spring-boot-starter-websocket-3.3.0.jar: 13 vulnerabilities (highest severity is: 9.8) #184
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - tomcat-embed-core-10.1.24.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Publish Date: 2024-12-20
URL: CVE-2024-56337
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-20
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - tomcat-embed-core-10.1.24.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52316
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - tomcat-embed-core-10.1.24.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Mend Note: The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.
Publish Date: 2024-12-17
URL: CVE-2024-50379
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-17
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - tomcat-embed-core-10.1.24.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat, leading to Denial of Service (DoS).
Publish Date: 2024-11-07
URL: CVE-2024-38286
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2024/q3/264
Release Date: 2024-11-07
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-webmvc-6.1.8.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
This is similar to CVE-2024-38816, but with different input.
Publish Date: 2024-12-19
URL: CVE-2024-38819
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38819
Release Date: 2024-06-20
Fix Resolution (org.springframework:spring-webmvc): 6.1.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-webmvc-6.1.8.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
However, malicious requests are blocked and rejected when any of the following is true:
Publish Date: 2024-09-13
URL: CVE-2024-38816
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38816
Release Date: 2024-09-13
Fix Resolution (org.springframework:spring-webmvc): 6.1.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - tomcat-embed-core-10.1.24.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Publish Date: 2024-07-03
URL: CVE-2024-34750
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l
Release Date: 2024-07-03
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.25
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - logback-classic-1.5.6.jar, logback-core-1.5.6.jar
logback-classic-1.5.6.jar
logback-classic module
Library home page: http://www.qos.ch
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
logback-core-1.5.6.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto and including version 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Publish Date: 2024-12-19
URL: CVE-2024-12798
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pr98-23f8-jwxv
Release Date: 2024-12-19
Fix Resolution: ch.qos.logback:logback-core:1.5.13, ch.qos.logback:logback-classic:1.5.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - tomcat-embed-core-10.1.24.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.
This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52317
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.5
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-webmvc-6.1.8.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Spring MVC controller methods with an @RequestBody byte[] method parameter are vulnerable to a DoS attack.
Publish Date: 2024-11-18
URL: CVE-2024-38828
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.1.8.jar
Spring Web
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Publish Date: 2024-09-27
URL: CVE-2024-38809
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38809
Release Date: 2024-09-27
Fix Resolution (org.springframework:spring-web): 6.1.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - logback-core-1.5.6.jar
logback-core module
Library home page: http://www.qos.ch
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Publish Date: 2024-12-19
URL: CVE-2024-12801
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-6v67-2wr5-gvf4
Release Date: 2024-12-19
Fix Resolution: ch.qos.logback:logback-core:1.5.13
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-context-6.1.8.jar
Spring Context
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /server/pom.xml
Path to vulnerable library: /server/pom.xml
Dependency Hierarchy:
Found in HEAD commit: bc9ca299e425a9da8235c437adf4f12b24988946
Found in base branch: main
Vulnerability Details
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Publish Date: 2024-10-18
URL: CVE-2024-38820
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38820
Release Date: 2024-10-18
Fix Resolution (org.springframework:spring-context): 6.1.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-websocket): 3.3.5
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: