Vulnerabilities |
24 via 126 paths |
|---|---|
Dependencies |
43 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
critical severity
- Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
Overview
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to establishing SSL connections to Cassandra without verifying that the hostname in the server's SSL certificate actually matched the hostname of the server being connected to. While the application might have verified that the certificate was signed by a trusted Certificate Authority (CA), failing to verify the hostname means an attacker could present any valid certificate (even one meant for a different domain) to successfully intercept the connection, leaving the application vulnerable to Man-in-the-Middle (MitM) attacks.
Remediation
Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.14, 4.0.6 or higher.
References
critical severity
- Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
Overview
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch when using an SSL bundle. This effectively weakens TLS by allowing connections without verifying the server identity (classic MITM risk).
Remediation
Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.14, 4.0.6 or higher.
References
high severity
- Vulnerable module: com.mchange:c3p0
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4
Overview
com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the userOverridesAsString property of ConnectionPoolDataSource class. An attacker can achieve arbitrary code execution by supplying maliciously crafted serialized objects or javax.naming.Reference instances that trigger unsafe deserialization and remote code loading.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade com.mchange:c3p0 to version 0.12.0 or higher.
References
high severity
- Vulnerable module: com.mchange:mchange-commons-java
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:mchange-commons-java@0.2.15Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@4.0.0.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4 › com.mchange:mchange-commons-java@0.2.15
Overview
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the factoryClassLocation function. An attacker can achieve arbitrary code execution by provoking the application to read a maliciously crafted javax.naming.Reference or serialized object, resulting in the download and execution of malicious code.
Remediation
Upgrade com.mchange:mchange-commons-java to version 0.4.0 or higher.
References
high severity
- Vulnerable module: org.springframework:spring-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.10.
Overview
org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.
Affected versions of this package are vulnerable to Incorrect Authorization via the AnnotationsScanner and AnnotatedMethod class. An attacker can gain unauthorized access to sensitive information by exploiting improper resolution of annotations on methods within type hierarchies that use parameterized supertypes with unbounded generics.
Note:
This is only exploitable if security annotations are used on methods in generic superclasses or generic interfaces and the @EnableMethodSecurity feature is enabled.
Remediation
Upgrade org.springframework:spring-core to version 6.2.11 or higher.
References
high severity
new
- Vulnerable module: org.springframework:spring-expression
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via evaluation of user-controlled Spring Expression Language (SpEL) expressions. An attacker can cause denial of service by supplying specially crafted SpEL expressions that trigger excessive CPU or memory consumption during expression evaluation, leading to application degradation or unavailability.
Remediation
Upgrade org.springframework:spring-expression to version 6.0.0, 6.2.19, 7.0.8 or higher.
References
high severity
- Vulnerable module: org.springframework:spring-beans
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
Overview
org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.
Notes:
This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.
Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.
Remediation
Upgrade org.springframework:spring-beans to version 6.2.10 or higher.
References
high severity
new
- Vulnerable module: org.springframework:spring-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via caching of parsed Spring Expression Language (SpEL) expressions. An attacker can cause denial of service by supplying crafted user-controlled SpEL expressions that trigger unbounded growth of the expression cache. Over time, repeated evaluations can consume excessive memory, eventually leading to memory exhaustion and application unavailability.
Note: Exploitation typically requires a large number of expression evaluations, potentially millions of requests, even when reusing a single expression with dynamic inputs.
Remediation
Upgrade org.springframework:spring-core to version 6.0.0, 6.2.19, 7.0.8 or higher.
References
high severity
- Vulnerable module: org.springframework.boot:spring-boot
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
Overview
Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) for the property source for ${random.value} (as well as ${random.int} and ${random.long}). Standard PRNGs (like java.util.Random) use deterministic mathematical algorithms starting from a seed value. Because the state space is relatively small and lacks ongoing entropy (true randomness), an attacker who observes a sequence of generated values can mathematically reverse-engineer the seed. Once the seed is known, the attacker can predict all past and future values generated by that PRNG. If these values are used to generate security-sensitive assets like API keys, session tokens, or passwords, the system becomes compromised.
Remediation
Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.
References
high severity
new
- Vulnerable module: com.mchange:mchange-commons-java
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:mchange-commons-java@0.2.15Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@4.0.0.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4 › com.mchange:mchange-commons-java@0.2.15
Overview
Affected versions of this package are vulnerable to Deserialization of Untrusted Data via unsafe JavaBean materialization in com.mchange.v2.naming.JavaBeanObjectFactory. An attacker can trigger arbitrary class construction and property initialization by supplying a malicious JNDI Reference whose class name and bean properties are resolved by the factory. This lets an attacker instantiate unsafe JavaBeans and drive attacker-controlled initialization side effects from within the application’s lookup path. In affected deployments, that can lead to unexpected network access or other malicious behavior when the application dereferences untrusted JNDI data.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade com.mchange:mchange-commons-java to version 0.6.0 or higher.
