Find, fix and prevent vulnerabilities in your code.
critical severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.5.3
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.postgresql:postgresql@42.5.3Remediation: Upgrade to org.postgresql:postgresql@42.5.5.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection when using PreferQueryMode=SIMPLE, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer.
Remediation
Upgrade org.postgresql:postgresql to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.
References
high severity
- Vulnerable module: com.fasterxml.jackson.core:jackson-core
- Introduced through: com.fasterxml.jackson.core:jackson-core@2.14.0 and org.flywaydb:flyway-core@9.14.1
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › com.fasterxml.jackson.core:jackson-core@2.14.0Remediation: Upgrade to com.fasterxml.jackson.core:jackson-core@2.15.0.
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.flywaydb:flyway-core@9.14.1 › com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.14.0 › com.fasterxml.jackson.core:jackson-databind@2.14.0 › com.fasterxml.jackson.core:jackson-core@2.14.0Remediation: Upgrade to org.flywaydb:flyway-core@9.19.0.
Overview
com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation
Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing input size validation when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values, causing the application to exhaust all available resources.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.
References
high severity
- Vulnerable module: com.fasterxml.jackson.core:jackson-core
- Introduced through: com.fasterxml.jackson.core:jackson-core@2.14.0 and org.flywaydb:flyway-core@9.14.1
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › com.fasterxml.jackson.core:jackson-core@2.14.0Remediation: Upgrade to com.fasterxml.jackson.core:jackson-core@2.15.0.
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.flywaydb:flyway-core@9.14.1 › com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.14.0 › com.fasterxml.jackson.core:jackson-databind@2.14.0 › com.fasterxml.jackson.core:jackson-core@2.14.0Remediation: Upgrade to org.flywaydb:flyway-core@9.19.0.
Overview
com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation
Affected versions of this package are vulnerable to Stack-based Buffer Overflow due to the parse process, which accepts an unlimited input file with deeply nested data. An attacker can cause a stack overflow and crash the application by providing input files with excessively deep nesting.
Remediation
Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0-rc1 or higher.
References
high severity
- Vulnerable module: com.fasterxml.jackson.dataformat:jackson-dataformat-toml
- Introduced through: org.flywaydb:flyway-core@9.14.1
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.flywaydb:flyway-core@9.14.1 › com.fasterxml.jackson.dataformat:jackson-dataformat-toml@2.14.0Remediation: Upgrade to org.flywaydb:flyway-core@9.19.0.
Overview
Affected versions of this package are vulnerable to Improper Input Validation when parsing maliciously crafted TOML data due to improper validation of nesting depth. This vulnerability is exploitable when the parser is running on user-supplied input and might cause the parser to crash by Stackoverflow.
Remediation
Upgrade com.fasterxml.jackson.dataformat:jackson-dataformat-toml to version 2.15.0 or higher.
References
medium severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2, org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 and others
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-oauth2-resource-server@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-validation@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2 › org.springframework.boot:spring-boot-starter-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-oauth2-resource-server@4.0.0-M3 › org.springframework.boot:spring-boot-starter-security@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-web@4.0.0-M3 › org.springframework.boot:spring-boot-starter-jackson@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-web@4.0.0-M3 › org.springframework.boot:spring-boot-starter-tomcat@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the logback.xml configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.19 or higher.
References
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2, org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 and others
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-oauth2-resource-server@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-validation@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2 › org.springframework.boot:spring-boot-starter-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-oauth2-resource-server@4.0.0-M3 › org.springframework.boot:spring-boot-starter-security@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-web@4.0.0-M3 › org.springframework.boot:spring-boot-starter-jackson@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-web@4.0.0-M3 › org.springframework.boot:spring-boot-starter-tomcat@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2, org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 and others
Detailed paths
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-oauth2-resource-server@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-validation@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.mybatis.spring.boot:mybatis-spring-boot-starter@3.0.2 › org.springframework.boot:spring-boot-starter-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-data-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter-jdbc@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-oauth2-resource-server@4.0.0-M3 › org.springframework.boot:spring-boot-starter-security@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-web@4.0.0-M3 › org.springframework.boot:spring-boot-starter-jackson@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
-
Introduced through: simple-time-tracker/time-tracker-api@simple-time-tracker/time-tracker-api#79943b6436667c4de062605ecac8eb7cfcfa6e1f › org.springframework.boot:spring-boot-starter-web@4.0.0-M3 › org.springframework.boot:spring-boot-starter-tomcat@4.0.0-M3 › org.springframework.boot:spring-boot-starter@4.0.0-M3 › org.springframework.boot:spring-boot-starter-logging@4.0.0-M3 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Dual license: EPL-1.0, LGPL-2.1