Vulnerabilities

13 via 67 paths

Dependencies

77

Source

GitHub

Find, fix and prevent vulnerabilities in your code.

Severity
  • 8
  • 5
Status
  • 13
  • 0
  • 0

high severity
new

Improper Authentication

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0 and org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication in the EncryptionInterceptor process of the cluster component. An attacker can gain unauthorized access or perform unauthorized actions by replaying previously captured authentication data.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.119, 10.1.56, 11.0.23 or higher.

References

high severity
new

Detection of Error Condition Without Action

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0 and org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Detection of Error Condition Without Action due to improper handling of invalid certificate revocation list (CRL) configurations in the FFM connector. An attacker can bypass intended certificate validation by supplying an invalid CRL configuration.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.119, 10.1.56, 11.0.23 or higher.

References

high severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.springframework.cloud:spring-cloud-starter@5.0.2 org.bouncycastle:bcprov-jdk18on@1.81.1

Overview

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the generateCTR process in G3413CTRBlockCipher. An attacker can recover relationships between encrypted plaintext blocks by driving the cipher past its counter range and causing the counter to wrap, which makes the stream repeat and produces identical ciphertext for different blocks. This breaks the confidentiality of data protected with G3413CTRBlockCipher and can expose plaintext patterns or allow plaintext recovery when the same key and IV are reused across enough blocks.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

high severity

Timing Attack

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.springframework.cloud:spring-cloud-starter@5.0.2 org.bouncycastle:bcprov-jdk18on@1.81.1

Overview

Affected versions of this package are vulnerable to Timing Attack through the sample and sample_matrix functions in FrodoEngine.java. An attacker can recover information about the sampled noise values by observing how long Frodo key generation or encapsulation takes when it processes attacker-influenced inputs. The variable-time comparison and sign handling in the error sampler leak the distribution of the generated samples, weakening the secrecy of the private Frodo noise and enabling key-recovery attacks against affected deployments.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.httpcomponents.core5:httpcore5-h2
  • Introduced through: org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.apache.httpcomponents.client5:httpclient5@5.5.2 org.apache.httpcomponents.core5:httpcore5-h2@5.3.6
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.apache.httpcomponents.client5:httpclient5@5.5.2 org.apache.httpcomponents.core5:httpcore5-h2@5.3.6

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the HPackDecoder process. An attacker can exhaust system memory by sending oversized compressed header blocks before the HTTP/2 SETTINGS acknowledgement applies the configured header list size limit.

Remediation

Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.3, 5.5-beta2 or higher.

References

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.httpcomponents.core5:httpcore5-h2
  • Introduced through: org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.apache.httpcomponents.client5:httpclient5@5.5.2 org.apache.httpcomponents.core5:httpcore5-h2@5.3.6
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.apache.httpcomponents.client5:httpclient5@5.5.2 org.apache.httpcomponents.core5:httpcore5-h2@5.3.6

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HTTP/1.1 message parsing process. An attacker can exhaust system memory by sending messages with an excessive number of headers or excessively long headers.

Remediation

Upgrade org.apache.httpcomponents.core5:httpcore5-h2 to version 5.4.2, 5.5-beta1 or higher.

References

high severity
new

Incorrect Authorization

  • Vulnerable module: tools.jackson.core:jackson-databind
  • Introduced through: org.springframework.cloud:spring-cloud-config-server@5.0.4 and org.springframework.boot:spring-boot-starter-web@4.1.0

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 tools.jackson.core:jackson-databind@3.1.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 tools.jackson.dataformat:jackson-dataformat-yaml@3.1.4 tools.jackson.core:jackson-databind@3.1.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-jackson@4.1.0 org.springframework.boot:spring-boot-jackson@4.1.0 tools.jackson.core:jackson-databind@3.1.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-jackson@4.1.0 org.springframework.boot:spring-boot-jackson@4.1.0 tools.jackson.core:jackson-databind@3.1.4

Overview

Affected versions of this package are vulnerable to Incorrect Authorization in the deserialization process when handling properties annotated with both @JsonView and @JsonUnwrapped. An attacker can modify data that should be restricted to a higher-privileged view by supplying crafted JSON input.

Remediation

Upgrade tools.jackson.core:jackson-databind to version 3.1.5, 3.2.1 or higher.

