hygieia-core's Introduction

Due to changes in priorities, this project is currently not being supported. The project was archived as of 6/1/2023 and will remain available in a read-only state. Please note that, since archival, the project is not maintained or reviewed.

We are excited to announce the transfer of the Hygieia Project to its own GitHub Organization. This move lets us manage the APIs and the individual collectors in their own repositories, which makes for better product management. All components of Hygieia are now available under the Hygieia Organization.

Pronunciation: hi-gee-ya (Origin: Greek)

hygieia-core's People

Contributors

alzafacon, andrewalvintran, aochsner, beasknees, benj58xu, chtompki, chzhanpeng, codeprc, courtneyp123, cschristine, d-m-moriarty, danielyhuang, dcanar9, heffrey, isuru89, jar145, kumarvarun1252, miablo, nameisaravind, nescohen, nireesht, rvema, sandhya-rajasabeson, sbrenthughes, shriver135, stevegal, subodhsbattina, sullis, tatlax3636, vidhya9lakshmi

hygieia-core's Issues

CVE-2020-13956 (Medium) detected in httpclient-4.5.9.jar

CVE-2020-13956 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.5.9.jar

Apache HttpComponents Client

Library home page: http://hc.apache.org/

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: pository/org/apache/httpcomponents/httpclient/4.5.9/httpclient-4.5.9.jar

Dependency Hierarchy:

  • httpclient-4.5.9.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-07-21

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3


CVE-2022-22965 (High) detected in spring-beans-4.3.25.RELEASE.jar

CVE-2022-22965 - High Severity Vulnerability

Vulnerable Library - spring-beans-4.3.25.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.25.RELEASE/spring-beans-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Root Library)
    • spring-beans-4.3.25.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 5.3.0


CVE-2022-42003 (Medium) detected in jackson-databind-2.10.3.jar - autoclosed

CVE-2022-42003 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • jackson-databind-2.10.3.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Not able to build in Windows 10

Hi all,
I was not able to build the hygieia-core project on Windows 10.

Steps to Reproduce:

  1. Clone the repo
  2. Open Command prompt/Power Shell
  3. Navigate to the cloned repo
  4. Run mvn clean install package

Expected:

Build to be successful

Actual:

hygieia-core build error

CVE-2020-36518 (High) detected in jackson-databind-2.10.3.jar

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • jackson-databind-2.10.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2816

Release Date: 2022-03-11

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE


CVE-2023-20860 (High) detected in spring-webmvc-5.3.18.jar

CVE-2023-20860 - High Severity Vulnerability

Vulnerable Library - spring-webmvc-5.3.18.jar

Spring Web MVC

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/5.3.18/spring-webmvc-5.3.18.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.5.12.jar (Root Library)
    • spring-webmvc-5.3.18.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Publish Date: 2023-03-27

URL: CVE-2023-20860

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2023/03/21/this-week-in-spring-march-21st-2023/

Release Date: 2023-03-27

Fix Resolution (org.springframework:spring-webmvc): 5.3.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.0


CVE-2021-22118 (High) detected in spring-web-5.2.9.RELEASE.jar

CVE-2021-22118 - High Severity Vulnerability

Vulnerable Library - spring-web-5.2.9.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: pository/org/springframework/spring-web/5.2.9.RELEASE/spring-web-5.2.9.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Publish Date: 2021-05-27

URL: CVE-2021-22118

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22118

Release Date: 2021-05-27

Fix Resolution: org.springframework:spring-web:5.2.15,5.3.7


CVE-2022-31692 (High) detected in spring-security-web-5.5.7.jar - autoclosed

CVE-2022-31692 - High Severity Vulnerability

Vulnerable Library - spring-security-web-5.5.7.jar

Spring Security

Library home page: https://spring.io/projects/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.5.7/spring-security-web-5.5.7.jar

Dependency Hierarchy:

  • spring-boot-starter-security-2.5.13.jar (Root Library)
    • spring-security-web-5.5.7.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Spring Security, versions 5.7 prior to 5.7.5 and 5.6 prior to 5.6.9 could be susceptible to authorization rules bypass via forward or include dispatcher types. Specifically, an application is vulnerable when all of the following are true:

  • The application expects that Spring Security applies security to forward and include dispatcher types.
  • The application uses the AuthorizationFilter either manually or via the authorizeHttpRequests() method.
  • The application configures the FilterChainProxy to apply to forward and/or include requests (e.g. spring.security.filter.dispatcher-types = request, error, async, forward, include).
  • The application may forward or include the request to a higher privilege-secured endpoint.
  • The application configures Spring Security to apply to every dispatcher type via authorizeHttpRequests().shouldFilterAllDispatcherTypes(true).

Publish Date: 2022-10-31

URL: CVE-2022-31692

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-31692

Release Date: 2022-10-31

Fix Resolution: org.springframework.security:spring-security-web:5.6.9,5.7.5


Should the current SNAPSHOT version of Hygieia core be 3.5.9-SNAPSHOT

I see that the latest release version of Hygieia is 3.5.8, so the current SNAPSHOT version for core should be 3.5.9-SNAPSHOT. I am curious why the current SNAPSHOT version of this project (hygieia-core) is 3.5.8-SNAPSHOT.

Reference -
During the release process, a version of x.y-SNAPSHOT changes to x.y. The release process also increments the development version to x.(y+1)-SNAPSHOT. For example, version 1.0-SNAPSHOT is released as version 1.0, and the new development version is version 1.1-SNAPSHOT.

CVE-2016-1000027 (High) detected in spring-web-5.2.9.RELEASE.jar

CVE-2016-1000027 - High Severity Vulnerability

Vulnerable Library - spring-web-5.2.9.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: pository/org/springframework/spring-web/5.2.9.RELEASE/spring-web-5.2.9.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: spring-projects/spring-framework#25379

Release Date: 2020-01-02

Fix Resolution: org.springframework:spring-web:5.3.0


Maven Install Error

Affects: 3.9.1.


I am following the instructions from https://github.com/Hygieia/Hygieia/blob/gh-pages/pages/hygieia/setup.md, and when I execute mvn clean install under the \hygieia-core directory I get the following error.

Results :

Tests run: 134, Failures: 0, Errors: 0, Skipped: 1

[INFO]
[INFO] --- jacoco-maven-plugin:0.8.5:report (default-report) @ core ---
[INFO] Loading execution data file D:\Hygieia\hygieia-core-master\target\jacoco.exec
[INFO] Analyzed bundle 'com.capitalone.dashboard:core' with 394 classes
[INFO]
[INFO] --- maven-jar-plugin:2.5:jar (default-jar) @ core ---
[INFO] Building jar: D:\Hygieia\hygieia-core-master\target\core-3.9.1.jar
[INFO]
[INFO] --- spring-boot-maven-plugin:1.3.6.RELEASE:repackage (default) @ core ---
[INFO]
[INFO] --- japicmp-maven-plugin:0.13.1:cmp (default) @ core ---
[INFO] Unable to find a previous version of the project in the repository.
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  05:39 min
[INFO] Finished at: 2020-08-25T17:35:35-04:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal com.github.siom79.japicmp:japicmp-maven-plugin:0.13.1:cmp (default) on project core: Please provide at least one resolvable old version using one of the configuration elements <oldVersion/> or <oldVersions/>. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

Thanks,
Monil

CVE-2020-13943 (Medium) detected in tomcat-embed-core-8.5.57.jar

CVE-2020-13943 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.57.jar

Core Tomcat implementation

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.57/tomcat-embed-core-8.5.57.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
      • tomcat-embed-core-8.5.57.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Publish Date: 2020-10-12

URL: CVE-2020-13943

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r4a390027eb27e4550142fac6c8317cc684b157ae314d31514747f307%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2020-10-12

Fix Resolution: org.apache.tomcat:tomcat-coyote:8.5.58,9.0.38,10.0.0-M8;org.apache.tomcat.embed:tomcat-embed-core:8.5.58,9.0.38,10.0.0-M8


CVE-2020-8908 (Low) detected in guava-29.0-jre.jar

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: pository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar

Dependency Hierarchy:

  • guava-29.0-jre.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0


CVE-2021-42550 (Medium) detected in logback-classic-1.2.3.jar - autoclosed

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • spring-boot-starter-logging-1.5.22.RELEASE.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://logback.qos.ch/news.html

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.8


CVE-2021-25122 (High) detected in tomcat-embed-core-8.5.57.jar

CVE-2021-25122 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.57.jar

Core Tomcat implementation

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.57/tomcat-embed-core-8.5.57.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
      • tomcat-embed-core-8.5.57.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Publish Date: 2021-03-01

URL: CVE-2021-25122

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-03-01

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:8.5.62,9.0.42,10.0.2;org.apache.tomcat:tomcat-coyote:8.5.62,9.0.42,10.0.2


CVE-2021-22112 (High) detected in spring-security-web-4.2.18.RELEASE.jar

CVE-2021-22112 - High Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.18.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.18.RELEASE/spring-security-web-4.2.18.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-security-web-4.2.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Publish Date: 2021-02-23

URL: CVE-2021-22112

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22112

Release Date: 2021-02-23

Fix Resolution: org.springframework.security:spring-security-web:5.2.9,5.3.8,5.4.4


CVE-2021-22096 (Medium) detected in multiple libraries

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-5.2.9.RELEASE.jar, spring-webmvc-4.3.25.RELEASE.jar, spring-core-4.3.25.RELEASE.jar

spring-web-5.2.9.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /pository/org/springframework/spring-web/5.2.9.RELEASE/spring-web-5.2.9.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Vulnerable Library)

spring-webmvc-4.3.25.RELEASE.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-webmvc/4.3.25.RELEASE/spring-webmvc-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-webmvc-4.3.25.RELEASE.jar (Vulnerable Library)

spring-core-4.3.25.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.25.RELEASE/spring-core-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Root Library)
    • spring-core-4.3.25.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: org.springframework:spring-core:5.2.18.RELEASE,5.3.12;org.springframework:spring-web:5.2.18.RELEASE,5.3.12;org.springframework:spring-webmvc:5.2.18.RELEASE,5.3.12;org.springframework:spring-webflux:5.2.18.RELEASE,5.3.12


WS-2021-0616 (Medium) detected in jackson-databind-2.10.3.jar

WS-2021-0616 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • jackson-databind-2.10.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1, there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#3328

Release Date: 2021-11-20

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.11.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE


CVE-2022-22970 (High) detected in spring-beans-4.3.25.RELEASE.jar, spring-core-4.3.25.RELEASE.jar

CVE-2022-22970 - High Severity Vulnerability

Vulnerable Libraries - spring-beans-4.3.25.RELEASE.jar, spring-core-4.3.25.RELEASE.jar

spring-beans-4.3.25.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.25.RELEASE/spring-beans-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Root Library)
    • spring-beans-4.3.25.RELEASE.jar (Vulnerable Library)
spring-core-4.3.25.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.25.RELEASE/spring-core-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Root Library)
    • spring-core-4.3.25.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-beans): 5.3.20

Direct dependency fix Resolution (org.springframework:spring-web): 5.3.20

Fix Resolution (org.springframework:spring-core): 5.3.20

Direct dependency fix Resolution (org.springframework:spring-web): 5.3.20


Step up your Open Source Security Game with Mend here

commit - 378c97c993588971efbbaee387b70de84a3c2c0d

Affects: <hygieia-core-version-number>.


Check diff for above commit -> 378c97c#diff-78720a6741a87da7354434f03814ec4c4cbf5ac4f3d1932e5db38f348d13d3dc

Where is "CollectorType.Product" associated with the component of a team dashboard? Unable to understand the changes in processBuild and processFailedBuild, where one tries to fetch the Product collector for a component of a Team application:

    List<CollectorItem> productCIs = component.getCollectorItems(CollectorType.Product);
    for (CollectorItem productCI : productCIs) {
        // ... loop body as in the commit
    }

The earlier code appeared to be correct, as pipelines are associated with Team Dashboards.

Appreciate your guidance.

CVE-2022-27772 (High) detected in spring-boot-1.5.22.RELEASE.jar

CVE-2022-27772 - High Severity Vulnerability

Vulnerable Library - spring-boot-1.5.22.RELEASE.jar

Spring Boot

Library home page: https://projects.spring.io/spring-boot/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/1.5.22.RELEASE/spring-boot-1.5.22.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • spring-boot-1.5.22.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

Publish Date: 2022-03-30

URL: CVE-2022-27772

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm59-pr5q-cw85

Release Date: 2022-03-30

Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-security): 2.2.11.RELEASE


Step up your Open Source Security Game with Mend here
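The CVE-2022-27772 report above describes temporary-directory hijacking: a working directory under a shared temp root whose name another local user can predict and create first. The Python below is an added illustration of that bug class, not Spring Boot's createTempDir code and not part of this project. It simulates an attacker pre-creating the guessable directory, shows the vulnerable code silently reusing it, and contrasts that with a directory created atomically under an unpredictable name with mode 0700. The "app" prefix, the helper names and the fresh scratch root are assumptions of the example, and the permission check only means something on POSIX systems.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional


def guessable_temp_dir(base: Path, app_name: str) -> Path:
    """The vulnerable pattern: a name any local user can predict under a shared
    temp root, created if absent and silently reused if present. Whoever
    created it first controls it and everything later written into it."""
    d = base / f"{app_name}.tmp"  # assumed naming scheme for the example
    d.mkdir(exist_ok=True)
    return d


def private_temp_dir(base: Path, app_name: str) -> Path:
    """Hardened: unpredictable name, created atomically with mode 0700, and an
    error rather than reuse if the name somehow already exists."""
    return Path(tempfile.mkdtemp(prefix=f"{app_name}-", dir=base))


def is_private(path: Path) -> bool:
    """True when the directory is ours and closed to group and others."""
    st = path.stat()
    if not stat.S_ISDIR(st.st_mode):
        return False
    if os.name != "posix":
        return True  # mode bits carry no meaning on this platform
    return st.st_uid == os.getuid() and (st.st_mode & 0o077) == 0


def demo(shared_tmp: Optional[Path] = None) -> Dict[str, object]:
    """Simulate the hijack: an unprivileged 'attacker' pre-creates the guessable
    directory, then the application starts and creates its working directory.
    A fresh scratch root stands in for the shared system temp directory."""
    if shared_tmp is None:
        shared_tmp = Path(tempfile.mkdtemp(prefix="shared-tmp-"))
    attacker_dir = shared_tmp / "app.tmp"
    attacker_dir.mkdir()
    attacker_dir.chmod(0o777)  # attacker leaves it world-accessible

    vulnerable = guessable_temp_dir(shared_tmp, "app")
    hardened = private_temp_dir(shared_tmp, "app")
    return {
        "vulnerable_reused_attacker_dir": vulnerable == attacker_dir,
        "vulnerable_is_private": is_private(vulnerable),
        "hardened_is_private": is_private(hardened),
        "hardened_path": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two properties that matter are in private_temp_dir: the name is not predictable, and creation is a single atomic step that fails instead of adopting a pre-existing directory, so there is no window in which another user can substitute their own.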

CVE-2021-25329 (High) detected in tomcat-embed-core-8.5.57.jar

CVE-2021-25329 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.57.jar

Core Tomcat implementation

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.57/tomcat-embed-core-8.5.57.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
      • tomcat-embed-core-8.5.57.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Publish Date: 2021-03-01

URL: CVE-2021-25329

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E

Release Date: 2021-03-01

Fix Resolution: org.apache.tomcat:tomcat:7.0.108, org.apache.tomcat:tomcat:8.5.63, org.apache.tomcat:tomcat:9.0.43,org.apache.tomcat:tomcat:10.0.2


Step up your Open Source Security Game with WhiteSource here

CVE-2021-22060 (Medium) detected in spring-web-5.2.9.RELEASE.jar

CVE-2021-22060 - Medium Severity Vulnerability

Vulnerable Library - spring-web-5.2.9.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /pository/org/springframework/spring-web/5.2.9.RELEASE/spring-web-5.2.9.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.2.9.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6gf2-pvqw-37ph

Release Date: 2022-01-10

Fix Resolution: 5.2.19.RELEASE


Step up your Open Source Security Game with Mend here
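The CVE-2021-22060 report above concerns log injection: a request value carrying a line break is written into the log and reads back as a separate, forged record. As an added example rather than Spring's or this project's code, the Python below shows the raw interpolation beside a sanitiser that escapes line terminators and control characters before the value reaches the log. The record format, the field names and the constructed username are assumptions of the example.

```python
import re

# Line terminators and control characters that let one value masquerade as a
# new log record (CR, LF, NEL, LS, PS) or drive a terminal (ESC and friends).
_UNSAFE = re.compile(r"[\x00-\x1f\x7f\u0085\u2028\u2029]")
_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """Make attacker-controlled text safe to interpolate into a single log line.
    Every unsafe character is replaced by a visible escape, so a forgery attempt
    stays on the original record and is itself evidence, and overlong values are
    truncated so a single field cannot flood the log."""
    cleaned = _UNSAFE.sub(
        lambda m: _NAMED.get(m.group(0), f"\\u{ord(m.group(0)):04x}"), value
    )
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...(truncated)"
    return cleaned


def unsafe_login_failed_record(username: str, client_ip: str) -> str:
    """The vulnerable pattern: user input interpolated into the record as-is."""
    return f"WARN auth: login failed for user='{username}' from {client_ip}"


def login_failed_record(username: str, client_ip: str) -> str:
    """Same record with the user-supplied name neutralised first."""
    return f"WARN auth: login failed for user='{sanitize_for_log(username)}' from {client_ip}"


# Constructed attacker input (example data): a username that tries to append a
# second, reassuring record to the log.
FORGED_USER = "alice\r\nINFO auth: login succeeded for user='admin' from 10.0.0.1"


if __name__ == "__main__":
    print("unsafe:")
    print(unsafe_login_failed_record(FORGED_USER, "203.0.113.7"))
    print("sanitised:")
    print(login_failed_record(FORGED_USER, "203.0.113.7"))
```

The unsafe variant yields two physical lines, the second of which looks exactly like a genuine successful login; the sanitised variant keeps everything on one line with the CR/LF visible as \r\n, so an analyst grepping for the forged text finds it attached to the record that carried it.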

CVE-2020-10693 (Medium) detected in hibernate-validator-5.3.6.Final.jar

CVE-2020-10693 - Medium Severity Vulnerability

Vulnerable Library - hibernate-validator-5.3.6.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.3.6.Final/hibernate-validator-5.3.6.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • hibernate-validator-5.3.6.Final.jar (Vulnerable Library)

Found in HEAD commit: 226db6c94a70cf978d11865340b7bb5440b7e7c8

Found in base branch: master

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hibernate.atlassian.net/projects/HV/issues/HV-1774

Release Date: 2020-05-06

Fix Resolution: org.hibernate:hibernate-validator:6.0.20.Final,6.1.5.Final


Step up your Open Source Security Game with WhiteSource here

CVE-2020-25649 (High) detected in jackson-databind-2.10.3.jar

CVE-2020-25649 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • jackson-databind-2.10.3.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2589

Release Date: 2020-12-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.4,2.9.10.7,2.10.5.1,2.11.0.rc1


Step up your Open Source Security Game with WhiteSource here

CVE-2023-20861 (Medium) detected in spring-expression-5.3.18.jar

CVE-2023-20861 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.3.18.jar

Spring Expression Language (SpEL)

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.18/spring-expression-5.3.18.jar

Dependency Hierarchy:

  • spring-data-mongodb-3.4.1.jar (Root Library)
    • spring-expression-5.3.18.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://securityonline.info/cve-2023-20860-high-severity-vulnerability-in-spring-framework/

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.3.25

Direct dependency fix Resolution (org.springframework.data:spring-data-mongodb): 3.4.7


Step up your Open Source Security Game with Mend here

WS-2021-0491 (Medium) detected in logback-classic-1.2.3.jar - autoclosed

WS-2021-0491 - Medium Severity Vulnerability

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-1.5.22.RELEASE.jar
      • spring-boot-starter-logging-1.5.22.RELEASE.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

LOGBack before 1.2.8 is vulnerable to Remote-Code-Execution (RCE) when write access to 'logback.xml' and JNDI lookup are enabled.

Publish Date: 2021-12-13

URL: WS-2021-0491

CVSS 2 Score Details (0.0)

Base Score Metrics not available


Step up your Open Source Security Game with WhiteSource here

CVE-2022-42004 (Medium) detected in jackson-databind-2.10.3.jar - autoclosed

CVE-2022-42004 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.3/jackson-databind-2.10.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • jackson-databind-2.10.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4


Step up your Open Source Security Game with Mend here
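The CVE-2022-42004 description above is about a deserializer that follows array nesting recursively, so a document consisting of many thousands of opening brackets costs stack and time before any application logic runs. As an added example, not Jackson's or this project's code, the Python below bounds nesting with one linear scan of the raw text before the recursive parser is ever invoked, which is the generic form of the check the advisory says was missing. The limit of 32, the helper names and the two sample documents are assumptions of the example.

```python
import json
from typing import Any


class NestingTooDeep(ValueError):
    """Raised before parsing when the document nests deeper than allowed."""


def max_nesting_depth(text: str, limit: int) -> int:
    """Single linear pass over raw JSON text that returns the deepest bracket
    nesting seen, raising NestingTooDeep as soon as `limit` is exceeded.
    Brackets inside string literals are ignored and backslash escapes are
    honoured, so a string such as "[[" contributes nothing."""
    depth = 0
    deepest = 0
    in_string = False
    escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
            deepest = max(deepest, depth)
        elif ch in "]}":
            depth -= 1  # unbalanced input is left for json.loads to reject
    return deepest


def safe_loads(text: str, limit: int = 32) -> Any:
    """Bound nesting before the recursive parser sees the input."""
    max_nesting_depth(text, limit)
    return json.loads(text)


# Constructed inputs (example data, not from the page): an ordinary document
# and a bracket bomb of the kind the advisory describes.
BENIGN = '{"build": {"steps": [{"name": "compile", "tags": ["[not]", "{nested}"]}]}}'
BOMB = "[" * 100_000 + "]" * 100_000


if __name__ == "__main__":
    print("benign depth:", max_nesting_depth(BENIGN, 32))
    try:
        safe_loads(BOMB)
    except NestingTooDeep as exc:
        print("rejected:", exc)
```

The scan is O(n) and allocates nothing, so the rejection costs far less than the attacker's payload did to send; the equivalent in a Jackson-based service is to apply the library's own nesting limit once on a fixed version, but the pre-parse guard is what protects a codebase that cannot upgrade yet.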

Use maven-wrapper

https://github.com/takari/maven-wrapper

The Maven Wrapper is an excellent choice for projects that need a specific version of Maven (or for users that don’t want to install Maven at all). Instead of installing many versions of it in the operating system, we can just use the project-specific wrapper script.

Package clashes

This package structure clashes with the package structure in the Hygieia/api package, which will lead to an unpredictable loading order (across OSes) if there are any class name clashes.
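As an added example for the clash described above, not tooling from the Hygieia project, the Python below lists the classes in every jar on a classpath and reports both exact duplicate classes (where classpath order decides which copy the JVM loads) and packages split across jars (which turn into duplicates the moment a class is moved). The two jars and their com.example package names are constructed fixtures, not the real hygieia-core or api artifacts.

```python
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set


def classes_in_jar(jar: Path) -> List[str]:
    """Fully-qualified names of the classes a jar provides."""
    with zipfile.ZipFile(jar) as zf:
        return [
            name[: -len(".class")].replace("/", ".")
            for name in zf.namelist()
            if name.endswith(".class") and not name.startswith("META-INF/")
        ]


def find_class_clashes(jars: Iterable[Path]) -> Dict[str, List[str]]:
    """Classes that more than one jar provides. Which copy the JVM actually
    loads depends on classpath order, which differs between build tools,
    operating systems and packaging, so these are latent bugs."""
    providers: Dict[str, List[str]] = defaultdict(list)
    for jar in jars:
        for fqcn in classes_in_jar(jar):
            providers[fqcn].append(jar.name)
    return {c: sorted(j) for c, j in providers.items() if len(j) > 1}


def split_packages(jars: Iterable[Path]) -> Dict[str, List[str]]:
    """Packages spread over several jars. Even without a clash today, a split
    package means a class added or moved in one artifact can shadow the other."""
    providers: Dict[str, Set[str]] = defaultdict(set)
    for jar in jars:
        for fqcn in classes_in_jar(jar):
            providers[fqcn.rpartition(".")[0]].add(jar.name)
    return {p: sorted(j) for p, j in providers.items() if len(j) > 1}


def build_fixture(root: Optional[Path] = None) -> List[Path]:
    """Two constructed jars (example data, not the real artifacts) whose
    package trees overlap and which both carry a copy of one model class."""
    if root is None:
        root = Path(tempfile.mkdtemp(prefix="jars-"))
    spec = {
        "core.jar": ["com/example/dashboard/model/Build.class",
                     "com/example/dashboard/util/Ids.class"],
        "api.jar": ["com/example/dashboard/model/Build.class",
                    "com/example/dashboard/rest/BuildController.class"],
    }
    paths = []
    for name, entries in spec.items():
        path = root / name
        with zipfile.ZipFile(path, "w") as zf:
            for entry in entries:
                # class-file magic bytes are enough for a listing-based check
                zf.writestr(entry, b"\xca\xfe\xba\xbe")
        paths.append(path)
    return paths


if __name__ == "__main__":
    jars = build_fixture()
    print("duplicate classes:", find_class_clashes(jars))
    print("split packages:", split_packages(jars))
```

Pointing build_fixture's two functions at the jars Maven resolves for a module gives a check that can run in CI and fail the build on any duplicate class, which is the reliable way to make the loading order irrelevant.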

CVE-2021-43980 (Medium) detected in tomcat-embed-core-9.0.48.jar - autoclosed

CVE-2021-43980 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.48.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.48/tomcat-embed-core-9.0.48.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
      • tomcat-embed-core-9.0.48.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Publish Date: 2022-09-28

URL: CVE-2021-43980

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3

Release Date: 2022-09-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.62

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE


Step up your Open Source Security Game with Mend here

WS-2020-0293 (Medium) detected in spring-security-web-4.2.18.RELEASE.jar

WS-2020-0293 - Medium Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.18.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.18.RELEASE/spring-security-web-4.2.18.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-security-web-4.2.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

Spring Security before 5.2.9, 5.3.7, and 5.4.3 is vulnerable to side-channel attacks. Vulnerable versions of Spring Security don't use constant time comparisons for CSRF tokens.

Publish Date: 2020-12-17

URL: WS-2020-0293

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: spring-projects/spring-security#9291

Release Date: 2020-12-17

Fix Resolution: org.springframework.security:spring-security-web:5.2.9,5.3.7,5.4.3


Step up your Open Source Security Game with WhiteSource here

CVE-2022-22950 (Medium) detected in spring-expression-4.3.25.RELEASE.jar

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-4.3.25.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/4.3.25.RELEASE/spring-expression-4.3.25.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-security-web-4.2.18.RELEASE.jar
      • spring-expression-4.3.25.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-security): 2.5.0


Step up your Open Source Security Game with Mend here

CVE-2023-20863 (Medium) detected in spring-expression-5.3.18.jar

CVE-2023-20863 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.3.18.jar

Spring Expression Language (SpEL)

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.3.18/spring-expression-5.3.18.jar

Dependency Hierarchy:

  • spring-data-mongodb-3.4.1.jar (Root Library)
    • spring-expression-5.3.18.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions prior to 5.2.24 release+, 5.3.27+ and 6.0.8+, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.3.27

Direct dependency fix Resolution (org.springframework.data:spring-data-mongodb): 4.0.0


Step up your Open Source Security Game with Mend here

Maven build failing for version 3.6.8

Affects: Version 3.6.8.
While performing a fresh installation of Hygieia on my Mac, the Maven build of hygieia-core fails with the following message:

[image]

When I revert to version 3.6.7, the build is successful.

CVE-2021-24122 (Medium) detected in tomcat-embed-core-8.5.57.jar

CVE-2021-24122 - Medium Severity Vulnerability

Vulnerable Library - tomcat-embed-core-8.5.57.jar

Core Tomcat implementation

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.57/tomcat-embed-core-8.5.57.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
      • tomcat-embed-core-8.5.57.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Publish Date: 2021-01-14

URL: CVE-2021-24122

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122

Release Date: 2021-01-14

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.107,8.5.60,9.0.40,10.0.0-M10;org.apache.tomcat:tomcat-catalina:7.0.107,8.5.60,9.0.40,10.0.0-M10


Step up your Open Source Security Game with WhiteSource here

WS-2016-7107 (Medium) detected in spring-security-web-4.2.18.RELEASE.jar

WS-2016-7107 - Medium Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.18.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: hygieia-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.18.RELEASE/spring-security-web-4.2.18.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-security-1.5.22.RELEASE.jar (Root Library)
    • spring-security-web-4.2.18.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e837996a29bfa18de6543ca1ff20007320eb612d

Found in base branch: master

Vulnerability Details

CSRF tokens in Spring Security through 5.4.6 are vulnerable to a BREACH attack. Spring Security always returns the same CSRF token to the browser.

Publish Date: 2016-08-02

URL: WS-2016-7107

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.


Step up your Open Source Security Game with WhiteSource here
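Both WS-2020-0293 above (CSRF tokens checked with an equality that exits at the first differing byte) and this WS-2016-7107 report (the same token returned byte-for-byte in every response, which is the fixed secret a BREACH attack needs to recover through compressed response lengths) come down to how a CSRF token is encoded and compared. The Python below is an added example, not code from Hygieia or Spring Security: the session token is masked with a fresh random pad for every response, unmasked on submission and compared with hmac.compare_digest, with the early-exit comparison the first advisory describes kept alongside for contrast. The token length, the helper names and the absence of a real session store are assumptions of the example; the per-response XOR masking is the same idea Spring Security later adopted for its BREACH protection.

```python
import hmac
import secrets
from typing import Optional

TOKEN_BYTES = 32  # assumed token size for the example


def new_csrf_token() -> bytes:
    """Per-session secret kept server side (a real app stores it in the session)."""
    return secrets.token_bytes(TOKEN_BYTES)


def mask_token(token: bytes) -> str:
    """Encode the token for one response as pad || (pad XOR token) with a fresh
    random pad. The same session token therefore appears as different bytes in
    every page, so there is no fixed secret for BREACH to guess byte by byte."""
    pad = secrets.token_bytes(len(token))
    masked = bytes(p ^ t for p, t in zip(pad, token))
    return (pad + masked).hex()


def unmask_token(masked_hex: str, token_len: int = TOKEN_BYTES) -> Optional[bytes]:
    """Recover the token from a submitted masked value; None if malformed."""
    try:
        raw = bytes.fromhex(masked_hex)
    except ValueError:
        return None
    if len(raw) != 2 * token_len:
        return None
    pad, masked = raw[:token_len], raw[token_len:]
    return bytes(p ^ m for p, m in zip(pad, masked))


def naive_equals(a: bytes, b: bytes) -> bool:
    """The weak comparison the first advisory describes: it returns at the
    first differing byte, so response time depends on how long the attacker's
    guess matches, which is measurable over many requests."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def verify_csrf(session_token: bytes, submitted_masked: str) -> bool:
    """Unmask, then compare in constant time. hmac.compare_digest does not
    short-circuit, so timing reveals nothing about where the inputs differ."""
    candidate = unmask_token(submitted_masked)
    if candidate is None:
        return False
    return hmac.compare_digest(session_token, candidate)


if __name__ == "__main__":
    token = new_csrf_token()
    first, second = mask_token(token), mask_token(token)
    print("same token, two responses differ:", first != second)
    print("both verify:", verify_csrf(token, first) and verify_csrf(token, second))
    print("forged value rejected:", not verify_csrf(token, mask_token(new_csrf_token())))
```

Masking does not weaken the token: without the pad, pad XOR token is a one-time pad of the secret, and the pad itself is random per response, so the attacker gains nothing from collecting many responses. The comparison still has to be constant-time after unmasking, otherwise the first weakness returns.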

CVE-2022-23181 (High) detected in tomcat-embed-core-9.0.48.jar

CVE-2022-23181 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-9.0.48.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.48/tomcat-embed-core-9.0.48.jar

Dependency Hierarchy:

  • spring-boot-starter-web-1.5.22.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-1.5.22.RELEASE.jar
      • tomcat-embed-core-9.0.48.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Publish Date: 2022-01-27

URL: CVE-2022-23181

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

Release Date: 2022-01-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.58

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE


Step up your Open Source Security Game with Mend here
