Vulnerabilities: 40 via 179 paths

Dependencies: 40

Source: GitHub

Commit: d83e1c51

critical severity

Time-of-check Time-of-use (TOCTOU) Race Condition

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case-insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass the case-sensitivity checks, causing the file to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default value of the readonly initialization parameter (true) is not vulnerable.

This issue is related to CVE-2024-56337, which defines the additional configuration needed to fully mitigate it, since upgrading to the fixed version alone does not fully mitigate this vulnerability.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat:

  1. Running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true).

  2. Running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false).

  3. Running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed).

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

critical severity

Time-of-check Time-of-use (TOCTOU) Race Condition

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to incomplete mitigation advice associated with CVE-2024-50379 in the file-handling process when the default servlet is write-enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat:

  1. Running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true).

  2. Running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false).

  3. Running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed).

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

critical severity

Uncaught Exception

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

PoC

import requests

# Target server configuration
TARGET_URL = "http://example.com/login"  # Replace with your target's authentication URL
TEST_HEADERS = {
    "Content-Type": "application/json"
}
TEST_PAYLOAD = {
    "username": "test_user",  # Sample username
    "password": "invalid_password"  # Invalid password for testing
}

def check_cve_2024_52316(target_url):
    """
    Test for CVE-2024-52316 vulnerability by sending crafted authentication requests.

    Args:
        target_url (str): The URL of the authentication endpoint to test.
    """
    try:
        print(f"[*] Sending test request to {target_url}")
        # Send a POST request with the test payload
        response = requests.post(target_url, json=TEST_PAYLOAD, headers=TEST_HEADERS, timeout=5)
        
        # Analyze the server's response
        if response.status_code in [401, 403]:
            print(f"[SAFE] The server returned an expected HTTP status code: {response.status_code}")
        elif response.status_code == 200:
            print(f"[VULNERABLE] Potential CVE-2024-52316 detected! Server returned status code: {response.status_code}")
        else:
            print(f"[INFO] Unexpected HTTP status code: {response.status_code}")
            print("Response content:", response.text)
    except requests.exceptions.RequestException as e:
        print(f"[ERROR] Failed to connect to the target: {e}")

if __name__ == "__main__":
    print("[START] CVE-2024-52316 Detection Script")
    check_cve_2024_52316(TARGET_URL)

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.96, 10.1.31, 11.0.0 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the HTTP/2 multiplexing feature. An attacker can trigger resource exhaustion by creating an excessive number of HTTP/2 streams within a single TCP connection.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unwrap() function in the SecureNio2Channel class during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an OutOfMemoryError.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

high severity

Improper Cleanup on Thrown Exception

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when handling failed HTTP/2 requests with certain invalid HTTP priority headers. An attacker can trigger an OutOfMemoryException by sending a large number of malicious requests.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

high severity

Improper Resource Shutdown or Release

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.108, 10.1.44, 11.0.10 or higher.

high severity

Insufficient Session Expiration

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.7.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration because an infinite timeout is improperly assigned to an open connection in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

high severity

Integer Overflow or Wraparound

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.8.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

high severity (new)

Incorrect Authorization

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.10.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.

Note: This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.

Remediation

Upgrade org.springframework:spring-core to version 6.2.11 or higher.

References

high severity

Path Traversal

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.10.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal via the WebMvc.fn and WebFlux.fn frameworks. An attacker can access any file on the file system that is also accessible to the process in which the Spring application is running by crafting malicious HTTP requests.

Note:

This is only exploitable if the web application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location.

Workaround

This vulnerability can be mitigated by using the Spring Security HTTP Firewall or running the application on Tomcat or Jetty.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.13 or higher.

References

high severity

Path Traversal

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal through the functional web frameworks WebMvc.fn or WebFlux.fn. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Note: This is similar to CVE-2024-38816, but with different input.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.14 or higher.

References

high severity

Improper Input Validation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

References

high severity

Relative Path Traversal

  • Vulnerable module: org.springframework:spring-beans
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.4.9.

Overview

org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.

Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.

Notes:

  1. This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.

  2. Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.

  3. This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.

Remediation

Upgrade org.springframework:spring-beans to version 6.2.10 or higher.

References

high severity

Path Equivalence

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with '.' characters.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.99, 10.1.35, 11.0.3 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption - An attacker sends crafted requests that cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sends crafted requests that cause the system to crash. For example, the npm ws package.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) when a WebSocket client keeps a WebSocket connection open, leading to increased resource consumption.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if the logback receiver component is deployed.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

high severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback receiver component to be enabled and reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if the logback receiver component is deployed.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

high severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.7.

Overview

ch.qos.logback:logback-core is the core module of the logback logging framework; logback-classic builds on it.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

high severity

Open Redirect

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.9.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when an application uses UriComponentsBuilder to parse an externally provided URL (for example from a query parameter), validates the host of the parsed URL, and then uses that URL, typically as a redirect target. A crafted URL whose hierarchical components (path, query, fragment) are interpreted differently by the browser than by the parser can pass the host check and still send the user to another site.

Remediation

Upgrade org.springframework:spring-web to version 5.3.32, 6.0.17, 6.1.4 or higher.

References

high severity

Open Redirect

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.10.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when using UriComponentsBuilder to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22243, but with different input.

Remediation

Upgrade org.springframework:spring-web to version 5.3.33, 6.0.18, 6.1.5 or higher.

References

medium severity

Session Fixation

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Session Fixation via the rewrite valve (RewriteValve), if it is enabled for a web application. An attacker who can plant a session identifier of their own choosing in a victim's browser can later use that identifier to access the victim's authenticated session. The valve is off unless explicitly configured; Spring Boot's embedded Tomcat does not enable it by default.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.9.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the form of improper ETag prefix validation when parsing ETags from the If-Match or If-None-Match request headers. An attacker can exploit this vulnerability to cause denial of service by sending a maliciously crafted conditional HTTP request.

Workaround

Users of older, unsupported versions could enforce a size limit on If-Match and If-None-Match headers, e.g. through a Filter.
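
One way to apply the Filter-based workaround described above. This is an added example written for this page, not code from kyriosdata/exemplo or from the Spring project; the 1024-character limit, the 431 status and the class name are assumptions, and it targets the jakarta.servlet API that Spring Boot 3 uses. Upgrading remains the real fix; the filter only bounds the input the vulnerable parser can receive.

```java
import java.io.IOException;
import java.util.Enumeration;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.stereotype.Component;

/**
 * Rejects requests whose If-Match / If-None-Match headers are implausibly large
 * before they reach Spring's ETag parsing. Spring Boot registers any Filter bean
 * on the embedded container, so the @Component annotation is all the wiring needed.
 */
@Component
public class ConditionalHeaderSizeFilter implements Filter {

    // Assumed limit for this example: a legitimate ETag list is a few dozen bytes;
    // 1 KiB leaves ample room while bounding the work a crafted header can cause.
    static final int MAX_CONDITIONAL_HEADER_CHARS = 1024;

    private static final String[] GUARDED_HEADERS = {"If-Match", "If-None-Match"};

    /** True when the combined length of each guarded header stays within the limit. */
    static boolean withinLimit(HttpServletRequest request) {
        for (String name : GUARDED_HEADERS) {
            Enumeration<String> values = request.getHeaders(name);
            if (values == null) {
                continue; // container denied access to the header; nothing to measure
            }
            int total = 0;
            while (values.hasMoreElements()) {
                // A header may be sent several times; count all occurrences together.
                total += values.nextElement().length();
                if (total > MAX_CONDITIONAL_HEADER_CHARS) {
                    return false;
                }
            }
        }
        return true;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest httpRequest && !withinLimit(httpRequest)) {
            // 431 Request Header Fields Too Large; the request never reaches a controller.
            ((HttpServletResponse) response).sendError(431, "Conditional request header too large");
            return;
        }
        chain.doFilter(request, response);
    }
}
```

The filter counts every occurrence of each header, since a client may repeat a header name instead of sending one long value; a limit on a single value alone would be easy to sidestep.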

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike most other vulnerability classes, DoS attacks do not aim at reading or altering data; they target availability, making websites and services unusable for genuine users and causing downtime.

The best-known form of denial of service is DDoS (Distributed Denial of Service), an attack that saturates the network path to a system with traffic generated from many machines.

A DoS vulnerability in an open source library is different: a single attacker can crash or cripple the service by exploiting a flaw, either in the application's own code or in a library it depends on, rather than by overwhelming it with traffic.

Two common types of DoS vulnerabilities:

  • High CPU/memory consumption - an attacker sends crafted requests that take a disproportionate amount of time or memory to process. Example: commons-fileupload:commons-fileupload.

  • Crash - an attacker sends crafted requests that cause the process to crash. Example: the npm ws package.

Remediation

Upgrade org.springframework:spring-web to version 5.3.38, 6.0.23, 6.1.12 or higher.

References

medium severity

Arbitrary Code Execution

  • Vulnerable module: org.yaml:snakeyaml
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.yaml:snakeyaml@1.33
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.0.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.yaml:snakeyaml@1.33
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.0.

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution when the Constructor class (what new Yaml() uses by default) is used to load untrusted input, because it does not restrict which Java types a document may instantiate through tags. An attacker who supplies a malicious YAML document to such a loader can have arbitrary classes instantiated. Loading through SafeConstructor is not affected; Spring Boot's own application.yml loading already uses a restricted constructor, so the exposure here is application code that parses untrusted YAML with new Yaml().

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.
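
The two loader choices side by side, as an added example for this page (not code from kyriosdata/exemplo or from the SnakeYAML project). The class name, the sample documents and the alias cap are assumptions; the calls are the ordinary SnakeYAML 1.3x/2.x API.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public final class UntrustedYaml {

    private UntrustedYaml() {}

    // Constructed sample input for the example: a plain mapping, and a document that
    // asks the parser to instantiate an arbitrary Java class through a !! tag.
    static final String PLAIN_DOCUMENT = "name: demo\nretries: 3\n";
    static final String TAGGED_DOCUMENT = "!!java.net.URL [\"http://127.0.0.1/\"]\n";

    /**
     * The pattern the advisory warns about: new Yaml() uses the full Constructor, which on
     * snakeyaml < 2.0 resolves !!some.Class tags and instantiates the class on the
     * attacker's behalf. Never call this on input you did not write yourself.
     */
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    /**
     * Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars) and
     * throws a YAMLException (ConstructorException) for any class-instantiating tag, so
     * TAGGED_DOCUMENT is rejected while PLAIN_DOCUMENT loads as a map.
     * Returns null when the document is rejected so callers fail closed.
     */
    static Map<String, Object> loadUntrusted(String yaml) {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(50); // also caps "billion laughs" alias expansion
        Yaml safe = new Yaml(new SafeConstructor(options));
        try {
            Object parsed = safe.load(yaml);
            if (parsed instanceof Map<?, ?> map) {
                @SuppressWarnings("unchecked")
                Map<String, Object> typed = (Map<String, Object>) map;
                return typed;
            }
            return null; // top-level value was not a mapping
        } catch (YAMLException e) {
            return null; // tag not permitted, or malformed input
        }
    }
}
```

Treating a rejected document as null rather than rethrowing keeps the decision in one place; the caller only ever sees plain maps, lists and scalars, whatever version of the library is on the classpath.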

Remediation

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

References

medium severity

Authentication Bypass Using an Alternate Path or Channel

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

medium severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.12.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.12.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. On a case-insensitive file system, an attacker can bypass security constraints that apply to the pathInfo component by varying its case. The CGI servlet is commented out in Tomcat's default web.xml and is not registered by Spring Boot's embedded Tomcat, so an application is only exposed if it configures the CGI servlet itself.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.105, 10.1.41, 11.0.7 or higher.

References

medium severity

Improper Neutralization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-tomcat@3.1.5 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.15 org.apache.tomcat.embed:tomcat-embed-core@10.1.15
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.11.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are used to enforce security constraints, those constraints can be bypassed in some cases by a malicious request containing ; or ? characters. The valve is not active unless explicitly configured, so applications on Spring Boot's default embedded Tomcat are only exposed if they have added a RewriteValve themselves.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

References

medium severity

Improper Neutralization of Special Elements

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.3.15, 1.5.13 or higher.

References

medium severity

Improper Neutralization of Special Elements

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.

Overview

ch.qos.logback:logback-core is the core module of the logback logging framework; logback-classic builds on it.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.3.15, 1.5.13 or higher.

References

medium severity

Open Redirect

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.11.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Open Redirect when UriComponentsBuilder is used to parse an externally provided URL and perform validation checks on the host of the parsed URL.

Note: This is the same as CVE-2024-22259 and CVE-2024-22243, but with different input.
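
The validation pattern that all three Open Redirect entries on this page (the two high-severity ones above and this one) describe, next to a hardened form, as an added example for this page; it is not code from kyriosdata/exemplo or from the Spring Framework. The allow-list, the class name and the https-only rule are assumptions. The hardened method does not try to out-guess the parser: it rebuilds the redirect target from the components it validated, so whatever a given parser makes of an odd URL, the user is only ever sent to a host on the allow-list.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

import org.springframework.web.util.UriComponentsBuilder;

public final class RedirectTargets {

    // Assumed allow-list for the example: the only hosts this application redirects to.
    static final Set<String> ALLOWED_HOSTS = Set.of("example.com", "www.example.com");

    private RedirectTargets() {}

    /**
     * The pattern the advisories describe: parse the externally supplied URL with
     * UriComponentsBuilder, check only the host, and let the caller redirect to the ORIGINAL
     * string. On affected spring-web versions a crafted URL can pass this check and still
     * take the browser elsewhere, because the redirect carries the raw input, not the
     * components that were checked.
     */
    static boolean hostLooksAllowed(String externalUrl) {
        String host = UriComponentsBuilder.fromUriString(externalUrl).build().getHost();
        return host != null && ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    /**
     * Hardened: parse with the strict java.net.URI parser, reject anything carrying
     * user-info, require https and an allowed host, then return a target REBUILT from the
     * validated parts. Empty means "do not redirect".
     */
    static Optional<String> safeRedirectTarget(String externalUrl) {
        URI uri;
        try {
            uri = new URI(externalUrl);
        } catch (URISyntaxException e) {
            return Optional.empty(); // backslashes, spaces, stray brackets and the like end here
        }
        if (uri.getRawUserInfo() != null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return Optional.empty();
        }
        String host = uri.getHost(); // null when the authority is not a valid server name
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return Optional.empty();
        }
        StringBuilder target = new StringBuilder("https://").append(host.toLowerCase(Locale.ROOT));
        if (uri.getPort() != -1) {
            target.append(':').append(uri.getPort());
        }
        String path = uri.getRawPath();
        target.append(path == null || path.isEmpty() ? "/" : path);
        if (uri.getRawQuery() != null) {
            target.append('?').append(uri.getRawQuery());
        }
        // Fragment deliberately dropped: browsers never send it and it is not needed server-side.
        return Optional.of(target.toString());
    }
}
```

Where the application only ever needs to send users back into itself, the simpler and stronger rule is to accept no absolute URL at all and redirect only to a local path, or to look the destination up from a fixed map keyed by a short identifier.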

Remediation

Upgrade org.springframework:spring-web to version 5.3.34, 6.0.19, 6.1.6 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.1.6.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) when providing a specially crafted HTTP request.

To be vulnerable, these conditions must all be met (which is usually the case for applications dependent on org.springframework.boot:spring-boot-actuator):

  • The affected application uses Spring MVC or Spring WebFlux.

  • io.micrometer:micrometer-core is on the classpath.

  • An ObservationRegistry is configured in the application to record observations.

Workaround

This vulnerability can be avoided by disabling web observations with management.metrics.enable.http.server.requests=false (this also stops the http.server.requests metrics from being recorded).

Remediation

Upgrade org.springframework:spring-web to version 6.0.14 or higher.

References

medium severity

HTTP Response Splitting

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.13.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to HTTP Response Splitting via the Content-Disposition header: the filename parameter value could contain non-printable characters, which causes HTTP clients to parse the header incorrectly. An attacker who controls the filename and can also inject content into the response can make the victim's browser download a file with an attacker-chosen name and attacker-chosen content.

Notes:

  1. This is only exploitable if the header is prepared with org.springframework.http.ContentDisposition, the filename is set via ContentDisposition.Builder#filename(String, Charset), the value is derived from unsanitized user input, and the attacker can inject malicious content into the downloaded response.

  2. The vulnerability was also fixed in the 6.0.29 commercial version.
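
A sanitizer for the exact situation the first note describes (a filename derived from user input and passed to ContentDisposition.Builder#filename(String, Charset)), as an added example for this page; it is not code from kyriosdata/exemplo or from the Spring Framework. The class name, the fallback name "download" and the choice of characters to strip are assumptions; the ContentDisposition and HttpHeaders calls are the ordinary spring-web API.

```java
import java.nio.charset.StandardCharsets;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;

public final class DownloadHeaders {

    private DownloadHeaders() {}

    /**
     * Strips everything that has no business in a filename: control characters (CR and LF
     * included, which is what header injection needs), path separators and double quotes.
     * Falls back to a fixed name rather than emitting an empty one.
     */
    static String safeFilename(String userSupplied) {
        if (userSupplied == null) {
            return "download";
        }
        String cleaned = userSupplied.replaceAll("[\\p{Cc}\\\\/\"]", "").strip();
        return cleaned.isEmpty() ? "download" : cleaned;
    }

    /**
     * Builds the Content-Disposition value the note describes, through the builder API with
     * filename(String, Charset), but fed only the sanitized name.
     */
    static String attachmentHeaderValue(String userSupplied) {
        return ContentDisposition.attachment()
                .filename(safeFilename(userSupplied), StandardCharsets.UTF_8)
                .build()
                .toString();
    }

    /** Convenience for controllers: the headers object to return alongside the file body. */
    static HttpHeaders attachmentHeaders(String userSupplied) {
        HttpHeaders headers = new HttpHeaders();
        headers.set(HttpHeaders.CONTENT_DISPOSITION, attachmentHeaderValue(userSupplied));
        return headers;
    }
}
```

Sanitizing before the builder, rather than relying on the builder alone, means the header stays clean on the vulnerable versions as well as the fixed ones; the upgrade still matters because other code paths may build the header directly.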

Remediation

Upgrade org.springframework:spring-web to version 6.1.21, 6.2.8 or higher.

References

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11

Dual license: EPL-1.0, LGPL-2.1

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11

Dual license: EPL-1.0, LGPL-2.1

low severity

Server-side Request Forgery (SSRF)

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-starter-logging@3.1.5 ch.qos.logback:logback-classic@1.4.11 ch.qos.logback:logback-core@1.4.11
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.3.8.

Overview

ch.qos.logback:logback-core is the core module of the logback logging framework; logback-classic builds on it.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the SaxEventRecorder process. An attacker can forge requests by compromising logback configuration files in XML.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.3.15, 1.5.13 or higher.

References

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-context
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity: String.toLowerCase() has some locale-dependent exceptions (certain characters lower-case differently under particular default locales), so a field name can fail to match a case-insensitive protection pattern and end up not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-context to version 6.1.14 or higher.

References

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-expression@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework.boot:spring-boot-starter@3.1.5 org.springframework.boot:spring-boot-autoconfigure@3.1.5 org.springframework.boot:spring-boot@3.1.5 org.springframework:spring-context@6.0.13 org.springframework:spring-aop@6.0.13 org.springframework:spring-beans@6.0.13 org.springframework:spring-core@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity. DataBinder compares submitted field names against its disallowedFields patterns after normalizing both with String.toLowerCase(), and that mapping has Locale-dependent exceptions (the no-argument form uses the JVM default locale, which changes how certain characters are lowercased). Under such a locale a field name can fail to match the pattern meant to block it, so the field is not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive; that case-insensitive comparison is what relies on String.toLowerCase().

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-core to version 6.1.14 or higher.

References

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework.boot:spring-boot-starter-json@3.1.5 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.
  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13 org.springframework:spring-web@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity. DataBinder compares submitted field names against its disallowedFields patterns after normalizing both with String.toLowerCase(), and that mapping has Locale-dependent exceptions (the no-argument form uses the JVM default locale, which changes how certain characters are lowercased). Under such a locale a field name can fail to match the pattern meant to block it, so the field is not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive; that case-insensitive comparison is what relies on String.toLowerCase().

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-web to version 6.1.14 or higher.

References

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-webmvc
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.1.5

Detailed paths

  • Introduced through: kyriosdata/exemplo@kyriosdata/exemplo#d83e1c512ab563209f00211c499e2149bf007c78 org.springframework.boot:spring-boot-starter-web@3.1.5 org.springframework:spring-webmvc@6.0.13
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@3.2.11.

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity. DataBinder compares submitted field names against its disallowedFields patterns after normalizing both with String.toLowerCase(), and that mapping has Locale-dependent exceptions (the no-argument form uses the JVM default locale, which changes how certain characters are lowercased). Under such a locale a field name can fail to match the pattern meant to block it, so the field is not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive; that case-insensitive comparison is what relies on String.toLowerCase().

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.
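The Locale-dependent lowercasing behind the spring-context, spring-core, spring-web and spring-webmvc entries above, shown as an added example that is not Spring's own code: a minimal stand-in for the DataBinder disallowedFields check (pattern matching reduced to exact match and a single leading or trailing wildcard), run once with the Turkish locale, where the capital letter I lowercases to the dotless ı (U+0131), and once with Locale.ROOT, the locale-independent mapping. The class and method names are mine and the stand-in mirrors only the shape of the real check (patterns lowercased when configured, field names lowercased when bound); it is not Spring's implementation, and the Turkish locale is passed explicitly here to stand in for a JVM whose default locale is Turkish.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/**
 * Added example, not Spring code: a stand-in for the DataBinder
 * disallowedFields check that makes the locale dependency of
 * String.toLowerCase() visible.
 */
public class DisallowedFieldsDemo {

    /** Simplified pattern match: exact, "prefix*" or "*suffix". */
    static boolean simpleMatch(String pattern, String value) {
        if (pattern.endsWith("*")) {
            return value.startsWith(pattern.substring(0, pattern.length() - 1));
        }
        if (pattern.startsWith("*")) {
            return value.endsWith(pattern.substring(1));
        }
        return pattern.equals(value);
    }

    /**
     * Mirrors the shape of the real check: patterns are lowercased when
     * configured, field names are lowercased when bound, both with the
     * same Locale. Which Locale that is decides whether the two sides agree.
     */
    static class FieldFilter {
        private final Locale locale;
        private final List<String> disallowed = new ArrayList<>();

        FieldFilter(Locale locale) {
            this.locale = locale;
        }

        void setDisallowedFields(String... patterns) {
            for (String p : patterns) {
                disallowed.add(p.toLowerCase(locale));   // configuration-time normalization
            }
        }

        boolean isAllowed(String field) {
            String normalized = field.toLowerCase(locale); // request-time normalization
            for (String p : disallowed) {
                if (simpleMatch(p, normalized)) {
                    return false;
                }
            }
            return true;
        }
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");

        // The exception itself: under tr the capital I maps to dotless i (U+0131),
        // so the same input lowercases to two different strings.
        System.out.println("\"ID\".toLowerCase(tr)   = " + "ID".toLowerCase(turkish));
        System.out.println("\"ID\".toLowerCase(ROOT) = " + "ID".toLowerCase(Locale.ROOT));

        // Weak shape: the filter normalizes with the (simulated) JVM default locale.
        // The pattern "ID" is stored with a dotless i, while the all-lowercase
        // spelling of the field keeps its dotted i, so the two never compare equal.
        FieldFilter weak = new FieldFilter(turkish);
        weak.setDisallowedFields("ID", "*.isAdmin");
        System.out.println("weak  isAllowed(\"id\")           = " + weak.isAllowed("id"));
        System.out.println("weak  isAllowed(\"ID\")           = " + weak.isAllowed("ID"));

        // Hardened shape: both sides are normalized with Locale.ROOT, whose mapping
        // does not change with the JVM's default locale, so every spelling of the
        // configured pattern is caught.
        FieldFilter fixed = new FieldFilter(Locale.ROOT);
        fixed.setDisallowedFields("ID", "*.isAdmin");
        System.out.println("fixed isAllowed(\"id\")           = " + fixed.isAllowed("id"));
        System.out.println("fixed isAllowed(\"user.ISADMIN\") = " + fixed.isAllowed("user.ISADMIN"));
    }
}
```

Compile and run with `javac DisallowedFieldsDemo.java && java DisallowedFieldsDemo`. The weak filter lets the lowercase spelling `id` through while rejecting `ID`, because its stored pattern is the dotless `ıd`; the Locale.ROOT filter rejects both spellings. The practical check for an application that cannot upgrade immediately is the JVM's default locale (`java -XshowSettings:properties -version` prints `user.language` and `user.country`): the mismatch only arises under locales with special-case mappings, and pinning the normalization locale rather than the JVM locale is the durable fix.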

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.14 or higher.

References