Vulnerabilities: 2 (via 3 paths)

Dependencies: 30

Source: GitHub


high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: tools.jackson.core:jackson-core
  • Introduced through: org.springframework.data:spring-data-elasticsearch@6.0.5

Detailed paths

  • Introduced through: fherbreteau/spring-data-elasticsearch-extension > org.springframework.data:spring-data-elasticsearch@6.0.5 > co.elastic.clients:elasticsearch-java@9.2.8 > tools.jackson.core:jackson-core@3.1.0
  • Introduced through: fherbreteau/spring-data-elasticsearch-extension > org.springframework.data:spring-data-elasticsearch@6.0.5 > co.elastic.clients:elasticsearch-java@9.2.8 > tools.jackson.core:jackson-databind@3.1.0 > tools.jackson.core:jackson-core@3.1.0

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the enforcement of document length constraints in blocking, async, and DataInput parser processes. An attacker can cause excessive resource consumption by submitting oversized JSON documents that bypass configured size limits.

Remediation

Upgrade tools.jackson.core:jackson-core to version 3.1.1 or higher.

medium severity (new)

Missing Critical Step in Authentication

  • Vulnerable module: org.apache.httpcomponents.client5:httpclient5
  • Introduced through: org.springframework.data:spring-data-elasticsearch@6.0.5

Detailed paths

  • Introduced through: fherbreteau/spring-data-elasticsearch-extension > org.springframework.data:spring-data-elasticsearch@6.0.5 > co.elastic.clients:elasticsearch-java@9.2.8 > co.elastic.clients:elasticsearch-rest5-client@9.2.8 > org.apache.httpcomponents.client5:httpclient5@5.6

Overview

org.apache.httpcomponents.client5:httpclient5 is the HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Missing Critical Step in Authentication in the AuthenticationHandler's handleResponse() method. The client may accept SCRAM-SHA-256 authentication by default, without mutual verification.

Remediation

Upgrade org.apache.httpcomponents.client5:httpclient5 to version 5.6.1 or higher.
