l00169942 / se Goto Github PK

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - spring-expression-5.3.1.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.1/spring-expression-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-webmvc-5.3.1.jar
    • ❌ spring-expression-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.3.17

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.11

Vulnerable Library - spring-webmvc-5.3.1.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.1/spring-webmvc-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-webmvc-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.15

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - spring-expression-5.3.1.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.1/spring-expression-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-webmvc-5.3.1.jar
    • ❌ spring-expression-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.3.27

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.15

Vulnerable Library - spring-web-5.3.1.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.1/spring-web-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-web-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-03-16

URL: CVE-2024-22259

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22259

Release Date: 2024-03-16

Fix Resolution (org.springframework:spring-web): 5.3.33

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • spring-boot-starter-logging-2.4.0.jar
      • ❌ logback-classic-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: cf6c170a41390a79faafdfad5b90e56ac73fde41

Found in base branch: master

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution (ch.qos.logback:logback-classic): 1.2.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.1

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.0

Vulnerable Library - jackson-databind-2.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-json-2.4.0.jar
    • ❌ jackson-databind-2.11.3.jar (Vulnerable Library)

Found in HEAD commit: cf6c170a41390a79faafdfad5b90e56ac73fde41

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.0

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: SE/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • spring-boot-starter-logging-2.4.0.jar
      • ❌ logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

LOGBack before 1.2.8 is vulnerable to Remote-Code-Execution (RCE) when the write access to 'logback.xml' and JNDI lookup are enabled.

Publish Date: 2021-12-13

URL: WS-2021-0491

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Library - spring-web-5.3.1.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.1/spring-web-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-web-5.3.1.jar (Vulnerable Library)

Found in HEAD commit: cf6c170a41390a79faafdfad5b90e56ac73fde41

Found in base branch: master

Vulnerability Details

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Publish Date: 2021-05-27

URL: CVE-2021-22118

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22118

Release Date: 2021-05-27

Fix Resolution (org.springframework:spring-web): 5.3.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.6

Vulnerable Library - jackson-databind-2.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-json-2.4.0.jar
    • ❌ jackson-databind-2.11.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.11.4

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.2

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • spring-boot-starter-logging-2.4.0.jar
      • logback-classic-1.2.3.jar
        • ❌ logback-core-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution (ch.qos.logback:logback-core): 1.2.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.2.1

Vulnerable Library - spring-boot-2.4.0.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.4.0/spring-boot-2.4.0.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ spring-boot-2.4.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable when all of the following are true:

• the application uses Spring MVC or Spring WebFlux
• org.springframework.boot:spring-boot-actuator is on the classpath

Publish Date: 2023-11-28

URL: CVE-2023-34055

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34055

Release Date: 2023-11-28

Fix Resolution (org.springframework.boot:spring-boot): 2.7.18

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.7.18

Vulnerable Library - jackson-databind-2.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-json-2.4.0.jar
    • ❌ jackson-databind-2.11.3.jar (Vulnerable Library)

Found in HEAD commit: cf6c170a41390a79faafdfad5b90e56ac73fde41

Found in base branch: master

Vulnerability Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Publish Date: 2023-03-18

URL: CVE-2021-46877

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-46877

Release Date: 2023-03-18

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8

Vulnerable Library - spring-web-5.3.1.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.1/spring-web-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-web-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

Publish Date: 2024-02-23

URL: CVE-2024-22243

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22243

Release Date: 2024-02-23

Fix Resolution (org.springframework:spring-web): 5.3.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - spring-web-5.3.1.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.1/spring-web-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-web-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks.

This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.

Publish Date: 2024-04-16

URL: CVE-2024-22262

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22262

Release Date: 2024-04-16

Fix Resolution (org.springframework:spring-web): 5.3.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - spring-beans-5.3.1.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.1/spring-beans-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-web-5.3.1.jar
    • ❌ spring-beans-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.3.18

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.12

Vulnerable Library - spring-web-5.3.1.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.1/spring-web-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-web-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-10

Fix Resolution (org.springframework:spring-web): 5.3.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8

Vulnerable Library - spring-beans-5.3.1.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.3.1/spring-beans-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-web-5.3.1.jar
    • ❌ spring-beans-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-beans): 5.3.20

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.14

Vulnerable Library - spring-web-5.3.1.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.1/spring-web-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • ❌ spring-web-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution (org.springframework:spring-web): 6.0.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Libraries - spring-web-5.3.1.jar, spring-webmvc-5.3.1.jar

Found in HEAD commit: cf6c170a41390a79faafdfad5b90e56ac73fde41

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-web): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.12

Fix Resolution (org.springframework:spring-webmvc): 5.3.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.12

Vulnerable Library - spring-expression-5.3.1.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.1/spring-expression-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-webmvc-5.3.1.jar
    • ❌ spring-expression-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.15

Vulnerable Library - jackson-databind-2.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-json-2.4.0.jar
    • ❌ jackson-databind-2.11.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.7.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.0

Vulnerable Library - spring-context-5.3.1.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.3.1/spring-context-5.3.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-webmvc-5.3.1.jar
    • ❌ spring-context-5.3.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.3.19

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.13

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.8

Vulnerable Library - jackson-databind-2.11.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-json-2.4.0.jar
    • ❌ jackson-databind-2.11.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.15

Vulnerable Library - snakeyaml-1.27.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.27/snakeyaml-1.27.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ snakeyaml-1.27.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

Vulnerable Library - spring-boot-autoconfigure-2.4.0.jar

Spring Boot AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.4.0/spring-boot-autoconfigure-2.4.0.jar

Dependency Hierarchy:

• spring-boot-starter-web-2.4.0.jar (Root Library)
  • spring-boot-starter-2.4.0.jar
    • ❌ spring-boot-autoconfigure-2.4.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: 2023-05-26

URL: CVE-2023-20883

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20883

Release Date: 2023-05-26

Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.5.15

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.5.15