Vulnerabilities

 53 via 273 paths

Dependencies

 61

Source

 GitHub

Commit

 50cb66f0

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 53
  • 3
Severity
  • 4
  • 25
  • 21
  • 6
Status
  • 56
  • 0
  • 0

critical severity

Time-of-check Time-of-use (TOCTOU) Race Condition

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

  1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

  2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

  3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

References

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability report

critical severity

Time-of-check Time-of-use (TOCTOU) Race Condition

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

  1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

  2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

  3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

References

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability report

critical severity

Uncaught Exception

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

PoC

import requests

# Target server configuration
TARGET_URL = "http://example.com/login"  # Replace with your target's authentication URL
TEST_HEADERS = {
    "Content-Type": "application/json"
}
TEST_PAYLOAD = {
    "username": "test_user",  # Sample username
    "password": "invalid_password"  # Invalid password for testing
}

def check_cve_2024_52316(target_url):
    """
    Test for CVE-2024-52316 vulnerability by sending crafted authentication requests.

    Args:
        target_url (str): The URL of the authentication endpoint to test.
    """
    try:
        print(f"[*] Sending test request to {target_url}")
        # Send a POST request with the test payload
        response = requests.post(target_url, json=TEST_PAYLOAD, headers=TEST_HEADERS, timeout=5)
        
        # Analyze the server's response
        if response.status_code in [401, 403]:
            print(f"[SAFE] The server returned an expected HTTP status code: {response.status_code}")
        elif response.status_code == 200:
            print(f"[VULNERABLE] Potential CVE-2024-52316 detected! Server returned status code: {response.status_code}")
        else:
            print(f"[INFO] Unexpected HTTP status code: {response.status_code}")
            print("Response content:", response.text)
    except requests.exceptions.RequestException as e:
        print(f"[ERROR] Failed to connect to the target: {e}")

if __name__ == "__main__":
    print("[START] CVE-2024-52316 Detection Script")
    check_cve_2024_52316(TARGET_URL)

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.96, 10.1.31, 11.0.0 or higher.

References

Uncaught Exception vulnerability report

critical severity

Improper Access Control

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.5.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Improper Access Control when using an un-prefixed double wildcard pattern ("**") in the Spring Security configuration with the mvcRequestMatcher. This configuration creates a pattern-matching discrepancy between Spring Security and Spring MVC, potentially allowing unauthorized access.

Note: The Spring security team have published information about an existing PoC, but have not shared the PoC itself publicly, therefore we don't currently have the ability to verify it.

Remediation

Upgrade org.springframework:spring-webmvc to version 5.3.26, 6.0.7 or higher.

References

Improper Access Control vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: org.apache.commons:commons-lang3
  • Introduced through: org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 io.swagger.core.v3:swagger-core-jakarta@2.2.9 org.apache.commons:commons-lang3@3.12.0
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.10.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unwrap() function in SecureNio2Channel class, during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an OutOfMemoryError.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.5.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.5.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Improper Cleanup on Thrown Exception

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when handling failed HTTP/2 requests with certain invalid HTTP priority headers. An attacker can trigger an OutOfMemoryException by sending a large number of malicious requests.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

References

Improper Cleanup on Thrown Exception vulnerability report

high severity

Improper Resource Shutdown or Release

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.108, 10.1.44, 11.0.10 or higher.

References

Improper Resource Shutdown or Release vulnerability report

high severity

Insufficient Session Expiration

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

References

Insufficient Session Expiration vulnerability report

high severity

Integer Overflow or Wraparound

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

References

Integer Overflow or Wraparound vulnerability report

high severity

Incorrect Authorization

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.14.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.

Note: This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.

Remediation

Upgrade org.springframework:spring-core to version 6.2.11 or higher.

References

Incorrect Authorization vulnerability report

high severity

Path Traversal

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal via the WebMvc.fn and WebFlux.fn frameworks. An attacker can access any file on the file system that is also accessible to the process in which the Spring application is running by crafting malicious HTTP requests.

Note:

This is only exploitable if the web application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location.

Workaround

This vulnerability can be mitigated by using the Spring Security HTTP Firewall or running the application on Tomcat or Jetty.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.13 or higher.

References

Path Traversal vulnerability report

high severity

Path Traversal

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal through the functional web frameworks WebMvc.fn or WebFlux.fn. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible.

