mybatis-plus >= 3.5.3.1 but got CVE-2023-25330

[nicliuqi]

IDs

CVE-2023-25330

Description

The content of the pom.xml is

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>3.1.0</version>
                <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>com.easyedit</groupId>
        <artifactId>easyedit</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>easyedit</name>
        <description>Demo project for Spring Boot</description>
        <properties>
                <java.version>17</java.version>
        </properties>
        <dependencies>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-cache</artifactId>
                        <version>3.0.5</version>
                </dependency>

                <dependency>
                        <groupId>net.sf.ehcache</groupId>
                        <artifactId>ehcache</artifactId>
                        <version>2.10.9.2</version>
                </dependency>


                <dependency>
                        <groupId>p6spy</groupId>
                        <artifactId>p6spy</artifactId>
                        <version>3.9.1</version>
                </dependency>

                <dependency>
                        <groupId>mysql</groupId>
                        <artifactId>mysql-connector-java</artifactId>
                        <version>8.0.32</version>
                </dependency>

                <dependency>
                        <groupId>com.baomidou</groupId>
                        <artifactId>mybatis-plus-generator</artifactId>
                        <version>3.5.3.1</version>
                </dependency>


                <dependency>
                        <groupId>com.baomidou</groupId>
                        <artifactId>mybatis-plus-boot-starter</artifactId>
                        <version>3.5.3.1</version>
                </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-freemarker</artifactId>
        </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-web</artifactId>
                </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-devtools</artifactId>
                        <scope>runtime</scope>
                        <optional>true</optional>
                </dependency>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-test</artifactId>
                        <scope>test</scope>
                </dependency>
                <dependency>
            <groupId>com.mashape.unirest</groupId>
            <artifactId>unirest-java</artifactId>
            <version>1.4.9</version>
        </dependency>
        </dependencies>

        <build>
                <plugins>
                        <plugin>
                                <groupId>org.springframework.boot</groupId>
                                <artifactId>spring-boot-maven-plugin</artifactId>
                        </plugin>
                </plugins>
        </build>

        <repositories>
        <repository>
                        <id>aliyunmaven</id>
                        <name>aliyunmaven</name>
                        <url>https://maven.aliyun.com/repository/public</url>
                        <layout>default</layout>
                        <releases>
                                <enabled>true</enabled>
                        </releases>
                        <snapshots>
                                <enabled>true</enabled>
                        </snapshots>
                </repository>
    <repository>
                        <id>central</id>
                        <url>https://maven.aliyun.com/repository/central/</url>
                </repository>
  </repositories>

  <pluginRepositories>
                <pluginRepository>
                        <id>aliyun-plugin</id>
                        <url>https://maven.aliyun.com/repository/public</url>
                        <releases>
                                <enabled>true</enabled>
                        </releases>
                        <snapshots>
                                <enabled>false</enabled>
                        </snapshots>
                </pluginRepository>
        </pluginRepositories>

</project>

After scan the pom.xml, the report is unexpected. There seems to report a CRITICAL vulnerability which number is CVE-2023-25330. The description of it says "A SQL injection vulnerability in Mybatis plus below 3.5.3.1 allows remote attackers to execute arbitrary SQL commands via the tenant ID valuer."

But the 3.5.3.1 version of mybatis-plus should not be matched.

Reproduction Steps

1.download trivy 0.48.0
2.save the pom.xml locally
3.execute command "trivy fs pom.xml"
...

