Vulnerabilities	1 via 4 paths
Dependencies	105
Source	GitHub
Commit	41f8aa6f

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Issue type

Vulnerabilities
1
License issues
3

Severity

Critical
1
High
Medium
3
Low

Status

Open
4
Patched
0
Ignored
0

critical severity

new

Authentication Bypass by Primary Weakness

Vulnerable module: org.springframework.security:spring-security-crypto
Introduced through: org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1

Detailed paths

Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.cloud:spring-cloud-commons@4.2.1 › org.springframework.security:spring-security-crypto@6.4.3
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.cloud:spring-cloud-context@4.2.1 › org.springframework.security:spring-security-crypto@6.4.3
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.cloud:spring-cloud-commons@4.2.1 › org.springframework.security:spring-security-crypto@6.4.3
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.cloud:spring-cloud-context@4.2.1 › org.springframework.security:spring-security-crypto@6.4.3

…and 1 more

Overview

org.springframework.security:spring-security-crypto is a spring-security-crypto library for Spring Security.

Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness in the BCryptPasswordEncoder.matches() function, which only takes the first 72 characters for comparison. Passwords longer than this will incorrectly return true when compared against other strings sharing the same first 72 characters, making them easier to brute force.

Note: Patches have also been issued for older versions of Enterprise Support packages.

Remediation

Upgrade org.springframework.security:spring-security-crypto to version 6.3.8, 6.4.4 or higher.

References

Authentication Bypass by Primary Weakness vulnerability report

medium severity

new

Dual license: EPL-1.0, LGPL-2.1

Module: ch.qos.logback:logback-classic
Introduced through: org.springframework.boot:spring-boot-starter-actuator@3.4.4, org.springframework.boot:spring-boot-starter-mail@3.4.4 and others

Detailed paths

Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-actuator@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-mail@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-test@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter-json@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18

…and 4 more

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

new

Dual license: EPL-1.0, LGPL-2.1

Module: ch.qos.logback:logback-core
Introduced through: org.springframework.boot:spring-boot-starter-actuator@3.4.4, org.springframework.boot:spring-boot-starter-mail@3.4.4 and others

Detailed paths

Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-actuator@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-mail@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-test@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter-json@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › ch.qos.logback:logback-classic@1.5.18 › ch.qos.logback:logback-core@1.5.18

…and 4 more

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

new

EPL-1.0 license

Module: junit:junit
Introduced through: org.apache.logging.log4j:log4j-core@2.17.1, org.springframework.boot:spring-boot-starter-actuator@3.4.4 and others

Detailed paths

Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.apache.logging.log4j:log4j-core@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.apache.logging.log4j:log4j-core@2.17.1 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.apache.logging.log4j:log4j-core@2.17.1 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-actuator@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-mail@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-test@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-actuator@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-mail@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-test@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter-json@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.boot:spring-boot-starter-web@3.4.4 › org.springframework.boot:spring-boot-starter-json@3.4.4 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.jupiter:junit-jupiter-migrationsupport@5.7.2 › junit:junit@4.13.2
Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api#41f8aa6fd67ae3fa1c911e4d4671b96cb2437076 › org.springframework.cloud:spring-cloud-starter-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-vault-config@4.2.1 › org.springframework.cloud:spring-cloud-starter@4.2.1 › org.springframework.boot:spring-boot-starter@3.4.4 › org.springframework.boot:spring-boot-starter-logging@3.4.4 › org.apache.logging.log4j:log4j-to-slf4j@2.24.3 › org.apache.logging.log4j:log4j-api@2.17.1 › org.junit.vintage:junit-vintage-engine@5.7.2 › junit:junit@4.13.2

…and 14 more

EPL-1.0 license

EPL-1.0 license vulnerability report

uhawaii-system-its-ti-iam/uh-groupings-api

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

critical severity new

Authentication Bypass by Primary Weakness

Detailed paths

Overview

Remediation

References

medium severity new

Dual license: EPL-1.0, LGPL-2.1

Detailed paths

medium severity new

Dual license: EPL-1.0, LGPL-2.1

Detailed paths

medium severity new

EPL-1.0 license

Detailed paths

critical severity

new

medium severity

new

medium severity

new

medium severity

new