Note: This is similar to CVE-2024-38816, but with different input.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.14 or higher.

References

Path Traversal vulnerability report

high severity

Improper Input Validation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

References

Improper Input Validation vulnerability report

high severity

Relative Path Traversal

  • Vulnerable module: org.springframework:spring-beans
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.

Overview

org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.

Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.

Notes:

  1. This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.

  2. Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.

  3. This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.

Remediation

Upgrade org.springframework:spring-beans to version 6.2.10 or higher.

References

Relative Path Traversal vulnerability report

high severity

Path Equivalence

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with .s.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.99, 10.1.35, 11.0.3 or higher.

References

Path Equivalence vulnerability report

high severity

Relative Path Traversal

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/ by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution.

Note:

  1. Older, EOL versions may also be affected.
  2. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.109, 10.1.45, 11.0.11 or higher.

References

Relative Path Traversal vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Untrusted Search Path

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Untrusted Search Path via the icacls.exe call during Windows installation, when a full path is not specified. An attacker can execute arbitrary code with elevated privileges by placing a malicious executable in a directory that is searched before the intended system directory.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

Untrusted Search Path vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when a WebSocket client can keep a WebSocket connection open which is leading to increased resource consumption.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability report

high severity

Open Redirect

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.4.0.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical components such as path, query, and fragment it may evade validation.

Remediation

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

References

Open Redirect vulnerability report

high severity

Open Redirect

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.5.0.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

Remediation

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

References

Open Redirect vulnerability report

medium severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: commons-io:commons-io
  • Introduced through: org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 io.swagger.core.v3:swagger-core-jakarta@2.2.9 commons-io:commons-io@2.11.0
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0.

Overview

commons-io:commons-io is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') through the XmlStreamReader class. An attacker can cause the application to consume excessive CPU resources by sending specially crafted XML content.

Remediation

Upgrade commons-io:commons-io to version 2.14.0 or higher.

References

Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability report

medium severity

Session Fixation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Session Fixation via the rewrite valve if enabled for a web application. An attacker can gain unauthorized access to another user's session by crafting a request that allows session fixation.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

Session Fixation vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the If-Match or If-None-Match request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.

Workaround

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.springframework:spring-web to version 5.3.38, 6.0.23, 6.1.12 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Arbitrary Code Execution

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.yaml:snakeyaml@1.33
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.yaml:snakeyaml@1.33
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 io.swagger.core.v3:swagger-core-jakarta@2.2.9 org.yaml:snakeyaml@1.33
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 io.swagger.core.v3:swagger-core-jakarta@2.2.9 com.fasterxml.jackson.dataformat:jackson-dataformat-yaml@2.14.2 org.yaml:snakeyaml@1.33
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.2.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.

Remediation

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

References

Arbitrary Code Execution vulnerability report

medium severity

Access Restriction Bypass

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.4.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.4.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

References

Access Restriction Bypass vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.springframework:spring-expression
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.6.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.6.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.2.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.2.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when a user provides a very long SpEL expression.

Remediation

Upgrade org.springframework:spring-expression to version 5.2.24.RELEASE, 5.3.27, 6.0.8 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Authentication Bypass Using an Alternate Path or Channel

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

Authentication Bypass Using an Alternate Path or Channel vulnerability report

medium severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.12.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.12.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.105, 10.1.41, 11.0.7 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

medium severity

Improper Neutralization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving ; or ? characters.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

References

Improper Neutralization vulnerability report

medium severity

Improper Resource Shutdown or Release

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion.

Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.110, 10.1.47, 11.0.12 or higher.

References

Improper Resource Shutdown or Release vulnerability report

medium severity

Improper Neutralization of Special Elements

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.3.15, 1.5.13 or higher.

References

Improper Neutralization of Special Elements vulnerability report

medium severity

External Initialization of Trusted Variables or Data Stores

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.11.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the logback.xml configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.5.19 or higher.

References

External Initialization of Trusted Variables or Data Stores vulnerability report

medium severity

Improper Neutralization of Special Elements

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.3.15, 1.5.13 or higher.

References

Improper Neutralization of Special Elements vulnerability report

medium severity

Open Redirect

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.6.0.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.

