Vulnerabilities

 15 via 24 paths

Dependencies

 116

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 7
  • 7
Status
  • 15
  • 0
  • 0

critical severity
new

Improper Authentication

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Authentication vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: org.apache.commons:commons-lang3
  • Introduced through: org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.16

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.16 org.springdoc:springdoc-openapi-starter-webmvc-api@2.8.16 org.springdoc:springdoc-openapi-starter-common@2.8.16 io.swagger.core.v3:swagger-core-jakarta@2.2.43 org.apache.commons:commons-lang3@3.17.0
    Remediation: Upgrade to org.springdoc:springdoc-openapi-starter-webmvc-ui@2.8.16.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity
new

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV LOCK and PROPFIND XML request bodies. An attacker can cause excessive resource consumption by sending specially crafted requests that trigger unbounded reads.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Use of a Broken or Risky Cryptographic Algorithm

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0 org.springframework.cloud:spring-cloud-starter@4.3.0 org.bouncycastle:bcprov-jdk18on@1.80
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0 org.springframework.cloud:spring-cloud-vault-config@4.3.0 org.springframework.cloud:spring-cloud-starter@4.3.0 org.bouncycastle:bcprov-jdk18on@1.80

Overview

Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to the generateCTR process in G3413CTRBlockCipher. An attacker can recover relationships between encrypted plaintext blocks by driving the cipher past its counter range and causing the counter to wrap, which makes the stream repeat and produces identical ciphertext for different blocks. This breaks the confidentiality of data protected with G3413CTRBlockCipher and can expose plaintext patterns or allow plaintext recovery when the same key and IV are reused across enough blocks.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

Use of a Broken or Risky Cryptographic Algorithm vulnerability report

high severity

Timing Attack

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0 org.springframework.cloud:spring-cloud-starter@4.3.0 org.bouncycastle:bcprov-jdk18on@1.80
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0 org.springframework.cloud:spring-cloud-vault-config@4.3.0 org.springframework.cloud:spring-cloud-starter@4.3.0 org.bouncycastle:bcprov-jdk18on@1.80

Overview

Affected versions of this package are vulnerable to Timing Attack through the sample and sample_matrix functions in FrodoEngine.java. An attacker can recover information about the sampled noise values by observing how long Frodo key generation or encapsulation takes when it processes attacker-influenced inputs. The variable-time comparison and sign handling in the error sampler leak the distribution of the generated samples, weakening the secrecy of the private Frodo noise and enabling key-recovery attacks against affected deployments.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

Timing Attack vulnerability report

high severity

Improper Encoding or Escaping of Output

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.apache.logging.log4j:log4j-core@2.25.3

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.apache.logging.log4j:log4j-core@2.25.3
    Remediation: Upgrade to org.apache.logging.log4j:log4j-core@2.25.4.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the XmlLayout plugin. An attacker can cause log events to be silently lost or malformed by injecting XML 1.0 forbidden characters into log messages or MDC values. This may result in malformed XML output, which can cause downstream log-processing systems to drop affected records or prevent log events from being delivered to their intended destinations.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Encoding or Escaping of Output vulnerability report

high severity

Improper Encoding or Escaping of Output

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.apache.logging.log4j:log4j-core@2.25.3

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.apache.logging.log4j:log4j-core@2.25.3
    Remediation: Upgrade to org.apache.logging.log4j:log4j-core@2.25.4.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Log4j1XmlLayout plugin. An attacker can cause log events to be silently lost or downstream log processing systems to drop or fail to index affected records by introducing XML 1.0 forbidden characters into log messages, resulting in malformed XML output that conforming XML parsers reject with a fatal error.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Encoding or Escaping of Output vulnerability report

high severity

Improper Output Neutralization for Logs

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.apache.logging.log4j:log4j-core@2.25.3

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.apache.logging.log4j:log4j-core@2.25.3
    Remediation: Upgrade to org.apache.logging.log4j:log4j-core@2.25.4.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rfc5424Layout plugin due to newLineEscape and useTlsMessageFormat configuration attributes being silently renamed, leading to improper handling of newline escaping for TCP framing and incorrect message formatting for TLS framing. An attacker can inject arbitrary log entries by supplying crafted CRLF sequences in log messages, potentially manipulating log output or bypassing log-based security controls.

