Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: org.springframework:spring-beans
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-tx@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2 › org.springframework:spring-aop@6.2.2 › org.springframework:spring-beans@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.9.
Overview
org.springframework:spring-beans is a package that is the basis for Spring Framework's IoC container. The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
Affected versions of this package are vulnerable to Relative Path Traversal when deployed on non-compliant Servlet containers. An unauthenticated attacker could gain access to files and directories outside the intended web root.
Notes:
This is only exploitable if the application is deployed as a WAR or with an embedded Servlet container, the Servlet container does not reject suspicious sequences and the application serves static resources with Spring resource handling.
Applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration.
This vulnerability was also fixed in the commercial versions 6.1.22 and 5.3.44.
Remediation
Upgrade org.springframework:spring-beans to version 6.2.10 or higher.
References
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-starter-logging@3.4.2 › ch.qos.logback:logback-classic@1.5.16 › ch.qos.logback:logback-core@1.5.16
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: com.mchange:c3p0
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: com.mchange:mchange-commons-java
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:mchange-commons-java@0.2.15
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.quartz-scheduler:quartz@2.3.2 › com.mchange:c3p0@0.9.5.4 › com.mchange:mchange-commons-java@0.2.15
Dual license: EPL-1.0, LGPL-2.1
low severity
- Vulnerable module: org.springframework:spring-context
- Introduced through: org.springframework.boot:spring-boot-starter-quartz@3.4.2
Detailed paths
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework:spring-context-support@6.2.2 › org.springframework:spring-context@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.6.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.6.
-
Introduced through: sebastienvermeille/rika2mqtt@sebastienvermeille/rika2mqtt#e8ecda94be94d33514aff305cf55d42265a90fc4 › org.springframework.boot:spring-boot-starter-quartz@3.4.2 › org.springframework.boot:spring-boot-starter@3.4.2 › org.springframework.boot:spring-boot-autoconfigure@3.4.2 › org.springframework.boot:spring-boot@3.4.2 › org.springframework:spring-context@6.2.2Remediation: Upgrade to org.springframework.boot:spring-boot-starter-quartz@3.4.6.
Overview
Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to an incomplete fix for CVE-2024-38820, where it is still possible to bypass the disallowedFields checks.
Note:
This vulnerability was also fixed in commercial versions 6.0.28 and 5.3.43.
Remediation
Upgrade org.springframework:spring-context to version 6.1.20, 6.2.7 or higher.