Vulnerabilities

 5 via 20 paths

Dependencies

 160

Source

 GitHub

Commit

 566e217f

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 5
  • 3
Severity
  • 3
  • 4
  • 1
Status
  • 8
  • 0
  • 0

high severity

Uncontrolled Recursion

  • Vulnerable module: org.apache.commons:commons-lang3
  • Introduced through: io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1, io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1 and others

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.apache.commons:commons-lang3@3.17.0
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.apache.commons:commons-lang3@3.17.0
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.apache.commons:commons-text@1.12.0 org.apache.commons:commons-lang3@3.17.0
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.apache.commons:commons-text@1.12.0 org.apache.commons:commons-lang3@3.17.0
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0-M2 org.springframework.cloud:spring-cloud-openfeign-core@5.0.0-M2 io.github.openfeign:feign-form-spring@13.6 org.apache.commons:commons-text@1.12.0 org.apache.commons:commons-lang3@3.17.0
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.13 org.springdoc:springdoc-openapi-starter-webmvc-api@2.8.13 org.springdoc:springdoc-openapi-starter-common@2.8.13 io.swagger.core.v3:swagger-core-jakarta@2.2.36 org.apache.commons:commons-lang3@3.17.0
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.13.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • Vulnerable module: commons-beanutils:commons-beanutils
  • Introduced through: io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 and io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 commons-beanutils:commons-beanutils@1.9.4
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 commons-beanutils:commons-beanutils@1.9.4

Overview

commons-beanutils:commons-beanutils is a provides an easy-to-use but flexible wrapper around reflection and introspection.

Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and getNestedProperty methods of the PropertyUtilsBean class. An attacker can execute arbitrary code by accessing the declaredClass property of Java enum objects, which allows access to the ClassLoader.

Note:

The BeanIntrospector class that can mitigate this vulnerability was added in version 1.9.2 but its usage was not enabled by default.

Remediation

Upgrade commons-beanutils:commons-beanutils to version 1.11.0 or higher.

References

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: commons-fileupload:commons-fileupload
  • Introduced through: org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0-M2

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0-M2 org.springframework.cloud:spring-cloud-openfeign-core@5.0.0-M2 io.github.openfeign:feign-form-spring@13.6 commons-fileupload:commons-fileupload@1.5

Overview

commons-fileupload:commons-fileupload is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling when processing multipart headers. An attacker can exhaust system resources by sending malicious requests with excessively large individual multipart headers.

Remediation

Upgrade commons-fileupload:commons-fileupload to version 1.6.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Uncontrolled Recursion

  • Vulnerable module: com.nimbusds:nimbus-jose-jwt
  • Introduced through: org.springframework.security:spring-security-oauth2-client@6.5.5

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.security:spring-security-oauth2-client@6.5.5 com.nimbusds:oauth2-oidc-sdk@9.43.6 com.nimbusds:nimbus-jose-jwt@9.37.3

Overview

com.nimbusds:nimbus-jose-jwt is a library for JSON Web Tokens (JWT)

Affected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling JWT claim sets containing deeply nested JSON objects. An attacker can cause application downtime or resource exhaustion by submitting a specially crafted JWT with excessive nesting.

Note:

This issue only affects nimbus-jose-jwt, not Gson because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

PoC

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

public class Test {
    // This builds a claimset with a deeply nested map, which could theoretically be supplied by a client.
    // If the JWT is serialized into JSON (for example, in logging or debugging), it can cause a StackOverflowError.
    public static void main(String[] args) throws ParseException {        
        Map<String, Object> nestedMap = new HashMap<>();
        Map<String, Object> currentLevel = nestedMap;

        for (int i = 0; i < 5000; i++) {
            Map<String, Object> nextLevel = new HashMap<>();
            currentLevel.put("", nextLevel);
            currentLevel = nextLevel;
        }

        JWTClaimsSet claimSet = JWTClaimsSet.parse(nestedMap);

        // This will cause a StackOverflowError due to excessive recursion in GSON's serialization
        claimSet.toString();
    }
}

Remediation

Upgrade com.nimbusds:nimbus-jose-jwt to version 10.0.2 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@3.5.6, org.springframework.boot:spring-boot-starter-validation@3.5.6 and others