Note:

This is only exploitable if the Rfc5424Layout is configured directly with affected attributes in stream-based syslog services.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Output Neutralization for Logs vulnerability report

medium severity
new

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity
new

Exposure of Private Personal Information to an Unauthorized Actor

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-websocket
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

Affected versions of this package are vulnerable to Exposure of Private Personal Information to an Unauthorized Actor in WebSocket client during authentication. An attacker can obtain sensitive HTTP authentication headers by initiating a WebSocket handshake with a malicious host.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 8.0.1, 9.0.0.M1, 9.0.118, 10.1.55, 11.0.22 or higher.

References

Exposure of Private Personal Information to an Unauthorized Actor vulnerability report

medium severity

LDAP Injection

  • Vulnerable module: org.bouncycastle:bcprov-jdk18on
  • Introduced through: org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0 org.springframework.cloud:spring-cloud-starter@4.3.0 org.bouncycastle:bcprov-jdk18on@1.80
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.cloud:spring-cloud-starter-vault-config@4.3.0 org.springframework.cloud:spring-cloud-vault-config@4.3.0 org.springframework.cloud:spring-cloud-starter@4.3.0 org.bouncycastle:bcprov-jdk18on@1.80

Overview

Affected versions of this package are vulnerable to LDAP Injection via the parseDN handling and the LDAP store helpers in X509LDAPCertStoreSpi and LDAPStoreHelper. An attacker can influence LDAP search filters by supplying a crafted X.500 subject or issuer string that is parsed into an unescaped filter value. This lets the attacker alter the directory query used to locate certificates and CRLs, causing the application to retrieve incorrect LDAP entries or fail to find the intended ones, which can break certificate validation and revocation checks.

Remediation

Upgrade org.bouncycastle:bcprov-jdk18on to version 1.84 or higher.

References

LDAP Injection vulnerability report

medium severity

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.apache.logging.log4j:log4j-core@2.25.3

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.apache.logging.log4j:log4j-core@2.25.3
    Remediation: Upgrade to org.apache.logging.log4j:log4j-core@2.25.4.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component when configured through the verifyHostName attribute of the <Ssl> element. An attacker can intercept and manipulate network traffic by presenting a certificate issued by a trusted certificate authority to the appender's configured trust store, or the default Java trust store if none is configured. This is only exploitable if an SMTP, Socket, or Syslog appender is in use and TLS is configured via a nested element.

Note:

This issue is due to incomplete fix for CVE-2025-68161.

Remediation

A fix was pushed into the master branch but not yet published.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

medium severity
new

Timing Attack

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret is correct by sending many authentication attempts directly to the connector and measuring the time taken to compare secrets.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Timing Attack vulnerability report

medium severity
new

Improper Authorization

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An attacker can gain unauthorized access to protected resources by crafting requests that exploit the improper application of these constraints.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Authorization vulnerability report

medium severity
new

Improper Handling of Case Sensitivity

  • Vulnerable module: org.apache.tomcat.embed:tomcat-embed-core
  • Introduced through: org.springframework.boot:spring-boot-starter-web@3.5.14

Detailed paths

  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.
  • Introduced through: uhawaii-system-its-ti-iam/uh-groupings-api@uhawaii-system-its-ti-iam/uh-groupings-api org.springframework.boot:spring-boot-starter-web@3.5.14 org.springframework.boot:spring-boot-starter-tomcat@3.5.14 org.apache.tomcat.embed:tomcat-embed-websocket@10.1.54 org.apache.tomcat.embed:tomcat-embed-core@10.1.54
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-web@4.0.0.

Overview

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the LockOutRealm function. An attacker can bypass account lockout protections by submitting usernames with different letter casing.

Remediation

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.118, 10.1.55, 11.0.22 or higher.

References

Improper Handling of Case Sensitivity vulnerability report