Vulnerabilities: 2 via 5 paths
Dependencies: 168
Source: GitHub
Commit: 3bdf73be

Issue type: 2 vulnerabilities, 2 license issues
Severity: 1 high, 3 medium

high severity

Incorrect Authorization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: com.vaadin:vaadin-spring-boot-starter@25.1.0

Detailed paths

  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat@4.0.2 > org.springframework.boot:spring-boot-tomcat@4.0.2 > org.apache.tomcat.embed:tomcat-embed-core@11.0.15
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.2 > org.apache.tomcat.embed:tomcat-embed-core@11.0.15
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.2 > org.apache.tomcat.embed:tomcat-embed-websocket@11.0.15 > org.apache.tomcat.embed:tomcat-embed-core@11.0.15
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.2 > org.springframework.boot:spring-boot-tomcat@4.0.2 > org.apache.tomcat.embed:tomcat-embed-core@11.0.15

    Remediation: the upgrade target the report gives for all four paths, com.vaadin:vaadin-spring-boot-starter@25.1.0, is the version already in use, so bumping the Vaadin starter changes nothing here. Pin the transitive org.apache.tomcat.embed:tomcat-embed-core (and tomcat-embed-websocket, which sits on the third path) to 11.0.18 or higher in the build instead.

Overview

org.apache.tomcat.embed:tomcat-embed-core is the core of the embedded Apache Tomcat servlet container.

Affected versions of this package are vulnerable to Incorrect Authorization when Tomcat is configured to check certificate status against an OCSP responder: OCSP response verification and freshness checks can be bypassed, so a revoked certificate can still be accepted. The vulnerable code path is only exercised where the embedded Tomcat terminates TLS itself and performs OCSP checks; if TLS is terminated in front of the application, exposure is reduced, but the dependency should still be upgraded.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.114, 10.1.52, 11.0.18 or higher. This project is on the 11.0.x line (11.0.15 on every path above), so 11.0.18 is the minimum target.

medium severity

LDAP Injection

  • Vulnerable module: org.apache.derby:derby
  • Introduced through: org.apache.derby:derby@10.16.1.1

Detailed paths

  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.apache.derby:derby@10.16.1.1
    Remediation: Upgrade to org.apache.derby:derby@10.17.1.0.

Overview

org.apache.derby:derby is a relational database engine from the Apache Software Foundation, usable embedded in the JVM or as a network server.

Affected versions of this package are vulnerable to LDAP Injection due to improper LDAP authentication checks, which applies to deployments that use Derby's LDAP authentication provider. An attacker who bypasses authentication can fill the disk by creating junk databases and can execute malware that is visible to and executable by the account that booted the Derby server. If the databases are not also protected by SQL GRANT/REVOKE authorization, the attacker can additionally view and corrupt sensitive data and run sensitive database functions and procedures.

Remediation

Upgrade org.apache.derby:derby to version 10.17.1.0 or higher. Derby 10.17 requires a newer minimum JDK than 10.16, so check the Derby release notes for the required Java version before bumping.
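One way to apply both fixes on this page in a Maven build: the transitive Tomcat pin from the Incorrect Authorization finding above and the direct Derby bump from this finding. This is an added example, not the report's or the mmilk23/playground-spring project's own pom.xml. It assumes the build inherits from spring-boot-starter-parent at the 4.0.2 seen in the paths, which is what makes Spring Boot's tomcat.version property override the Tomcat version it manages; the com.example coordinates and the 0.0.1-SNAPSHOT version are placeholders.

```xml
<!-- Added example, not the project's pom.xml. Assumes spring-boot-starter-parent
     so that the tomcat.version property overrides the managed Tomcat version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>4.0.2</version>   <!-- version taken from the dependency paths above -->
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>playground-spring</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Overrides the version spring-boot-dependencies manages for every
         org.apache.tomcat.embed:* artifact, so tomcat-embed-core and
         tomcat-embed-websocket on all four reported paths move to 11.0.18
         without touching the Vaadin starter. -->
    <tomcat.version>11.0.18</tomcat.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>com.vaadin</groupId>
      <artifactId>vaadin-spring-boot-starter</artifactId>
      <version>25.1.0</version>   <!-- unchanged: no fixed starter version is listed -->
    </dependency>
    <dependency>
      <groupId>org.apache.derby</groupId>
      <artifactId>derby</artifactId>
      <!-- Direct dependency: an explicit version wins over the managed default
           (assumed to be where the 10.16.1.1 in the report comes from). -->
      <version>10.17.1.0</version>
    </dependency>
  </dependencies>
</project>
```

If the build imports the spring-boot-dependencies BOM instead of inheriting the parent, the property is ignored; pin org.apache.tomcat.embed:tomcat-embed-core and tomcat-embed-websocket to 11.0.18 in the project's own dependencyManagement section instead. With Gradle and the Spring Boot plugin the equivalent is ext['tomcat.version'] = '11.0.18' in build.gradle. Verify with mvn dependency:tree -Dincludes=org.apache.tomcat.embed,org.apache.derby, which should list only 11.0.18 and 10.17.1.0, then re-run the scan against the new commit so the report reflects the change.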

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-data-jpa@4.0.2, org.springframework.boot:spring-boot-starter-security@4.0.2 and others

Detailed paths

  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.springframework.boot:spring-boot-starter-data-jpa@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.springframework.boot:spring-boot-starter-security@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.springframework.boot:spring-boot-starter-data-jpa@4.0.2 > org.springframework.boot:spring-boot-starter-jdbc@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-jackson@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25

Logback is dual-licensed, and a consumer may use it under either the EPL-1.0 or the LGPL-2.1. This finding and the logback-core finding below are therefore license-policy flags, not vulnerabilities: they are the 2 license issues in the summary, separate from the 2 vulnerabilities, and whether the medium severity is acceptable is a question for the project's license policy rather than a code change.

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-data-jpa@4.0.2, org.springframework.boot:spring-boot-starter-security@4.0.2 and others

Detailed paths

  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.springframework.boot:spring-boot-starter-data-jpa@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25 > ch.qos.logback:logback-core@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.springframework.boot:spring-boot-starter-security@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25 > ch.qos.logback:logback-core@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25 > ch.qos.logback:logback-core@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > org.springframework.boot:spring-boot-starter-data-jpa@4.0.2 > org.springframework.boot:spring-boot-starter-jdbc@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25 > ch.qos.logback:logback-core@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-jackson@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25 > ch.qos.logback:logback-core@1.5.25
  • Introduced through: mmilk23/playground-spring@mmilk23/playground-spring#3bdf73be348bb5b26827925adcf53e815849b0b6 > com.vaadin:vaadin-spring-boot-starter@25.1.0 > org.springframework.boot:spring-boot-starter-webmvc@4.0.2 > org.springframework.boot:spring-boot-starter-tomcat@4.0.2 > org.springframework.boot:spring-boot-starter@4.0.2 > org.springframework.boot:spring-boot-starter-logging@4.0.2 > ch.qos.logback:logback-classic@1.5.25 > ch.qos.logback:logback-core@1.5.25