Target

Filesystem

Scanner

Vulnerability

Target OS

Ubuntu 20.04

Debug Output

[root@e2460aab34a7 tmp]# trivy fs pom.xml --debug
2024-01-23T07:17:04.471Z	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-23T07:17:04.472Z	DEBUG	Ignore statuses	{"statuses": null}
2024-01-23T07:17:04.484Z	DEBUG	cache dir:  /root/.cache/trivy
2024-01-23T07:17:04.485Z	DEBUG	DB update was skipped because the local DB is the latest
2024-01-23T07:17:04.485Z	DEBUG	DB Schema: 2, UpdatedAt: 2024-01-23 06:12:07.273577404 +0000 UTC, NextUpdate: 2024-01-23 12:12:07.273577103 +0000 UTC, DownloadedAt: 2024-01-23 06:54:27.393141086 +0000 UTC
2024-01-23T07:17:04.485Z	INFO	Vulnerability scanning is enabled
2024-01-23T07:17:04.485Z	DEBUG	Vulnerability type:  [os library]
2024-01-23T07:17:04.485Z	INFO	Secret scanning is enabled
2024-01-23T07:17:04.485Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-23T07:17:04.485Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-01-23T07:17:04.485Z	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-23T07:17:04.485Z	DEBUG	No secret config detected: trivy-secret.yaml
2024-01-23T07:17:04.485Z	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-01-23T07:17:04.485Z	DEBUG	Walk the file tree rooted at 'easyeditor-server' in parallel
2024-01-23T07:17:04.486Z	DEBUG	Start parent: org.springframework.boot:spring-boot-starter-parent:3.1.0
2024-01-23T07:17:04.537Z	DEBUG	Start parent: org.springframework.boot:spring-boot-dependencies:3.1.0
2024-01-23T07:17:04.552Z	DEBUG	Exit parent: org.springframework.boot:spring-boot-dependencies:3.1.0
2024-01-23T07:17:04.552Z	DEBUG	Exit parent: org.springframework.boot:spring-boot-starter-parent:3.1.0
2024-01-23T07:17:04.554Z	DEBUG	Resolving org.assertj:assertj-bom:3.24.2...
2024-01-23T07:17:04.557Z	DEBUG	Resolving io.zipkin.brave:brave-bom:5.15.1...
2024-01-23T07:17:04.561Z	DEBUG	Resolving com.datastax.oss:java-driver-bom:4.15.0...
2024-01-23T07:17:04.564Z	DEBUG	Resolving io.dropwizard.metrics:metrics-bom:4.2.18...
2024-01-23T07:17:04.567Z	DEBUG	Start parent: io.dropwizard.metrics:metrics-parent:4.2.18
2024-01-23T07:17:04.571Z	DEBUG	Exit parent: io.dropwizard.metrics:metrics-parent:4.2.18
2024-01-23T07:17:04.572Z	DEBUG	Resolving org.glassfish.jaxb:jaxb-bom:4.0.2...
2024-01-23T07:17:04.576Z	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.8
2024-01-23T07:17:04.579Z	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.8
2024-01-23T07:17:04.579Z	DEBUG	Resolving org.apache.groovy:groovy-bom:4.0.12...
2024-01-23T07:17:04.591Z	DEBUG	Resolving org.infinispan:infinispan-bom:14.0.9.Final...
2024-01-23T07:17:04.595Z	DEBUG	Start parent: org.infinispan:infinispan-build-configuration-parent:14.0.9.Final
2024-01-23T07:17:04.598Z	DEBUG	Start parent: org.jboss:jboss-parent:39
2024-01-23T07:17:04.604Z	DEBUG	Exit parent: org.jboss:jboss-parent:39
2024-01-23T07:17:04.604Z	DEBUG	Exit parent: org.infinispan:infinispan-build-configuration-parent:14.0.9.Final
2024-01-23T07:17:04.605Z	DEBUG	Resolving com.fasterxml.jackson:jackson-bom:2.15.0...
2024-01-23T07:17:04.609Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-parent:2.15
2024-01-23T07:17:04.613Z	DEBUG	Start parent: com.fasterxml:oss-parent:50
2024-01-23T07:17:04.617Z	DEBUG	Exit parent: com.fasterxml:oss-parent:50
2024-01-23T07:17:04.617Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-parent:2.15
2024-01-23T07:17:04.618Z	DEBUG	Resolving org.glassfish.jersey:jersey-bom:3.1.1...