References

high severity
new

Expression Injection

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0, org.springframework.boot:spring-boot-starter-web@4.1.0 and others

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-actuator@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-actuator@4.1.0 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-jackson@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-validation@4.0.7 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-jackson@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.springframework.cloud:spring-cloud-starter@5.0.2 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 ch.qos.logback:logback-classic@1.5.34 ch.qos.logback:logback-core@1.5.34

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Expression Injection in the Janino-evaluated condition attribute of <if> configuration elements, handled by IfModelHandler, whose denylist blocked only the literal new operator. A user who can modify the logback configuration can execute arbitrary code by writing an <if> condition that evades that denylist, either through references it did not cover such as Runtime or springframework, or through Unicode escape sequences like \u that reconstruct the blocked new operator. Exploitation requires write access to the logback configuration and the use of conditional <if> processing with Janino present on the classpath.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.5.36 or higher.

References

medium severity
new

Always-Incorrect Control Flow Implementation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0 and org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to incorrect control flow in the RewriteValve process. An attacker can bypass intended rewrite rules by crafting requests that exploit the improper evaluation of OR chains in conditions.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.119, 10.1.56, 11.0.23 or higher.

References

medium severity

LDAP Injection

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.springframework.cloud:spring-cloud-starter@5.0.2 org.bouncycastle:bcprov-jdk18on@1.81.1

Overview

Affected versions of this package are vulnerable to LDAP Injection via the parseDN handling and the LDAP store helpers in X509LDAPCertStoreSpi and LDAPStoreHelper. An attacker can influence LDAP search filters by supplying a crafted X.500 subject or issuer string that is parsed into an unescaped filter value. This lets the attacker alter the directory query used to locate certificates and CRLs, causing the application to retrieve incorrect LDAP entries or fail to find the intended ones, which can break certificate validation and revocation checks.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

medium severity
new

Improper Encoding or Escaping of Output

  • Vulnerable module: org.apache.logging.log4j:log4j-api
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.1.0, org.springframework.boot:spring-boot-starter-web@4.1.0 and others

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-actuator@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-actuator@4.1.0 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-jackson@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-validation@4.0.7 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-jackson@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.cloud:spring-cloud-config-client@5.0.4 org.springframework.cloud:spring-cloud-starter@5.0.2 org.springframework.boot:spring-boot-starter@4.1.0 org.springframework.boot:spring-boot-starter-logging@4.1.0 org.apache.logging.log4j:log4j-to-slf4j@2.25.4 org.apache.logging.log4j:log4j-api@2.25.4

Overview

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the MapMessage.asJson() method, which emits the bare NaN, Infinity, or -Infinity tokens instead of an RFC 8259-compliant representation. An attacker can emit malformed JSON that corrupts the enclosing log record or disrupts downstream log ingestion and parsing by supplying non-finite floating-point values that the application records in a logged MapMessage. Exploitation requires the application to use the message resolver of JsonTemplateLayout, or another layout relying on MapMessage.asJson(), and to log a MapMessage holding attacker-controlled floating-point values.

Note: This is a bypass of the fix for the vulnerability described in CVE-2026-34481.

Remediation

A fix was pushed into the master branch but not yet published.

References

medium severity
new

Always-Incorrect Control Flow Implementation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0 and org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation due to the incomplete logging of the effective web.xml when special roles and empty authorization constraints are present. An attacker can bypass intended access restrictions by exploiting the absence of these constraints in the logged configuration.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.119, 10.1.56, 11.0.23 or higher.

References

medium severity
new

Improper Authorization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@4.1.0 and org.springframework.cloud:spring-cloud-config-server@5.0.4

Detailed paths

  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.22 org.apache.tomcat.embed:tomcat-embed-core@11.0.22
  • Introduced through: ar-ecommerce-platform/config-server@ar-ecommerce-platform/config-server org.springframework.cloud:spring-cloud-config-server@5.0.4 org.springframework.boot:spring-boot-starter-web@4.1.0 org.springframework.boot:spring-boot-starter-tomcat@4.1.0 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0 org.springframework.boot:spring-boot-tomcat@4.1.0 org.apache.tomcat.embed:tomcat-embed-core@11.0.22

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authorization due to the improper enforcement of security constraints in the default servlet when certain HTTP methods or method omissions are configured. An attacker can gain unauthorized access to protected resources by sending requests using HTTP methods that are not properly restricted.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.119, 10.1.56, 11.0.23 or higher.

References