References
high severity
- Vulnerable module: org.springframework.boot:spring-boot
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
Overview
Affected versions of this package are vulnerable to Insecure Temporary File due to the ApplicationTemp mechanism creating a temporary directory using a predictable name. Because the name can be easily guessed, a local attacker on the same server can maliciously pre-create this directory before the Spring Boot application starts. When the application launches, it would blindly use the existing directory without verifying if it is actually owned by the application's user or the attacker.
Remediation
Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.
References
high severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16 › ch.qos.logback:logback-core@1.5.16
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Expression Injection in the Janino-evaluated condition attribute of <if> configuration elements, handled by IfModelHandler, whose denylist blocked only the literal new operator. A user who can modify the logback configuration can execute arbitrary code by writing an <if> condition that evades that denylist, either through references it did not cover such as Runtime or springframework, or through Unicode escape sequences like \u that reconstruct the blocked new operator. Exploitation requires write access to the logback configuration and the use of conditional <if> processing with Janino present on the classpath.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.36 or higher.
References
medium severity
- Vulnerable module: org.springframework:spring-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
Overview
org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via static resource resolution. An attacker can cause denial of service by sending crafted requests that are slow to resolve when accessing file-system-backed static resources, causing HTTP connections to remain occupied and exhausting server resources.
Note: This is only exploitable if all the following are true:
The application uses Spring MVC or Spring WebFlux.
Static resources are served from the file system.
The application is running on Windows.
Remediation
Upgrade org.springframework:spring-core to version 6.2.18, 7.0.7 or higher.
References
medium severity
new
- Vulnerable module: org.springframework:spring-expression
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via Spring Expression Language (SpEL) method invocation handling. An attacker can invoke arbitrary zero-argument methods by supplying crafted SpEL expressions, even in contexts intended to restrict method execution or provide read-only access. This may allow execution of unintended application logic and access to functionality that should not be exposed through expression evaluation.
Note: This is only exploitable if the application accepts and evaluates untrusted or user-controlled SpEL expressions.
Remediation
Upgrade org.springframework:spring-expression to version 6.0.0, 6.2.19, 7.0.8 or higher.
References
medium severity
new
- Vulnerable module: ch.qos.logback:logback-classic
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in HardenedObjectInputStream, whose resolveClass allowlist admitted any class whose name starts with java.lang or java.util rather than matching specific authorized classes. An attacker can instantiate dangerous classes such as java.lang.ProcessBuilder during deserialization, reaching remote code execution through a gadget chain, by delivering a malicious serialized object to a logback component that deserializes it, such as its socket receiver for serialized logging events (SocketNode). Exploitation requires the application to deserialize attacker-controlled serialized data through logback, in practice via its socket-based receiver, together with a usable gadget class on the classpath.
Workaround
This vulnerability can be avoided by not exposing logback's socket-based serialized receivers, such as SocketReceiver and ServerSocketReceiver, to untrusted networks, which removes the path by which attacker-controlled serialized objects reach the deserialization filter.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade ch.qos.logback:logback-classic to version 1.5.33 or higher.
References
medium severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16 › ch.qos.logback:logback-core@1.5.16Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in HardenedObjectInputStream, whose resolveClass allowlist admitted any class whose name starts with java.lang or java.util rather than matching specific authorized classes. An attacker can instantiate dangerous classes such as java.lang.ProcessBuilder during deserialization, reaching remote code execution through a gadget chain, by delivering a malicious serialized object to a logback component that deserializes it, such as its socket receiver for serialized logging events (SocketNode). Exploitation requires the application to deserialize attacker-controlled serialized data through logback, in practice via its socket-based receiver, together with a usable gadget class on the classpath.
Workaround
This vulnerability can be avoided by not exposing logback's socket-based serialized receivers, such as SocketReceiver and ServerSocketReceiver, to untrusted networks, which removes the path by which attacker-controlled serialized objects reach the deserialization filter.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.33 or higher.
References
medium severity
new
- Vulnerable module: com.mchange:c3p0
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4
Overview
com.mchange:c3p0 is a mature, highly concurrent JDBC Connection pooling library, with support for caching and reuse of PreparedStatements.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the deserialization process. An attacker can execute arbitrary code by delivering a crafted serialized object that, when deserialized, triggers automatic property resolution and invokes vulnerable JDBC driver methods. This is only exploitable if all of the following conditions are met: a vulnerable version is present on the application classpath, a susceptible JDBC driver is available, a carrier library such as Apache Commons BeanUtils is used to auto-read JavaBean properties during deserialization, and there is a deserialization entry point that processes attacker-controlled data.