Remediation

Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

References

Open Redirect vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.5.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.5.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

References

Improper Input Validation vulnerability report

medium severity

Incomplete Cleanup

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.5.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-tomcat@3.1.1 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.10 org.apache.tomcat.embed:tomcat-embed-core@10.1.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.5.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

References

Incomplete Cleanup vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.springframework:spring-expression
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.5.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.5.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.1.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via a crafted SpEL expression.

Remediation

Upgrade org.springframework:spring-expression to version 5.2.23.RELEASE, 5.3.26, 6.0.7 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.13.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.13.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.3.0.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) when providing a specially crafted HTTP request.

To be vulnerable, these conditions must all be met (which is usually the case for applications dependent on org.springframework.boot:spring-boot-actuator):

  • The affected application uses Spring MVC or Spring WebFlux.

  • io.micrometer:micrometer-core is on the classpath.

  • An ObservationRegistry is configured in the application to record observations.

Workaround

This vulnerability can be avoided by disabling web observations: management.metrics.enable.http.server.requests=false

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.springframework:spring-web to version 6.0.14 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: com.google.googlejavaformat:google-java-format@1.15.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 com.google.googlejavaformat:google-java-format@1.15.0 junit:junit@4.13.2
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 com.google.googlejavaformat:google-java-format@1.15.0 com.google.guava:guava-testlib@31.0.1-jre junit:junit@4.13.2
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 com.google.googlejavaformat:google-java-format@1.15.0 com.google.truth:truth@1.1.3 junit:junit@4.13.2

EPL-1.0 license

EPL-1.0 license vulnerability report

low severity

Creation of Temporary File in Directory with Insecure Permissions

  • Vulnerable module: com.google.guava:guava
  • Introduced through: com.google.googlejavaformat:google-java-format@1.15.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 com.google.googlejavaformat:google-java-format@1.15.0 com.google.guava:guava@31.0.1-jre
    Remediation: Upgrade to com.google.googlejavaformat:google-java-format@1.18.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 com.google.googlejavaformat:google-java-format@1.15.0 com.google.guava:guava-testlib@31.0.1-jre com.google.guava:guava@31.0.1-jre
    Remediation: Upgrade to com.google.googlejavaformat:google-java-format@1.15.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 com.google.googlejavaformat:google-java-format@1.15.0 com.google.truth:truth@1.1.3 com.google.guava:guava@31.0.1-jre

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the use of Java's default temporary directory for file creation in FileBackedOutputStream. Other users and apps on the machine with access to the default Java temporary directory can access the files created by this class. This more fully addresses the underlying issue described in CVE-2020-8908, by deprecating the permissive temp file creation behavior.

NOTE: Even though the security vulnerability is fixed in version 32.0.0, the maintainers recommend using version 32.0.1, as version 32.0.0 breaks some functionality under Windows.

Remediation

Upgrade com.google.guava:guava to version 32.0.0-android, 32.0.0-jre or higher.

References

Creation of Temporary File in Directory with Insecure Permissions vulnerability report

low severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-starter-logging@3.1.1 ch.qos.logback:logback-classic@1.4.8 ch.qos.logback:logback-core@1.4.8
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the SaxEventRecorder process. An attacker can forge requests by compromising logback configuration files in XML.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.3.15, 1.5.13 or higher.

References

Server-side Request Forgery (SSRF) vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-context
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-context to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-expression@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springdoc:springdoc-openapi-starter-common@2.1.0 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework.boot:spring-boot-starter@3.1.1 org.springframework.boot:spring-boot-autoconfigure@3.1.1 org.springframework.boot:spring-boot@3.1.1 org.springframework:spring-context@6.0.4 org.springframework:spring-aop@6.0.4 org.springframework:spring-beans@6.0.4 org.springframework:spring-core@6.0.10
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-core to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework.boot:spring-boot-starter-json@3.1.1 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4 org.springframework:spring-web@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-web to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.0.2 and org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0

Detailed paths

  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springframework.boot:spring-boot-starter-web@3.0.2 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: apavlidi/WebCrawler@apavlidi/WebCrawler#50cb66f074da933d3d3802d3d3aa2f20799bb623 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.1.0 org.springdoc:springdoc-openapi-starter-webmvc-api@2.1.0 org.springframework:spring-webmvc@6.0.4
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.7.0.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report