high severity
new
- Vulnerable module: org.springframework.boot:spring-boot-actuator
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-actuator-autoconfigure@4.0.0 › org.springframework.boot:spring-boot-actuator@4.0.0
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-actuator@4.0.4.
Overview
Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFoundry Actuator path.
Note:
This is only exploitable if all of the following conditions are met:
- the application is a web application
- the application contributes an application endpoint that requires authentication under a subpath, like "/cloudfoundryapplication/admin"
Remediation
Upgrade org.springframework.boot:spring-boot-actuator to version 3.5.12, 4.0.4 or higher.
References
high severity
new
- Vulnerable module: org.springframework.boot:spring-boot-actuator
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-actuator-autoconfigure@4.0.0 › org.springframework.boot:spring-boot-actuator@4.0.0
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-actuator@4.0.4.
Overview
Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending requests to these specific paths.
Note:
This is only exploitable if all of the following conditions are met:
- the application declares a custom health group (here "mygroup"), with management.endpoint.health.group.mygroup.include
- this health group is exposed under an additional path on the main server, like management.endpoint.health.group.mygroup.additional-path=server:/healthz
- the application contributes an application endpoint that requires authentication under a subpath, like "/healthz/admin"
Mapping application endpoints under infrastructure endpoints like Actuators is not recommended by the Spring team and doing so is likely to interfere with other configurations and cause behavior problems. This setup is expected to rarely occur in production.
Remediation
Upgrade org.springframework.boot:spring-boot-actuator to version 3.5.12, 4.0.4 or higher.
References
high severity
new
- Vulnerable module: org.springframework.boot:spring-boot-actuator-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-actuator-autoconfigure@4.0.0
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-actuator@4.0.4.
Overview
Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the Actuator CloudFoundry endpoints. An attacker can gain unauthorized access to protected endpoints by sending requests to application endpoints declared under the CloudFoundry Actuator path.
Note:
This is only exploitable if all of the following conditions are met:
- the application is a web application
- the application contributes an application endpoint that requires authentication under a subpath, like "/cloudfoundryapplication/admin"
Remediation
Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 3.5.12, 4.0.4 or higher.
References
high severity
new
- Vulnerable module: org.springframework.boot:spring-boot-actuator-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-actuator-autoconfigure@4.0.0
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-actuator@4.0.4.
Overview
Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the configuration of endpoints under paths already assigned to Health Group additional paths. An attacker can gain unauthorized access to protected endpoints by sending requests to these specific paths.
Note:
This is only exploitable if all of the following conditions are met:
- the application declares a custom health group (here "mygroup"), with management.endpoint.health.group.mygroup.include
- this health group is exposed under an additional path on the main server, like management.endpoint.health.group.mygroup.additional-path=server:/healthz
- the application contributes an application endpoint that requires authentication under a subpath, like "/healthz/admin"
Mapping application endpoints under infrastructure endpoints like Actuators is not recommended by the Spring team and doing so is likely to interfere with other configurations and cause behavior problems. This setup is expected to rarely occur in production.
Remediation
Upgrade org.springframework.boot:spring-boot-actuator-autoconfigure to version 3.5.12, 4.0.4 or higher.
References
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-starter@4.0.0 › org.springframework.boot:spring-boot-starter-logging@4.0.0 › ch.qos.logback:logback-classic@1.5.21
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-starter-micrometer-metrics@4.0.0 › org.springframework.boot:spring-boot-starter@4.0.0 › org.springframework.boot:spring-boot-starter-logging@4.0.0 › ch.qos.logback:logback-classic@1.5.21
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-starter@4.0.0 › org.springframework.boot:spring-boot-starter-logging@4.0.0 › ch.qos.logback:logback-classic@1.5.21 › ch.qos.logback:logback-core@1.5.21
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-starter-micrometer-metrics@4.0.0 › org.springframework.boot:spring-boot-starter@4.0.0 › org.springframework.boot:spring-boot-starter-logging@4.0.0 › ch.qos.logback:logback-classic@1.5.21 › ch.qos.logback:logback-core@1.5.21
Dual license: EPL-1.0, LGPL-2.1
low severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-actuator@4.0.0
Detailed paths
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-starter@4.0.0 › org.springframework.boot:spring-boot-starter-logging@4.0.0 › ch.qos.logback:logback-classic@1.5.21 › ch.qos.logback:logback-core@1.5.21
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-actuator@4.0.2.
- Introduced through: cf-toolsuite/spring-boot-starter-runtime-metadata@cf-toolsuite/spring-boot-starter-runtime-metadata#ce4afff57f019b0dd41743f113dc861283f5e9a6 › org.springframework.boot:spring-boot-starter-actuator@4.0.0 › org.springframework.boot:spring-boot-starter-micrometer-metrics@4.0.0 › org.springframework.boot:spring-boot-starter@4.0.0 › org.springframework.boot:spring-boot-starter-logging@4.0.0 › ch.qos.logback:logback-classic@1.5.21 › ch.qos.logback:logback-core@1.5.21
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-actuator@4.0.2.
Overview
ch.qos.logback:logback-core is the core module of the logback logging framework.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores during the configuration file processing. An attacker can instantiate arbitrary classes already present on the class path by compromising an existing configuration file.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.25 or higher.