Workaround
This vulnerability can be mitigated by running applications on Java 16 or later, removing Apache Commons BeanUtils from the classpath if not required, or ensuring the application does not deserialize untrusted input from network sources.
Details
Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.
Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.
Remediation
Upgrade com.mchange:c3p0 to version 0.14.0 or higher.
References
medium severity
new
- Vulnerable module: org.springframework:spring-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-expression@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2 › org.springframework:spring-core@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via pattern processing in AntPathMatcher. An attacker can cause denial of service by supplying a crafted regular expression pattern to methods such as match(), matchStart(), or extractUriTemplateVariables(), triggering excessive backtracking and CPU consumption during pattern evaluation.
Note: This is only exploitable if attacker-controlled input is used directly or indirectly as the pattern argument to one of the affected AntPathMatcher methods.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
AThe string must start with the letter 'A'(B|C+)+The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the+matches one or more times). The+at the end of this section states that we can look for one or more matches of this section.DFinally, we ensure this section of the string ends with a 'D'
The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD
It most cases, it doesn't take very long for a regex engine to find a match:
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total
The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.
Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.
Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:
- CCC
- CC+C
- C+CC
- C+C+C.
The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.
From there, the number of steps the engine must use to validate a string just continues to grow.
| String | Number of C's | Number of steps |
|---|---|---|
| ACCCX | 3 | 38 |
| ACCCCX | 4 | 71 |
| ACCCCCX | 5 | 136 |
| ACCCCCCCCCCCCCCX | 14 | 65,553 |
By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.
Remediation
Upgrade org.springframework:spring-core to version 6.0.0, 6.2.19, 7.0.8 or higher.
References
medium severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16 › ch.qos.logback:logback-core@1.5.16Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.11.
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the logback.xml configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.3.16, 1.5.19 or higher.
References
medium severity
- Vulnerable module: org.springframework.boot:spring-boot
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.14.
Overview
Affected versions of this package are vulnerable to Symlink Attack due to insecure handling of Process ID (PID) files. When an application uses the ApplicationPidFileWriter, it writes its PID to a predictable file system path. A local attacker with write access to the PID file's directory can create a symbolic link (symlink) at that path. When the Spring Boot application starts, it follows this symlink and overwrites the target file with its PID. This allows the attacker to corrupt or "clobber" sensitive system files, potentially leading to a denial of service or system instability.
Remediation
Upgrade org.springframework.boot:spring-boot to version 3.5.14, 4.0.6 or higher.
References
medium severity
new
- Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
Affected versions of this package are vulnerable to Insecure Temporary File via the default data directory configuration in ArtemisEmbeddedConfigurationFactory. A local attacker can tamper with or redirect the embedded Artemis broker's data storage by pre-creating the predictable data directory or replacing it with a symlink before the application starts. This may allow unauthorized access to message data, injection of malicious messages, or further compromise through processing of attacker-controlled broker data.
Note: This is only exploitable by an attacker with local access to the host system before the application initializes the embedded broker.
Remediation
Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.15, 4.0.7, 4.1.0 or higher.
References
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16 › ch.qos.logback:logback-core@1.5.16
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: com.mchange:c3p0
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: com.mchange:mchange-commons-java
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:mchange-commons-java@0.2.15
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4 › com.mchange:mchange-commons-java@0.2.15
Dual license: EPL-1.0, LGPL-2.1
low severity
- Vulnerable module: org.springframework:spring-context
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.6.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.6.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.6.
Overview
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to an incomplete fix for CVE-2024-38820, where it is still possible to bypass the disallowedFields checks.
Note:
This vulnerability was also fixed in commercial versions 6.0.28 and 5.3.43.
Remediation
Upgrade org.springframework:spring-context to version 6.1.20, 6.2.7 or higher.
References
low severity
new
- Vulnerable module: org.springframework.boot:spring-boot-autoconfigure
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.15.
Overview
Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch via missing hostname verification in the auto-configuration. An attacker can impersonate a trusted mail server and intercept or manipulate SMTP communications because hostname verification is not enabled by default when establishing TLS-protected mail connections.
Note: Applications that explicitly enable hostname verification, for example by setting spring.mail.properties.mail.smtp.ssl.checkserveridentity=true, are not affected.
Remediation
Upgrade org.springframework.boot:spring-boot-autoconfigure to version 3.5.15, 4.0.7 or higher.
References
low severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16 › ch.qos.logback:logback-core@1.5.16Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.5.10.
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores during the configuration file processing. An attacker can instantiate arbitrary classes already present on the class path by compromising an existing configuration file.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.25 or higher.