Vulnerabilities

 7 via 25 paths

Dependencies

 89

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 7
  • 1
Severity
  • 1
  • 1
  • 6
Status
  • 8
  • 0
  • 0

critical severity
new

Improper Authentication

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Authentication vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause excessive resource consumption by sending specially crafted requests that trigger unbounded reads.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity
new

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity
new

Exposure of Private Personal Information to an Unauthorized Actor

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21

Overview

Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in WebSocket client during authentication. An attacker can obtain sensitive HTTP authentication headers by initiating a WebSocket handshake with a malicious host.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.0.1, 9.0.0.M1, 9.0.118, 10.1.55, 11.0.22 or higher.

References

Exposure of Private Personal Information to an Unauthorized Actor vulnerability report

medium severity
new

Timing Attack

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret is correct by sending many authentication attempts directly to the connector and measuring the time taken to compare secrets.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Timing Attack vulnerability report

medium severity
new

Improper Authorization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An attacker can gain unauthorized access to protected resources by crafting requests that exploit the improper application of these constraints.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Authorization vulnerability report

medium severity
new

Improper Handling of Case Sensitivity

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-websocket@11.0.21 org.apache.tomcat.embed:tomcat-embed-core@11.0.21
  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe org.springframework.boot:spring-boot-starter-webmvc@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat@4.1.0-RC1 org.springframework.boot:spring-boot-starter-tomcat-runtime@4.1.0-RC1 org.springframework.boot:spring-boot-tomcat@4.1.0-RC1 org.apache.tomcat.embed:tomcat-embed-core@11.0.21

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the LockOutRealm function. An attacker can bypass account lockout protections by submitting usernames with different letter casing.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

medium severity

Dual license: EPL-1.0, MPL-2.0

  • Module: com.h2database:h2
  • Introduced through: com.h2database:h2@2.4.240

Detailed paths

  • Introduced through: randomvlad/TicTacToe@randomvlad/TicTacToe com.h2database:h2@2.4.240

Dual license: EPL-1.0, MPL-2.0

Dual license: EPL-1.0, MPL-2.0 vulnerability report