| Vulnerabilities | 15 via 132 paths |
|---|---|
| Dependencies | 167 |
| Source | GitHub |
critical severity
new
- Vulnerable module: org.springframework.boot:spring-boot-security
- Introduced through: org.springframework.boot:spring-boot-starter-security@4.0.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-security@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
Overview
Affected versions of this package are vulnerable to Missing Authorization: when an application relies on Spring Boot's auto-configured default web security filter chain, that chain does not take effect, so web security is ineffective and every endpoint is reachable without authorization.
Note: this is only exploitable if all of the following conditions are met:
- the application is servlet-based;
- the application has no Spring Security configuration of its own and relies on the default web security filter chain;
- the application does not depend on spring-boot-health.
Whether the second condition holds is a property of the application's source, not of its dependency tree: look for a SecurityFilterChain bean or any other explicit Spring Security configuration. If there is none, every HTTP endpoint of this application is exposed on 4.0.5, and this upgrade should be applied before any of the others on this page.
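One way to take an application out of the second condition above is to declare its own filter chain, which stops Spring Boot from auto-configuring the default one. The following is an added example, not code from the playground-spring project or from Spring Boot; the package name, the permitted paths and the ADMIN role are assumptions, and a Vaadin application would normally layer Vaadin's own security integration on top of a chain like this. It reduces exposure but does not replace the upgrade to 4.0.6.

```java
package com.example.security; // assumed package; not from the playground project

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Explicit filter chain. Once this bean exists, Spring Boot no longer
 * auto-configures its default chain, so the finding's condition
 * "relies on the default web security filter chain" no longer holds.
 */
@Configuration
@EnableWebSecurity
public class ExplicitSecurityConfig {

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Assumed paths: adjust to the application's real public surface.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/login", "/error").permitAll()
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // Deny by default. Without this line a hand-written chain
                // recreates the same missing-authorization problem by hand.
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The anyRequest().authenticated() rule is the part that matters: replacing the default chain shifts responsibility for deny-by-default onto the application, so a chain that lists only permitAll() rules is no safer than the vulnerable default.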
Remediation
Upgrade org.springframework.boot:spring-boot-security to version 4.0.6 or higher.
high severity
new
- Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
- Introduced through: com.vaadin:vaadin-spring-boot-starter@25.1.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-websocket@11.0.20 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
Overview
org.apache.tomcat.embed:tomcat-embed-core is the core of the embedded Tomcat servlet container.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the handling of WebDAV LOCK and PROPFIND XML request bodies: the bodies are read without an upper bound, so an attacker can cause excessive resource consumption with specially crafted requests. The vulnerable code is only reachable if Tomcat's WebDAV servlet is mapped; Spring Boot's embedded Tomcat does not register it unless the application does so itself (for example through a ServletRegistrationBean), so check for such a registration when rating reachability, and upgrade regardless.
Remediation
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher. This project resolves 11.0.20 through Vaadin's starter and Spring Boot 4.0.5. If the Spring Boot release being moved to still manages an older Tomcat, the tomcat.version property of spring-boot-starter-parent (or of the spring-boot-dependencies BOM) pins tomcat-embed-core, tomcat-embed-websocket and tomcat-embed-el together, so set it to 11.0.22 rather than overriding the core artifact alone.
high severity
new
- Vulnerable module: org.springframework.security:spring-security-config
- Introduced through: org.springframework.boot:spring-boot-starter-security@4.0.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-security@4.0.5 › org.springframework.security:spring-security-config@7.0.4
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
Overview
org.springframework.security:spring-security-config is the configuration module of Spring Security (Java and XML configuration).
Affected versions of this package are vulnerable to Access Control Bypass in XML authorization-rule processing when the servlet-path attribute is used: requests can be crafted so that they are not matched by the intended authorization rules, giving unauthorized access to protected endpoints.
Remediation
Upgrade org.springframework.security:spring-security-config to version 7.0.5 or higher.
high severity
new
- Vulnerable module: org.springframework.security:spring-security-config
- Introduced through: org.springframework.boot:spring-boot-starter-security@4.0.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-security@4.0.5 › org.springframework.security:spring-security-config@7.0.4
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
Overview
org.springframework.security:spring-security-config is the configuration module of Spring Security (Java and XML configuration).
Affected versions of this package are vulnerable to Access Control Bypass in securityMatchers when a PathPatternRequestMatcher.Builder bean is used to prepend a servlet path: requests can be crafted that are not matched to the intended filter chain, bypassing that chain's authentication, authorization and other security controls. Both spring-security-config findings on this page concern how request paths are matched when a servlet path is declared explicitly, in XML through servlet-path or in Java through such a Builder bean; an application that declares neither is not in the affected configuration, but both are fixed in the same 7.0.5 release that spring-boot-starter-security 4.0.6 brings in.
Remediation
Upgrade org.springframework.security:spring-security-config to version 7.0.5 or higher.
high severity
- Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
- Introduced through: com.vaadin:vaadin-spring-boot-starter@25.1.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-websocket@11.0.20 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
The per-path remediation reported here names the Vaadin starter version already in use (25.1.5), so applying it changes nothing; the effective fix is the tomcat-embed-core version given under Remediation below, pinned through the project's own dependency management.
Overview
org.apache.tomcat.embed:tomcat-embed-core is the core of the embedded Tomcat servlet container.
Affected versions of this package are vulnerable to Improper Authentication in processOCSPRequest(), part of the CLIENT_CERT (client certificate) authentication process: in some edge cases an attacker can make an OCSP revocation check soft-fail, that is, be treated as passed, even when soft-fail has been disabled. This only matters for connectors that authenticate clients by certificate with OCSP checking enabled; elsewhere the code is not reached, and the fix is covered by the same 11.0.22 upgrade as the WebDAV finding above.
Remediation
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.117, 10.1.54, 11.0.21 or higher.
high severity
new
- Vulnerable module: org.springframework.boot:spring-boot
- Introduced through: org.springframework.boot:spring-boot-devtools@4.0.5, org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 and others
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-security@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-http-converter@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-commons@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-webmvc@4.0.5 › org.springframework.boot:spring-boot-http-converter@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-jackson@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-webmvc@4.0.5 › org.springframework.boot:spring-boot-servlet@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-commons@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
The paths rooted at com.vaadin:vaadin-spring-boot-starter name the Vaadin version already in use (25.1.5) as the remediation, so no Vaadin upgrade fixes them. spring-boot itself must reach 4.0.6; moving the project's Spring Boot parent or BOM to 4.0.6 does that for every path at once, because the managed version overrides the one the Vaadin starter pulls transitively.
Overview
Affected versions of this package are vulnerable to Use of a Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the property source behind ${random.value} (and likewise ${random.int} and ${random.long}). The values come from a standard, non-cryptographic PRNG such as java.util.Random: a deterministic algorithm with a small internal state (48 bits in the case of java.util.Random) that is never reseeded from fresh entropy. An attacker who observes a few consecutive outputs can recover that state and from it compute every later value, and for a linear generator the earlier ones as well. If ${random.*} values are used for security-sensitive secrets such as API keys, session tokens or passwords, those secrets are predictable. Secrets already generated this way on an affected version should be regenerated after the upgrade, since the fix changes the generator, not values that have already been issued.
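The state recovery described above, as an added example that is not part of this report or of Spring Boot's code: it reimplements the 48-bit linear congruential generator behind java.util.Random, recovers the generator's state from two observed nextInt() outputs (the first output is the top 32 bits of the state, so only 65,536 candidates remain for the low 16 bits), predicts the third output, and contrasts this with SecureRandom. It demonstrates the weakness of the generator class the overview names; it does not reproduce the internals of Spring Boot's ${random.*} property source, and the class name is an assumption.

```java
import java.security.SecureRandom;
import java.util.HexFormat;
import java.util.Random;

public class JavaRandomRecovery {

    // Constants of java.util.Random's 48-bit linear congruential generator.
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One generator step. */
    static long step(long state) {
        return (state * MULTIPLIER + ADDEND) & MASK;
    }

    /** The nextInt() value produced from a state: its top 32 bits. */
    static int outputOf(long state) {
        return (int) (state >>> 16);
    }

    /**
     * Recover the full internal state from two consecutive nextInt() outputs.
     * The first output is the top 32 bits of the state that produced it, so
     * only the low 16 bits are unknown: at most 65,536 candidates, each
     * confirmed by checking that its successor yields the second output.
     * Returns the state after the second output, ready to predict the third.
     */
    static long recoverState(int first, int second) {
        long top = (first & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            long candidate = top | low;
            long next = step(candidate);
            if (outputOf(next) == second) {
                return next; // a false match is possible but has probability about 2^-16
            }
        }
        throw new IllegalStateException("not a java.util.Random output sequence");
    }

    public static void main(String[] args) {
        Random victim = new Random(); // seed unknown to the attacker
        int observed1 = victim.nextInt();
        int observed2 = victim.nextInt();

        long state = recoverState(observed1, observed2);
        int predicted = outputOf(step(state));
        int actual = victim.nextInt();
        System.out.println("predicted=" + predicted + " actual=" + actual
            + " match=" + (predicted == actual));

        // The fix: a CSPRNG whose outputs do not reveal its internal state.
        byte[] token = new byte[32];
        new SecureRandom().nextBytes(token);
        System.out.println("secure token=" + HexFormat.of().formatHex(token));
    }
}
```

Two outputs suffice because java.util.Random exposes 32 of its 48 state bits with every nextInt(); the brute force over the remaining 16 bits takes a fraction of a second, which is the concrete meaning of "the state space is relatively small". A SecureRandom-backed token gives the attacker no such foothold.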
Remediation
Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.
high severity
new
- Vulnerable module: org.springframework.boot:spring-boot-devtools
- Introduced through: org.springframework.boot:spring-boot-devtools@4.0.5
Detailed paths
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
Overview
Affected versions of this package are vulnerable to a Timing Attack in DevTools remote support: the user-supplied "remote secret" is compared against the configured secret with an ordinary, non-constant-time string comparison such as String.equals(). Such comparisons walk the two strings character by character and return as soon as the first mismatch is found, so a guess whose leading characters are correct is rejected slightly later than a guess that is wrong from the first character. An attacker on the same network who can measure those differences over many samples can recover the secret one character at a time. Remote support is opt-in (it is enabled by setting spring.devtools.remote.secret) and DevTools should not be present in a deployed artifact at all (Maven optional, Gradle developmentOnly); if this module is reaching production builds, fix that packaging along with the upgrade.
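The two comparison strategies side by side, as an added example that is not the DevTools code: the early-exit comparison is instrumented to report how many characters it examined, which is exactly the quantity that leaks through timing, next to a hand-written constant-time comparison and the JDK's MessageDigest.isEqual, which is the call application code should actually use. The secret and the guesses are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SecretComparison {

    /**
     * Early-exit comparison, instrumented: returns how many characters were
     * examined before the verdict. A guess with a longer correct prefix makes
     * this loop run longer, and that difference is measurable.
     */
    static int earlyExitWork(String expected, String provided) {
        if (expected.length() != provided.length()) {
            return 0; // rejected before looking at any character
        }
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != provided.charAt(i)) {
                return i + 1; // stopped at the first mismatch
            }
        }
        return expected.length();
    }

    /**
     * Constant-time comparison: every byte is visited and the differences are
     * accumulated with OR, so the running time depends on the length only.
     */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /** What application code should call: the JDK's constant-time comparison. */
    static boolean secretMatches(String expected, String provided) {
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            provided.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String secret = "s3cr3t-remote-token"; // constructed sample secret
        String[] guesses = {
            "a3cr3t-remote-token",   // wrong in the first position
            "s3cr3t-remote-tokeX",   // wrong only in the last position
            "s3cr3t-remote-token"    // correct
        };
        for (String guess : guesses) {
            System.out.printf("%-22s early-exit work=%2d  constant-time=%b  isEqual=%b%n",
                guess,
                earlyExitWork(secret, guess),
                constantTimeEquals(secret.getBytes(StandardCharsets.UTF_8),
                                   guess.getBytes(StandardCharsets.UTF_8)),
                secretMatches(secret, guess));
        }
    }
}
```

The first two guesses are both wrong, yet the early-exit comparison does one unit of work for the first and nineteen for the second; that gap is the signal the attacker measures. Both constant-time variants do the same work for every guess, and MessageDigest.isEqual is preferable to a hand-rolled loop because the JDK documents its timing behaviour and keeps it that way across releases.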
Remediation
Upgrade org.springframework.boot:spring-boot-devtools to version 3.5.14, 4.0.6 or higher.
high severity
new
- Vulnerable module: org.springframework.boot:spring-boot
- Introduced through: org.springframework.boot:spring-boot-devtools@4.0.5, org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 and others
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-security@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-http-converter@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-commons@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-webmvc@4.0.5 › org.springframework.boot:spring-boot-http-converter@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-jackson@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-webmvc@4.0.5 › org.springframework.boot:spring-boot-servlet@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-commons@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
-
Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
Overview
Affected versions of this package are vulnerable to Insecure Temporary File because the ApplicationTemp mechanism creates a temporary directory with a predictable name. Since the name is easily guessed, a local attacker on the same server can pre-create this directory before the Spring Boot application starts. When the application launches, it uses the existing directory without verifying whether it is actually owned by the application's user rather than by the attacker.
Remediation
Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.
References
medium severity
new
- Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
- Introduced through: com.vaadin:vaadin-spring-boot-starter@25.1.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-websocket@11.0.20 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
Overview
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can determine whether a guessed secret is correct by measuring the time taken to compare secrets, potentially allowing unauthorized access through a timing side-channel attack.
Remediation
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.
References
medium severity
new
- Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
- Introduced through: com.vaadin:vaadin-spring-boot-starter@25.1.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-websocket@11.0.20
Overview
Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in WebSocket client during authentication. An attacker can obtain sensitive HTTP authentication headers by initiating a WebSocket handshake with a malicious host.
Remediation
Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.0.1, 9.0.0.M1, 9.0.118, 10.1.55, 11.0.22 or higher.
References
medium severity
- Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
- Introduced through: com.vaadin:vaadin-spring-boot-starter@25.1.5
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.apache.tomcat.embed:tomcat-embed-websocket@11.0.20 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.apache.tomcat.embed:tomcat-embed-core@11.0.20
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
Overview
org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.
Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in JsonAccessLogValve(), which relies on an unescaped append() in generating JSON logs. If non-default values are used for the Connector attributes relaxedPathChars or relaxedQueryChars, an attacker can inject malicious JSON into logs.
Remediation
Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.117, 10.1.54, 11.0.21 or higher.
References
medium severity
- Vulnerable module: org.apache.derby:derby
- Introduced through: org.apache.derby:derby@10.16.1.1
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.apache.derby:derby@10.16.1.1
  Remediation: Upgrade to org.apache.derby:derby@10.17.1.0.
Overview
org.apache.derby:derby is a database engine by Apache.
Affected versions of this package are vulnerable to LDAP Injection due to improper LDAP authentication checks. An attacker can fill up the disk by creating junk databases and execute malware visible to and executable by the account which booted the server. Additionally, if the databases aren't also protected by SQL GRANT/REVOKE authorization, the attacker can view and corrupt sensitive data, and run sensitive database functions and procedures.
Remediation
Upgrade org.apache.derby:derby to version 10.17.1.0 or higher.
References
medium severity
new
- Vulnerable module: org.springframework.boot:spring-boot
- Introduced through: org.springframework.boot:spring-boot-devtools@4.0.5, org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 and others
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-security@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-http-converter@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-commons@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-webmvc@4.0.5 › org.springframework.boot:spring-boot-http-converter@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-jackson@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-webmvc@4.0.5 › org.springframework.boot:spring-boot-servlet@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-commons@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat-runtime@4.0.5 › org.springframework.boot:spring-boot-tomcat@4.0.5 › org.springframework.boot:spring-boot-web-server@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-sql@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-data-jpa@4.0.5 › org.springframework.boot:spring-boot-hibernate@4.0.5 › org.springframework.boot:spring-boot-jpa@4.0.5 › org.springframework.boot:spring-boot-jdbc@4.0.5 › org.springframework.boot:spring-boot-transaction@4.0.5 › org.springframework.boot:spring-boot-persistence@4.0.5 › org.springframework.boot:spring-boot@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
Overview
Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID (PID) files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory can create a symbolic link (symlink) at that path. When the Spring Boot application starts, it follows this symlink and overwrites the target file with its PID. This allows the attacker to corrupt or "clobber" sensitive system files, potentially leading to a denial of service or system instability.
Remediation
Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.
References
low severity
new
- Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-devtools@4.0.5, org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 and others
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
Overview
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch because SSL connections to Cassandra were established without verifying that the hostname in the server's SSL certificate matched the hostname of the server being connected to. Although the application may have verified that the certificate was signed by a trusted Certificate Authority (CA), skipping hostname verification means an attacker could present any valid certificate (even one issued for a different domain) to intercept the connection, leaving the application exposed to Man-in-the-Middle (MitM) attacks.
Remediation
Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.14, 4.0.6 or higher.
References
low severity
new
- Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-devtools@4.0.5, org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 and others
Detailed paths
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-devtools@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-devtools@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-security@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-security@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › org.springframework.boot:spring-boot-starter-data-jpa@4.0.5 › org.springframework.boot:spring-boot-starter-jdbc@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to org.springframework.boot:spring-boot-starter-data-jpa@4.0.6.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-jackson@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
- Introduced through: mmilk23/playground-spring@mmilk23/playground-spring › com.vaadin:vaadin-spring-boot-starter@25.1.5 › org.springframework.boot:spring-boot-starter-webmvc@4.0.5 › org.springframework.boot:spring-boot-starter-tomcat@4.0.5 › org.springframework.boot:spring-boot-starter@4.0.5 › org.springframework.boot:spring-boot-autoconfigure@4.0.5
  Remediation: Upgrade to com.vaadin:vaadin-spring-boot-starter@25.1.5.
Overview
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when using an SSL bundle. This weakens TLS by allowing connections to be established without verifying the server's identity, a classic MITM risk.
Remediation
Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.14, 4.0.6 or higher.