2024-01-23T07:17:04.622Z	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.8
2024-01-23T07:17:04.622Z	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.8
2024-01-23T07:17:04.623Z	DEBUG	Resolving org.eclipse.jetty:jetty-bom:11.0.15...
2024-01-23T07:17:04.628Z	DEBUG	Resolving org.junit:junit-bom:5.9.3...
2024-01-23T07:17:04.631Z	DEBUG	Resolving org.jetbrains.kotlin:kotlin-bom:1.8.21...
2024-01-23T07:17:04.644Z	DEBUG	Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.6.4...
2024-01-23T07:17:04.648Z	DEBUG	Resolving org.apache.logging.log4j:log4j-bom:2.20.0...
2024-01-23T07:17:04.651Z	DEBUG	Start parent: org.apache.logging:logging-parent:7
2024-01-23T07:17:04.654Z	DEBUG	Start parent: org.apache:apache:27
2024-01-23T07:17:04.658Z	DEBUG	Exit parent: org.apache:apache:27
2024-01-23T07:17:04.658Z	DEBUG	Exit parent: org.apache.logging:logging-parent:7
2024-01-23T07:17:04.663Z	DEBUG	Resolving io.micrometer:micrometer-bom:1.11.0...
2024-01-23T07:17:04.673Z	DEBUG	Resolving io.micrometer:micrometer-tracing-bom:1.1.1...
2024-01-23T07:17:04.677Z	DEBUG	Resolving org.mockito:mockito-bom:5.3.1...
2024-01-23T07:17:04.681Z	DEBUG	Resolving io.netty:netty-bom:4.1.92.Final...
2024-01-23T07:17:04.684Z	DEBUG	Start parent: org.sonatype.oss:oss-parent:7
2024-01-23T07:17:04.687Z	DEBUG	Exit parent: org.sonatype.oss:oss-parent:7
2024-01-23T07:17:04.688Z	DEBUG	Resolving com.squareup.okhttp3:okhttp-bom:4.10.0...
2024-01-23T07:17:04.692Z	DEBUG	Resolving io.opentelemetry:opentelemetry-bom:1.25.0...
2024-01-23T07:17:04.695Z	DEBUG	Resolving com.oracle.database.jdbc:ojdbc-bom:21.9.0.0...
2024-01-23T07:17:04.699Z	DEBUG	Resolving io.prometheus:simpleclient_bom:0.16.0...
2024-01-23T07:17:04.702Z	DEBUG	Start parent: io.prometheus:parent:0.16.0
2024-01-23T07:17:04.705Z	DEBUG	Exit parent: io.prometheus:parent:0.16.0
2024-01-23T07:17:04.706Z	DEBUG	Resolving com.querydsl:querydsl-bom:5.0.0...
2024-01-23T07:17:04.710Z	DEBUG	Resolving io.projectreactor:reactor-bom:2022.0.7...
2024-01-23T07:17:04.715Z	DEBUG	Resolving io.rest-assured:rest-assured-bom:5.3.0...
2024-01-23T07:17:04.722Z	DEBUG	Resolving io.rsocket:rsocket-bom:1.1.3...
2024-01-23T07:17:04.726Z	DEBUG	Resolving org.springframework.batch:spring-batch-bom:5.0.2...
2024-01-23T07:17:04.729Z	DEBUG	Resolving org.springframework.data:spring-data-bom:2023.0.0...
2024-01-23T07:17:04.735Z	DEBUG	Resolving org.springframework:spring-framework-bom:6.0.9...
2024-01-23T07:17:04.740Z	DEBUG	Resolving org.springframework.integration:spring-integration-bom:6.1.0...
2024-01-23T07:17:04.754Z	DEBUG	Resolving org.springframework.restdocs:spring-restdocs-bom:3.0.0...
2024-01-23T07:17:04.758Z	DEBUG	Resolving org.springframework.security:spring-security-bom:6.1.0...
2024-01-23T07:17:04.763Z	DEBUG	Resolving org.springframework.session:spring-session-bom:3.1.0...
2024-01-23T07:17:04.768Z	DEBUG	Resolving org.springframework.ws:spring-ws-bom:4.0.4...
2024-01-23T07:17:04.771Z	DEBUG	Resolving org.testcontainers:testcontainers-bom:1.18.0...
2024-01-23T07:17:04.806Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-cache:3.0.5...
2024-01-23T07:17:04.813Z	DEBUG	Resolving net.sf.ehcache:ehcache:2.10.9.2...
2024-01-23T07:17:04.818Z	DEBUG	Start parent: net.sf.ehcache:ehcache-root:2.10.9.2
2024-01-23T07:17:04.821Z	DEBUG	Start parent: net.sf.ehcache:ehcache-parent:2.25
2024-01-23T07:17:04.857Z	DEBUG	Exit parent: net.sf.ehcache:ehcache-parent:2.25
2024-01-23T07:17:04.857Z	DEBUG	Exit parent: net.sf.ehcache:ehcache-root:2.10.9.2