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-actuator@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-validation@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-web@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 org.springframework.boot:spring-boot-starter-actuator@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-client@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-memory@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-web@3.5.6 org.springframework.boot:spring-boot-starter-json@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0-M2 org.springframework.cloud:spring-cloud-starter@5.0.0-M2 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-observation@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-embedding-observation@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-image-observation@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-tool@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-retry@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.13 org.springdoc:springdoc-openapi-starter-webmvc-api@2.8.13 org.springdoc:springdoc-openapi-starter-common@2.8.13 org.springframework.boot:spring-boot-starter-validation@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: org.springframework.boot:spring-boot-starter-actuator@3.5.6, org.springframework.boot:spring-boot-starter-validation@3.5.6 and others

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-actuator@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-validation@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-web@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-actuator@1.2.1 org.springframework.boot:spring-boot-starter-actuator@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 io.github.springboot-addons:spring-boot-starter-httpclient5-resilience4j@1.2.1 io.github.springboot-addons:spring-boot-starter-httpclient5@1.2.1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-client@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-memory@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.boot:spring-boot-starter-web@3.5.6 org.springframework.boot:spring-boot-starter-json@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.cloud:spring-cloud-starter-openfeign@5.0.0-M2 org.springframework.cloud:spring-cloud-starter@5.0.0-M2 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-observation@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-embedding-observation@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-image-observation@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-tool@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-retry@1.1.0-M1 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.13 org.springdoc:springdoc-openapi-starter-webmvc-api@2.8.13 org.springdoc:springdoc-openapi-starter-common@2.8.13 org.springframework.boot:spring-boot-starter-validation@3.5.6 org.springframework.boot:spring-boot-starter@3.5.6 org.springframework.boot:spring-boot-starter-logging@3.5.6 ch.qos.logback:logback-classic@1.5.18 ch.qos.logback:logback-core@1.5.18

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

EPL-1.0 license

  • Module: junit:junit
  • Introduced through: org.springframework.ai:spring-ai-rag@1.1.0-M1 and org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-rag@1.1.0-M1 org.springframework.ai:spring-ai-client-chat@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-openai@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-rag@1.1.0-M1 org.springframework.ai:spring-ai-vector-store@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-memory@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-client@1.1.0-M1 org.springframework.ai:spring-ai-client-chat@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-embedding-observation@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-image-observation@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-tool@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-openai@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-observation@1.1.0-M1 org.springframework.ai:spring-ai-client-chat@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13

EPL-1.0 license

EPL-1.0 license vulnerability report

low severity

Information Exposure

  • Vulnerable module: junit:junit
  • Introduced through: org.springframework.ai:spring-ai-rag@1.1.0-M1 and org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1

Detailed paths

  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-rag@1.1.0-M1 org.springframework.ai:spring-ai-client-chat@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-openai@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-rag@1.1.0-M1 org.springframework.ai:spring-ai-vector-store@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-memory@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-client@1.1.0-M1 org.springframework.ai:spring-ai-client-chat@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-embedding-observation@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-image-observation@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-tool@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-openai@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13
  • Introduced through: pacphi/mattermost-ai-service@pacphi/mattermost-ai-service#566e217fbee24cdd72f13bf63d336f046ac9b274 org.springframework.ai:spring-ai-starter-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-openai@1.1.0-M1 org.springframework.ai:spring-ai-autoconfigure-model-chat-observation@1.1.0-M1 org.springframework.ai:spring-ai-client-chat@1.1.0-M1 org.springframework.ai:spring-ai-model@1.1.0-M1 org.springframework.ai:spring-ai-template-st@1.1.0-M1 org.antlr:ST4@4.3.4 org.antlr:antlr-runtime@3.5.3 junit:junit@4.13

Overview

junit:junit is an unit testing framework for Java

Affected versions of this package are vulnerable to Information Exposure. The JUnit4 test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.

Note: This vulnerability does not allow other users to overwrite the contents of these directories or files. This only affects Unix like systems.

Remediation

Upgrade junit:junit to version 4.13.1 or higher.

References

Information Exposure vulnerability report