Vulnerabilities

 8 via 43 paths

Dependencies

 79

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 8
  • 2
Severity
  • 1
  • 2
  • 6
  • 1
Status
  • 10
  • 0
  • 0

critical severity
new

HTTP Request Smuggling

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-servlet@11.0.26 and org.eclipse.jetty:jetty-webapp@11.0.26

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26 org.eclipse.jetty:jetty-http@11.0.26
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-webapp@11.0.26 org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26 org.eclipse.jetty:jetty-http@11.0.26

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to HTTP Request Smuggling in the HTTP/1.1 parser (HttpParser.java). An attacker can inject additional HTTP requests with chunked transfer encoding with improperly terminated quoted strings.

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 12.0.33, 12.1.7 or higher.

References

HTTP Request Smuggling vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: commons-lang:commons-lang
  • Introduced through: org.constretto:constretto-core@2.2.3 and org.constretto:constretto-spring@2.2.3

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.constretto:constretto-core@2.2.3 org.constretto:constretto-api@2.2.3 commons-lang:commons-lang@2.6
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.constretto:constretto-spring@2.2.3 org.constretto:constretto-api@2.2.3 commons-lang:commons-lang@2.6
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.constretto:constretto-spring@2.2.3 org.constretto:constretto-core@2.2.3 org.constretto:constretto-api@2.2.3 commons-lang:commons-lang@2.6

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

There is no fixed version for commons-lang:commons-lang.

References

Uncontrolled Recursion vulnerability report

high severity
new

Incomplete Cleanup

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework:spring-web@6.2.17 and org.springframework:spring-webmvc@6.2.17

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-web@6.2.17
    Remediation: Upgrade to org.springframework:spring-web@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-web@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Incomplete Cleanup via multipart request handling in WebFlux. An attacker can exhaust disk space by sending multipart requests with large parts that trigger creation of temporary files, which under certain conditions are not deleted after the request completes, leading to accumulation of temp files and denial of service.

Remediation

Upgrade org.springframework:spring-web to version 6.2.18, 7.0.7 or higher.

References

Incomplete Cleanup vulnerability report

medium severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework:spring-beans@6.2.17, org.springframework:spring-context@6.2.17 and others

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-beans@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-context@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-context@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-jdbc@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-jdbc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-web@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-web@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-context@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-context@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-jdbc@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-jdbc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-web@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-web@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-context@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-context@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-context@6.2.17 org.springframework:spring-expression@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-context@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-expression@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.2.17 org.springframework:spring-core@6.2.17
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-context@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-jdbc@6.2.17 org.springframework:spring-tx@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-jdbc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-web@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-context@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-context@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-context@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-jdbc@6.2.17 org.springframework:spring-tx@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-jdbc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-web@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-core@6.2.17
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-context@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.2.17 org.springframework:spring-expression@6.2.17 org.springframework:spring-core@6.2.17
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-context@6.2.17 org.springframework:spring-expression@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.glassfish.hk2:spring-bridge@3.1.1 org.springframework:spring-context@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17 org.springframework:spring-context@6.2.17 org.springframework:spring-aop@6.2.17 org.springframework:spring-beans@6.2.17 org.springframework:spring-core@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via static resource resolution. An attacker can cause denial of service by sending crafted requests that are slow to resolve when accessing file-system-backed static resources, causing HTTP connections to remain occupied and exhausting server resources.

Note: This is only exploitable if all the following are true:

  1. The application uses Spring MVC or Spring WebFlux.

  2. Static resources are served from the file system.

  3. The application is running on Windows.

Remediation

Upgrade org.springframework:spring-core to version 6.2.18, 7.0.7 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-servlet@11.0.26 and org.eclipse.jetty:jetty-webapp@11.0.26

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26 org.eclipse.jetty:jetty-http@11.0.26
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-webapp@11.0.26 org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26 org.eclipse.jetty:jetty-http@11.0.26

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

  1. This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;

  2. The Jetty usage of the HttpURI class is not vulnerable.

Workaround

This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.

PoC

http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.57.v20241219, 12.0.12 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-servlet@11.0.26 and org.eclipse.jetty:jetty-webapp@11.0.26

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-webapp@11.0.26 org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

  1. This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;

  2. The Jetty usage of the HttpURI class is not vulnerable.

Workaround

This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.

PoC

http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.57.v20241219, 12.0.12 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity

Interpretation Conflict

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-servlet@11.0.26 and org.eclipse.jetty:jetty-webapp@11.0.26

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26
  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.eclipse.jetty:jetty-webapp@11.0.26 org.eclipse.jetty:jetty-servlet@11.0.26 org.eclipse.jetty:jetty-security@11.0.26 org.eclipse.jetty:jetty-server@11.0.26

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Interpretation Conflict due to inconsistent handling of invalid or unusual URIs in the parse() function on HttpURI.java‎. An attacker can bypass security controls or access restricted resources by crafting specially formatted URIs that are interpreted differently by various system components.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 12.0.31, 12.1.5 or higher.

References

Interpretation Conflict vulnerability report

medium severity

EPL-1.0 license

  • Module: org.aspectj:aspectjweaver
  • Introduced through: org.constretto:constretto-spring@2.2.3

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.constretto:constretto-spring@2.2.3 org.aspectj:aspectjweaver@1.7.4

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

LGPL-2.1 license

  • Module: org.mariadb.jdbc:mariadb-java-client
  • Introduced through: org.mariadb.jdbc:mariadb-java-client@3.5.7

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.mariadb.jdbc:mariadb-java-client@3.5.7

LGPL-2.1 license

LGPL-2.1 license vulnerability report

low severity
new

HTTP Request Smuggling

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework:spring-webmvc@6.2.17

Detailed paths

  • Introduced through: Cantara/Whydah-StatisticsService@Cantara/Whydah-StatisticsService org.springframework:spring-webmvc@6.2.17
    Remediation: Upgrade to org.springframework:spring-webmvc@6.2.18.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the static resource resolution and caching mechanism. An attacker can poison the resource cache by sending crafted requests that cause resources to be cached with incorrect encodings when resource chain caching and encoded resource resolution are enabled. This can lead to denial of service by breaking front-end resource loading for subsequent clients.

Note: This is only exploitable if all the following is true:

  1. The application is configuring the resource chain support with caching enabled.

  2. The application adds support for encoded resource resolution.

  3. The resource cache must be empty when the attacker has access to the application.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.2.18, 7.0.7 or higher.

References

HTTP Request Smuggling vulnerability report