2024-01-23T07:17:04.857Z	DEBUG	Resolving p6spy:p6spy:3.9.1...
2024-01-23T07:17:04.860Z	DEBUG	Resolving mysql:mysql-connector-java:8.0.32...
2024-01-23T07:17:04.864Z	DEBUG	Resolving com.baomidou:mybatis-plus-generator:3.5.3.1...
2024-01-23T07:17:04.869Z	DEBUG	Resolving com.baomidou:mybatis-plus-boot-starter:3.5.3.1...
2024-01-23T07:17:04.872Z	DEBUG	Resolving org.springframework.boot:spring-boot-dependencies:2.5.3...
2024-01-23T07:17:04.884Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-freemarker:3.1.0...
2024-01-23T07:17:04.890Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-web:3.1.0...
2024-01-23T07:17:04.895Z	DEBUG	Resolving com.mashape.unirest:unirest-java:1.4.9...
2024-01-23T07:17:04.898Z	DEBUG	Start parent: org.sonatype.oss:oss-parent:7
2024-01-23T07:17:04.898Z	DEBUG	Exit parent: org.sonatype.oss:oss-parent:7
2024-01-23T07:17:04.900Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter:3.1.0...
2024-01-23T07:17:04.906Z	DEBUG	Resolving org.springframework:spring-context-support:6.0.9...
2024-01-23T07:17:04.911Z	DEBUG	Resolving org.slf4j:slf4j-api:2.0.7...
2024-01-23T07:17:04.914Z	DEBUG	Start parent: org.slf4j:slf4j-parent:2.0.7
2024-01-23T07:17:04.922Z	DEBUG	Exit parent: org.slf4j:slf4j-parent:2.0.7
2024-01-23T07:17:04.922Z	DEBUG	Resolving com.baomidou:mybatis-plus:3.5.3.1...
2024-01-23T07:17:04.925Z	DEBUG	Resolving org.springframework.boot:spring-boot-autoconfigure:3.1.0...
2024-01-23T07:17:11.103Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-jdbc:3.1.0...
2024-01-23T07:17:11.108Z	DEBUG	Resolving org.freemarker:freemarker:2.3.32...
2024-01-23T07:17:11.112Z	DEBUG	Start parent: org.apache:apache:17
2024-01-23T07:17:11.115Z	DEBUG	Exit parent: org.apache:apache:17
2024-01-23T07:17:11.115Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-json:3.1.0...
2024-01-23T07:17:11.120Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-tomcat:3.1.0...
2024-01-23T07:17:11.124Z	DEBUG	Resolving org.springframework:spring-web:6.0.9...
2024-01-23T07:17:11.129Z	DEBUG	Resolving org.springframework:spring-webmvc:6.0.9...
2024-01-23T07:17:11.134Z	DEBUG	Resolving org.apache.httpcomponents:httpclient:4.5.2...
2024-01-23T07:17:11.137Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-client:4.5.2
2024-01-23T07:17:11.141Z	DEBUG	Start parent: org.apache.httpcomponents:project:7
2024-01-23T07:17:11.145Z	DEBUG	Start parent: org.apache:apache:13
2024-01-23T07:17:11.148Z	DEBUG	Exit parent: org.apache:apache:13
2024-01-23T07:17:11.148Z	DEBUG	Exit parent: org.apache.httpcomponents:project:7
2024-01-23T07:17:11.148Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-client:4.5.2
2024-01-23T07:17:11.149Z	DEBUG	Resolving org.apache.httpcomponents:httpasyncclient:4.1.5...
2024-01-23T07:17:11.152Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-asyncclient:4.1.5
2024-01-23T07:17:11.155Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-parent:11
2024-01-23T07:17:11.161Z	DEBUG	Start parent: org.apache:apache:21
2024-01-23T07:17:11.165Z	DEBUG	Exit parent: org.apache:apache:21
2024-01-23T07:17:11.165Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-parent:11
2024-01-23T07:17:11.165Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-asyncclient:4.1.5
2024-01-23T07:17:11.166Z	DEBUG	Resolving org.apache.httpcomponents:httpmime:4.5.2...
2024-01-23T07:17:11.170Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-client:4.5.2
2024-01-23T07:17:11.170Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-client:4.5.2
