Browsers typically still render the invalid html which leads to attacks like HTML injection and Cross-Site-Scripting.

Publish Date: 2024-11-07

URL: CVE-2023-1932

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444

Release Date: 2024-11-07

Fix Resolution (org.hibernate:hibernate-validator): 6.2.0.CR1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-10693

Vulnerable Library - hibernate-validator-5.0.3.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://validator.hibernate.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.0.3.Final/hibernate-validator-5.0.3.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • hibernate-validator-5.0.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.dynatrace.cf.servicebroker.Application (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.context.support.AbstractApplicationContext (Extension)
    -> org.springframework.validation.beanvalidation.LocalValidatorFactoryBean (Extension)
    ...
      -> org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator (Extension)
       -> org.hibernate.validator.internal.engine.messageinterpolation.InterpolationTerm (Extension)
        -> ❌ org.hibernate.validator.internal.engine.messageinterpolation.FormatterWrapper (Vulnerable Component)

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/

Release Date: 2020-05-06

Fix Resolution (org.hibernate:hibernate-validator): 6.0.0.Alpha1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-3558

Vulnerable Library - hibernate-validator-5.0.3.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://validator.hibernate.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.0.3.Final/hibernate-validator-5.0.3.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • hibernate-validator-5.0.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.dynatrace.cf.servicebroker.Application (Application)
  -> org.springframework.context.annotation.ComponentScan (Extension)
   -> org.springframework.context.annotation.AnnotationScopeMetadataResolver (Extension)
    -> org.hibernate.validator.messageinterpolation.ResourceBundleMessageInterpolator (Extension)
    ...
      -> org.hibernate.validator.internal.util.logging.Log (Extension)
       -> org.hibernate.validator.internal.metadata.descriptor.ConstraintDescriptorImpl (Extension)
        -> ❌ org.hibernate.validator.internal.util.ReflectionHelper (Vulnerable Component)

Vulnerability Details

ReflectionHelper (org.hibernate.validator.util.ReflectionHelper) in Hibernate Validator 4.1.0 before 4.2.1, 4.3.x before 4.3.2, and 5.x before 5.1.2 allows attackers to bypass Java Security Manager (JSM) restrictions and execute restricted reflection calls via a crafted application.

Publish Date: 2014-09-30

URL: CVE-2014-3558

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://hibernate.atlassian.net/browse/HV-912

Release Date: 2014-09-30

Fix Resolution (org.hibernate:hibernate-validator): 5.1.2.Final

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.2.0.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-8014

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
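CVE-2018-8014 is a configuration-default problem rather than a code path, so the call-graph verdict "unreachable" says nothing about whether a deployed instance exposes it; the only reliable answer comes from the running server. The following is an added example, not the report's or the scanned project's code: a small probe that sends one request carrying an arbitrary Origin and classifies the CORS response headers. PROBE_ORIGIN is an assumed attacker origin, and the response headers used for testing are constructed, not captured from a real server.

```python
"""Probe for the CVE-2018-8014 CORS filter default (credentials allowed for
any origin). Added example, not from the Mend report or the scanned project.
PROBE_ORIGIN is an arbitrary origin the application has no reason to trust;
the headers used in testing are constructed, not captured from a server."""
import http.client
from typing import Dict, Optional
from urllib.parse import urlsplit

PROBE_ORIGIN = "https://attacker.example"      # assumption: not an origin the app allows


def classify_cors(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> str:
    """Classify the CORS response to a request that carried `Origin: probe_origin`.

    'credentialed-any-origin' : the foreign origin is echoed back AND credentials are
                                allowed, i.e. what the insecure default produces; a page
                                on the attacker origin can read responses sent with the
                                victim's cookies.
    'reflects-origin'         : foreign origin echoed, no credentials.
    'any-origin'              : '*'; browsers refuse to attach credentials to it.
    'ok'                      : no CORS grant for this origin.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}     # header names are case-insensitive
    acao: Optional[str] = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "ok"
    if acao == probe_origin:
        return "credentialed-any-origin" if creds else "reflects-origin"
    if acao == "*":
        return "any-origin"
    return "ok"


def probe(url: str, probe_origin: str = PROBE_ORIGIN, timeout: float = 5.0) -> str:
    """One GET to `url` with a foreign Origin header, classified as above.
    Probe the path the CORS filter is mapped to; a filter mapped to /api/*
    says nothing about /."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Origin": probe_origin})
        return classify_cors(dict(conn.getresponse().getheaders()), probe_origin)
    finally:
        conn.close()


# Constructed response headers for the two cases (not captured from a real server).
INSECURE_DEFAULT_RESPONSE = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                             "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
HARDENED_RESPONSE = {"Content-Type": "application/json"}    # no grant for a foreign origin
```

`probe("https://host.example/api/health")` is enough to settle the question for one deployment. The check deliberately keys on the combination of a reflected Origin and `Access-Control-Allow-Credentials: true`; a bare `*` is a weaker finding because browsers will not send cookies with it, and a grant for an origin other than the probe's is the configured-allowlist behaviour the advisory expects.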

Publish Date: 2018-05-16

URL: CVE-2018-8014

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 14.8%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014

Release Date: 2018-05-16

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.53

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-5211

Vulnerable Library - spring-webmvc-4.0.8.RELEASE.jar

Spring Web MVC

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.0.8.RELEASE/spring-webmvc-4.0.8.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-webmvc-4.0.8.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions are vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Publish Date: 2017-05-25

URL: CVE-2015-5211

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211

Release Date: 2017-05-25

Fix Resolution (org.springframework:spring-webmvc): 4.1.8.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.2.7.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-5648

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Publish Date: 2017-04-17

URL: CVE-2017-5648

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.9%

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648

Release Date: 2017-04-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-0714

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

Publish Date: 2016-02-25

URL: CVE-2016-0714

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714

Release Date: 2016-02-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-12617

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Publish Date: 2017-10-03

URL: CVE-2017-12617

Threat Assessment

Exploit Maturity: High

EPSS: 97.299995%

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617

Release Date: 2017-10-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.47

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-5388

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
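The mechanism behind the httpoxy entry above is the RFC 3875 rule that every request header becomes an `HTTP_<NAME>` environment variable for the CGI program, so a client-supplied `Proxy:` header lands in `HTTP_PROXY`, which many HTTP client libraries read as their outbound proxy setting. The following is an added example, not Tomcat's CGI servlet and not the scanned project: a plain re-implementation of that header mapping with and without the server-side mitigation (dropping the `Proxy` header), plus the shape of the client-side mitigation. The request headers are constructed.

```python
"""httpoxy (CVE-2016-5388 above). RFC 3875 section 4.1.18 maps every request
header to an HTTP_<NAME> environment variable, so a client-supplied
'Proxy: ...' header becomes HTTP_PROXY, the variable many HTTP client
libraries read as their outbound proxy. Added example, not Tomcat's CGI
servlet nor the scanned project; the request below is constructed."""
from typing import Dict, Optional

# RFC 3875 gives these two their own variables instead of the HTTP_ prefix.
_UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_env(headers: Dict[str, str], strip_proxy: bool = True) -> Dict[str, str]:
    """Header part of a CGI environment. strip_proxy=True drops the 'Proxy'
    header before mapping, which is the server-side httpoxy mitigation
    (no standard client sends that header, so nothing legitimate is lost)."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key in _UNPREFIXED:
            env[_UNPREFIXED[key]] = value
        elif strip_proxy and key == "proxy":
            continue
        else:
            env["HTTP_" + key.upper().replace("-", "_")] = value
    return env


def outbound_proxy(env: Dict[str, str]) -> Optional[str]:
    """Proxy an unpatched client library would use: the first non-empty
    HTTP_PROXY / http_proxy it finds in the environment, case-insensitively."""
    for key, value in env.items():
        if key.lower() == "http_proxy" and value:
            return value
    return None


def outbound_proxy_hardened(env: Dict[str, str]) -> Optional[str]:
    """One shape of the client-side mitigation: inside a CGI invocation
    (REQUEST_METHOD is set) HTTP_PROXY is attacker-controlled, so it is
    ignored and only an operator-set lowercase http_proxy counts."""
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy") or None
    return outbound_proxy(env)


# Constructed request: an ordinary GET plus the attacker's Proxy header.
ATTACK_HEADERS = {"Host": "app.example", "User-Agent": "curl/8.0",
                  "Content-Length": "0", "Proxy": "http://attacker.example:8080"}
```

Both halves matter in practice: stripping the header at the server protects every CGI program behind it, while the client-side rule protects a program whose server was never patched. The NOTE in the advisory text is worth keeping in mind when triaging: the CVE ID tracks the planned Tomcat mitigation, and the exposure only exists where the CGI servlet is enabled.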

Publish Date: 2016-07-19

URL: CVE-2016-5388

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 96.3%

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388

Release Date: 2016-07-19

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-5346

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

Publish Date: 2016-02-25

URL: CVE-2015-5346

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.1%

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346

Release Date: 2016-02-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.30

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38819

Vulnerable Library - spring-webmvc-4.0.8.RELEASE.jar

Spring Web MVC

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.0.8.RELEASE/spring-webmvc-4.0.8.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-webmvc-4.0.8.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

This is similar to CVE-2024-38816, but with different input.
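The traversal class described for CVE-2024-38819 here, and for CVE-2024-38816 below, is a static-resource handler rooted at a file-system directory that joins the request path onto that root without verifying that the result stays inside it. The following is an added example in Python, neither Spring's WebMvc.fn resource handling nor its fix: the vulnerable resolver next to a hardened one that decodes once, resolves the candidate, and serves it only if it is still under the resolved root. The directory layout it builds is constructed for the demo.

```python
"""Path traversal of the kind described for CVE-2024-38816 / CVE-2024-38819:
a static-resource handler rooted at a file-system directory that joins the
request path onto that root without checking that the result stays inside it.
Added example in Python; it is neither Spring's WebMvc.fn resource handling
nor its fix, and the directory layout below is constructed for the demo."""
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_naive(root: str, request_path: str) -> str:
    """The vulnerable shape: percent-decode, drop the leading '/', join.
    '..' segments (plain or %2e%2e-encoded) walk out of `root`."""
    rel = unquote(request_path).lstrip("/")
    return os.path.normpath(os.path.join(root, rel))


def resolve_safe(root: str, request_path: str) -> Optional[str]:
    """Decode once, resolve the candidate (collapsing '..' and following
    symlinks), and serve it only if it is still under the resolved root.
    Returns None when the request must be rejected."""
    rel = unquote(request_path).lstrip("/")
    if "\x00" in rel:                              # NUL would truncate the name at the OS layer
        return None
    root_real = Path(root).resolve()
    candidate = (root_real / rel).resolve()
    try:
        candidate.relative_to(root_real)            # ValueError => escaped the root
    except ValueError:
        return None
    return str(candidate)


def make_demo_tree():
    """Constructed layout: <tmp>/static/index.html is meant to be served,
    <tmp>/secret.txt sits one level above the served root."""
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>public</h1>")
    (base / "secret.txt").write_text("not for the web")
    return str(root), str(base / "secret.txt")


def demo() -> dict:
    """Run both resolvers over a few traversal payloads and a legitimate request."""
    root, secret = make_demo_tree()
    attacks = ["/../secret.txt", "/%2e%2e/secret.txt", "/sub/../../secret.txt"]
    return {
        "naive_leaks": [resolve_naive(root, p) == secret for p in attacks],
        "safe_rejects": [resolve_safe(root, p) is None for p in attacks],
        "safe_serves_index": resolve_safe(root, "/index.html") == str(Path(root) / "index.html"),
    }
```

The fix is the containment check after normalisation, not a blocklist of `..` spellings: any encoding the server decodes ends up as a path that either is or is not under the root. Because `resolve()` follows symlinks, a link inside the served directory that points outside it is also refused, which is usually the right default for a static-file root.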

Publish Date: 2024-12-19

URL: CVE-2024-38819

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38819

Release Date: 2024-12-19

Fix Resolution (org.springframework:spring-webmvc): 6.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38816

Vulnerable Library - spring-webmvc-4.0.8.RELEASE.jar

Spring Web MVC

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.0.8.RELEASE/spring-webmvc-4.0.8.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-webmvc-4.0.8.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

  • the web application uses RouterFunctions to serve static resources
  • resource handling is explicitly configured with a FileSystemResource location

However, malicious requests are blocked and rejected when any of the following is true:

Publish Date: 2024-09-13

URL: CVE-2024-38816

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38816

Release Date: 2024-09-13

Fix Resolution (org.springframework:spring-webmvc): 6.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-8034

Vulnerable Library - tomcat-embed-websocket-8.0.15.jar

Core Tomcat implementation

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/8.0.15/tomcat-embed-websocket-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-websocket-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Publish Date: 2018-08-01

URL: CVE-2018-8034

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.5%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034

Release Date: 2018-08-01

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 8.0.53

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-5664

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Publish Date: 2017-06-06

URL: CVE-2017-5664

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Release Date: 2017-06-06

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.44

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-5647

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Publish Date: 2017-04-17

URL: CVE-2017-5647

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647

Release Date: 2017-04-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.43

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-8745

Vulnerable Library - tomcat-embed-core-8.0.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.0.15/tomcat-embed-core-8.0.15.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.1.9.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.1.9.RELEASE.jar
      • tomcat-embed-core-8.0.15.jar (Vulnerable Library)

Found in HEAD commit: 075c652078643180fb05751cdbc793df371d6844

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.
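This entry and CVE-2017-5647 above share a precondition: both faults live in the connector's sendfile path, so they are only reachable while sendfile is enabled on the embedded HTTP connector (it is on by default for the NIO connector). The fix is the upgrade to spring-boot-starter-web 1.1.10.RELEASE listed under Suggested Fix. Where that upgrade cannot ship immediately, the following added example (not the project's code, and not part of the Mend report) shows a compensating control for a Spring Boot 1.x application: an EmbeddedServletContainerCustomizer that turns sendfile off on every embedded Tomcat connector. It uses the `useSendfile` attribute documented for Tomcat's HTTP connector and the Connector.setProperty method that forwards attributes to the protocol handler; the class and bean names are illustrative. It narrows exposure to these two sendfile bugs only and does nothing for the other Tomcat entries in this issue.

```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Compensating control for the sendfile bugs (CVE-2017-5647, CVE-2016-8745) on an
// embedded Tomcat 8.0.x that cannot be upgraded yet. Spring Boot 1.x API; the class
// name and bean name are illustrative.
@Configuration
public class TomcatSendfileConfig {

    @Bean
    public EmbeddedServletContainerCustomizer disableSendfile() {
        return new EmbeddedServletContainerCustomizer() {
            @Override
            public void customize(ConfigurableEmbeddedServletContainer container) {
                // Only the Tomcat factory exposes connector customisers; Jetty and
                // Undertow do not have this code path and are left untouched.
                if (!(container instanceof TomcatEmbeddedServletContainerFactory)) {
                    return;
                }
                TomcatEmbeddedServletContainerFactory tomcat =
                        (TomcatEmbeddedServletContainerFactory) container;
                tomcat.addConnectorCustomizers(new TomcatConnectorCustomizer() {
                    @Override
                    public void customize(Connector connector) {
                        // "useSendfile" is the HTTP connector attribute from the Tomcat
                        // connector documentation; false keeps static responses on the
                        // ordinary write path instead of the sendfile code.
                        connector.setProperty("useSendfile", "false");
                    }
                });
            }
        };
    }
}
```

After deploying, confirm the setting took effect by reading the same attribute back from the running connector (Connector.getProperty("useSendfile")) in a startup check or an actuator endpoint, and remove the customizer once the dependency upgrade has landed so that the reason for the non-default setting does not outlive the bug.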

Publish Date: 2017-08-10

URL: CVE-2016-8745

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.5%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745

Release Date: 2017-08-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.41

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.1.10.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Mar 20, 2023
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 96 vulnerabilities (highest severity is: 10.0) spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) Aug 30, 2023
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.6) Dec 18, 2023
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.6) spring-boot-starter-web-1.1.9.RELEASE.jar: 29 vulnerabilities (highest severity is: 9.8) Feb 28, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 29 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) Mar 23, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 29 vulnerabilities (highest severity is: 9.8) Apr 8, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 29 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) Apr 11, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 27 vulnerabilities (highest severity is: 9.8) Apr 11, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 27 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 23 vulnerabilities (highest severity is: 9.8) Apr 12, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 23 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 22 vulnerabilities (highest severity is: 9.8) Apr 12, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 22 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 20 vulnerabilities (highest severity is: 8.8) Apr 13, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 20 vulnerabilities (highest severity is: 8.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 19 vulnerabilities (highest severity is: 8.8) Apr 14, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 19 vulnerabilities (highest severity is: 8.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) Apr 20, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 28 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 29 vulnerabilities (highest severity is: 9.8) Sep 20, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 29 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 30 vulnerabilities (highest severity is: 9.8) Oct 18, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 30 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-1.1.9.RELEASE.jar: 31 vulnerabilities (highest severity is: 9.8) reachable Nov 1, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 31 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 32 vulnerabilities (highest severity is: 9.8) reachable Dec 23, 2024
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 32 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 26 vulnerabilities (highest severity is: 9.8) reachable Jan 19, 2025
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 26 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 25 vulnerabilities (highest severity is: 9.8) reachable Jan 19, 2025
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 25 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 24 vulnerabilities (highest severity is: 9.8) reachable Jan 20, 2025
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 24 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 23 vulnerabilities (highest severity is: 9.8) reachable Jan 21, 2025
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 23 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 30 vulnerabilities (highest severity is: 9.8) reachable Jan 22, 2025
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 30 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 31 vulnerabilities (highest severity is: 9.8) reachable Jan 22, 2025
@mend-for-github-com mend-for-github-com bot changed the title spring-boot-starter-web-1.1.9.RELEASE.jar: 31 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-1.1.9.RELEASE.jar: 32 vulnerabilities (highest severity is: 9.8) reachable Jan 23, 2025