Find, fix and prevent vulnerabilities in your code.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Race Condition on connection close when using the APR/Native connector. An attacker could trigger a JVM crash by rapidly opening and closing HTTP/2 connections. The likelihood of hitting the race condition increases if the connections are closed from the client side.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107 or higher.

References

• Apache Advisory
• Apache Tomcat Advisory
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

There is no fixed version for commons-lang:commons-lang.

References

• Apache Pony Mail
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

• Apache Pony Mail
• GitHub Commit

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the parsing of nested groups or series of SGROUP tags as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. An attacker can cause infinite recursion by sending malicious Protocol Buffer data.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.25.5, 4.27.5, 4.28.2 or higher.

References

• GitHub Commit
• GitHub Commit

Overview

com.thoughtworks.xstream:xstream is a simple library to serialize objects to XML and back again.

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to a manipulated binary input stream. An attacker can terminate the application with a stack overflow error resulting in a denial of service by manipulating the processed input stream when configured to use the BinaryStreamDriver.

Workaround

This vulnerability can be mitigated by catching the StackOverflowError in the client code calling XStream.

PoC

Prepare the manipulated data and provide it as input for a XStream instance using the BinaryDriver:

final byte[] byteArray = new byte[36000];
for (int i = 0; i < byteArray.length / 4; i++) {
      byteArray[i * 4] = 10;
      byteArray[i * 4 + 1] = -127;
      byteArray[i * 4 + 2] = 0;
      byteArray[i * 4 + 3] = 0;
}

XStream xstream = new XStream(new BinaryStreamDriver());
xstream.fromXML(new ByteArrayInputStream(byteArray));

As soon as the data gets unmarshalled, the endless recursion is entered and the executing thread is aborted with a stack overflow error.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

Upgrade com.thoughtworks.xstream:xstream to version 1.4.21 or higher.

References

• GitHub Commit
• GitHub Commit
• XStream Advisory

Overview

commons-beanutils:commons-beanutils is a provides an easy-to-use but flexible wrapper around reflection and introspection.

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and getNestedProperty methods of the PropertyUtilsBean class. An attacker can execute arbitrary code by accessing the declaredClass property of Java enum objects, which allows access to the ClassLoader.

Note:

The BeanIntrospector class that can mitigate this vulnerability was added in version 1.9.2 but its usage was not enabled by default.

Remediation

Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or higher.

References

• Apache Advisory
• GitHub Commit
• GitHub Commit

Overview

Affected versions of this package are vulnerable to XML Injection when processing XML data with tags containing references to system properties or environment variables. An attacker can access sensitive information, such as credentials, file paths, or system configuration details, by submitting malicious input including such references.

Remediation

Upgrade io.minio:minio to version 8.6.0 or higher.

References

• GitHub Commit

Overview

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the mishandling of unbalanced comment strings in JSONTokener.java. An attacker can execute arbitrary code or cause a denial of service by injecting malformed input that exploits this flaw.

Remediation

There is no fixed version for net.sf.json-lib:json-lib.

References

• GitHub Commit
• GitHub Commit

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

References

• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Thread
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

References

• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• GitHub Commit

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unwrap() function in SecureNio2Channel class, during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an OutOfMemoryError.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

References

• Apache Tomcat 10 Advisory
• Apache Tomcat 11 Advisory
• Apache Tomcat 9 Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when handling failed HTTP/2 requests with certain invalid HTTP priority headers. An attacker can trigger an OutOfMemoryException by sending a large number of malicious requests.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

References

• Apache Mailing List
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• GitHub Commit
• OSS Security Advisory
• PoC
• Exploit DB
• PoC in GitHub

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.108, 10.1.44, 11.0.10 or higher.

References

• Apache Thread
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

References

• Apache Mailing List
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• Apache Tomcat Advisory
• GitHub Commit
• GitHub Commit
• GitHub Commit

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

References

• Apache Advisory
• Apache Tomcat Advisory
• GitHub Commit

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write due to the handling of deeply nested JSON input. An attacker can cause Java stack overflow exception and denial of service.

PoC

import jakarta.json.Json;
import jakarta.json.stream.JsonParser;

import java.io.StringReader;

public class Main {
    public static void main(String[] args) {
        try {
            String json = createDeepNestedDoc(50000);
            try (JsonParser parser = Json.createParser(new StringReader(json))) {
                while (parser.hasNext()) {
                    JsonParser.Event ev = parser.next();
                    if (ev.name().equals("START_ARRAY")) {
                        parser.getArray();
                    }
                }
            }
        } catch (Throwable t) {
            t.printStackTrace();
        }
    }

    private static String createDeepNestedDoc(final int depth) {
        StringBuilder sb = new StringBuilder();
        sb.append("[");
        for (int i = 0; i < depth; i++) {
            sb.append("{ \"a\": [");
        }
        sb.append(" \"val\" ");
        for (int i = 0; i < depth; i++) {
            sb.append("]}");
        }
        sb.append("]");
        return sb.toString();
    }
}

Remediation

Upgrade org.eclipse.parsson:parsson to version 1.0.4, 1.1.3 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue
• GitLab Issue

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.

Note: This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.

Remediation

Upgrade org.springframework:spring-core to version 6.2.11 or higher.

References

• GitHub Commit
• GitHub Issue
• GitHub Release
• Vendor Advisory

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal via the WebMvc.fn and WebFlux.fn frameworks. An attacker can access any file on the file system that is also accessible to the process in which the Spring application is running by crafting malicious HTTP requests.

Note:

This is only exploitable if the web application uses RouterFunctions to serve static resources and resource handling is explicitly configured with a FileSystemResource location.

Workaround

This vulnerability can be mitigated by using the Spring Security HTTP Firewall or running the application on Tomcat or Jetty.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.13 or higher.

References

• GitHub Commit
• Spring Security Advisory
• Nuclei Templates
• PoC in GitHub

Overview

org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications.

Affected versions of this package are vulnerable to Path Traversal through the functional web frameworks WebMvc.fn or WebFlux.fn. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible.

Note: This is similar to CVE-2024-38816, but with different input.

Remediation

Upgrade org.springframework:spring-webmvc to version 6.1.14 or higher.

References

• GitHub Commit
• Spring Security Advisory
• PoC in GitHub