2024-01-23T07:17:11.170Z	DEBUG	Resolving org.json:json:20160212...
2024-01-23T07:17:11.173Z	DEBUG	Start parent: org.sonatype.oss:oss-parent:9
2024-01-23T07:17:11.178Z	DEBUG	Exit parent: org.sonatype.oss:oss-parent:9
2024-01-23T07:17:11.179Z	DEBUG	Resolving org.springframework.boot:spring-boot:3.1.0...
2024-01-23T07:17:11.186Z	DEBUG	Resolving org.springframework.boot:spring-boot-starter-logging:3.1.0...
2024-01-23T07:17:11.190Z	DEBUG	Resolving jakarta.annotation:jakarta.annotation-api:2.1.1...
2024-01-23T07:17:11.194Z	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.7
2024-01-23T07:17:11.197Z	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.7
2024-01-23T07:17:11.197Z	DEBUG	Resolving org.springframework:spring-core:6.0.9...
2024-01-23T07:17:12.753Z	DEBUG	Resolving org.yaml:snakeyaml:1.33...
2024-01-23T07:17:12.758Z	DEBUG	Resolving org.springframework:spring-beans:6.0.9...
2024-01-23T07:17:13.545Z	DEBUG	Resolving org.springframework:spring-context:6.0.9...
2024-01-23T07:17:13.550Z	DEBUG	Resolving com.baomidou:mybatis-plus-extension:3.5.3.1...
2024-01-23T07:17:13.556Z	DEBUG	Resolving com.zaxxer:HikariCP:5.0.1...
2024-01-23T07:17:13.560Z	DEBUG	Start parent: org.sonatype.oss:oss-parent:9
2024-01-23T07:17:13.560Z	DEBUG	Exit parent: org.sonatype.oss:oss-parent:9
2024-01-23T07:17:13.565Z	DEBUG	Resolving org.springframework:spring-jdbc:6.0.9...
2024-01-23T07:17:13.574Z	DEBUG	Resolving com.fasterxml.jackson.core:jackson-databind:2.15.0...
2024-01-23T07:17:13.578Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-base:2.15.0
2024-01-23T07:17:13.581Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-bom:2.15.0
2024-01-23T07:17:13.581Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-bom:2.15.0
2024-01-23T07:17:13.581Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-base:2.15.0
2024-01-23T07:17:13.584Z	DEBUG	Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.15.0...
2024-01-23T07:17:13.593Z	DEBUG	Start parent: com.fasterxml.jackson.module:jackson-modules-java8:2.15.0
2024-01-23T07:17:13.597Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-base:2.15.0
2024-01-23T07:17:13.597Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-base:2.15.0
2024-01-23T07:17:13.597Z	DEBUG	Exit parent: com.fasterxml.jackson.module:jackson-modules-java8:2.15.0
2024-01-23T07:17:13.598Z	DEBUG	Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0...
2024-01-23T07:17:13.602Z	DEBUG	Start parent: com.fasterxml.jackson.module:jackson-modules-java8:2.15.0
2024-01-23T07:17:13.602Z	DEBUG	Exit parent: com.fasterxml.jackson.module:jackson-modules-java8:2.15.0
2024-01-23T07:17:13.603Z	DEBUG	Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.15.0...
2024-01-23T07:17:13.608Z	DEBUG	Start parent: com.fasterxml.jackson.module:jackson-modules-java8:2.15.0
2024-01-23T07:17:13.608Z	DEBUG	Exit parent: com.fasterxml.jackson.module:jackson-modules-java8:2.15.0
2024-01-23T07:17:13.609Z	DEBUG	Resolving org.apache.tomcat.embed:tomcat-embed-core:10.1.8...
2024-01-23T07:17:13.612Z	DEBUG	Resolving org.apache.tomcat.embed:tomcat-embed-el:10.1.8...
2024-01-23T07:17:13.614Z	DEBUG	Resolving org.apache.tomcat.embed:tomcat-embed-websocket:10.1.8...
2024-01-23T07:17:13.620Z	DEBUG	Resolving io.micrometer:micrometer-observation:1.11.0...
2024-01-23T07:17:13.629Z	DEBUG	Resolving org.springframework:spring-aop:6.0.9...
2024-01-23T07:17:13.632Z	DEBUG	Resolving org.springframework:spring-expression:6.0.9...
2024-01-23T07:17:13.637Z	DEBUG	Resolving org.apache.httpcomponents:httpcore:4.4.16...
2024-01-23T07:17:13.640Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-core:4.4.16
2024-01-23T07:17:13.644Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-parent:11
2024-01-23T07:17:13.644Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-parent:11
2024-01-23T07:17:13.644Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-core:4.4.16
2024-01-23T07:17:13.645Z	DEBUG	Resolving commons-codec:commons-codec:1.15...
2024-01-23T07:17:13.649Z	DEBUG	Start parent: org.apache.commons:commons-parent:52
2024-01-23T07:17:13.656Z	DEBUG	Start parent: org.apache:apache:23
2024-01-23T07:17:13.659Z	DEBUG	Exit parent: org.apache:apache:23
2024-01-23T07:17:13.660Z	DEBUG	Exit parent: org.apache.commons:commons-parent:52
2024-01-23T07:17:13.660Z	DEBUG	Resolving org.apache.httpcomponents:httpcore-nio:4.4.16...
2024-01-23T07:17:13.663Z	DEBUG	Start parent: org.apache.httpcomponents:httpcomponents-core:4.4.16
2024-01-23T07:17:13.663Z	DEBUG	Exit parent: org.apache.httpcomponents:httpcomponents-core:4.4.16
2024-01-23T07:17:13.664Z	DEBUG	Resolving ch.qos.logback:logback-classic:1.4.7...
2024-01-23T07:17:13.671Z	DEBUG	Start parent: ch.qos.logback:logback-parent:1.4.7
2024-01-23T07:17:13.675Z	DEBUG	Exit parent: ch.qos.logback:logback-parent:1.4.7
2024-01-23T07:17:13.677Z	DEBUG	Resolving org.apache.logging.log4j:log4j-to-slf4j:2.20.0...
2024-01-23T07:17:13.680Z	DEBUG	Start parent: org.apache.logging.log4j:log4j:2.20.0
2024-01-23T07:17:13.688Z	DEBUG	Start parent: org.apache.logging:logging-parent:7
2024-01-23T07:17:13.688Z	DEBUG	Exit parent: org.apache.logging:logging-parent:7
2024-01-23T07:17:13.688Z	DEBUG	Exit parent: org.apache.logging.log4j:log4j:2.20.0
2024-01-23T07:17:13.689Z	DEBUG	Resolving org.codehaus.groovy:groovy-bom:3.0.14...
2024-01-23T07:17:13.693Z	DEBUG	Resolving com.fasterxml.jackson:jackson-bom:2.14.1...
2024-01-23T07:17:13.697Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-parent:2.14
2024-01-23T07:17:13.700Z	DEBUG	Start parent: com.fasterxml:oss-parent:48
2024-01-23T07:17:13.704Z	DEBUG	Exit parent: com.fasterxml:oss-parent:48
2024-01-23T07:17:13.704Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-parent:2.14
2024-01-23T07:17:13.705Z	DEBUG	Resolving jakarta.platform:jakarta.jakartaee-bom:9.0.0...
2024-01-23T07:17:13.708Z	DEBUG	Start parent: jakarta.platform:jakartaee-api-parent:9.0.0
2024-01-23T07:17:13.711Z	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.6
2024-01-23T07:17:13.715Z	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.6
2024-01-23T07:17:13.715Z	DEBUG	Exit parent: jakarta.platform:jakartaee-api-parent:9.0.0
2024-01-23T07:17:13.715Z	DEBUG	Resolving org.eclipse.jetty:jetty-bom:9.4.50.v20221201...
2024-01-23T07:17:13.720Z	DEBUG	Resolving org.junit:junit-bom:5.9.1...
2024-01-23T07:17:13.724Z	DEBUG	Resolving io.fabric8:kubernetes-client-bom:5.12.2...
2024-01-23T07:17:13.737Z	DEBUG	Resolving io.netty:netty-bom:4.1.86.Final...
2024-01-23T07:17:13.741Z	DEBUG	Start parent: org.sonatype.oss:oss-parent:7
2024-01-23T07:17:13.741Z	DEBUG	Exit parent: org.sonatype.oss:oss-parent:7
2024-01-23T07:17:13.741Z	DEBUG	Resolving org.springframework:spring-framework-bom:5.3.24...
2024-01-23T07:17:13.746Z	DEBUG	Resolving org.slf4j:jul-to-slf4j:2.0.7...
2024-01-23T07:17:13.749Z	DEBUG	Start parent: org.slf4j:slf4j-parent:2.0.7
2024-01-23T07:17:13.749Z	DEBUG	Exit parent: org.slf4j:slf4j-parent:2.0.7
2024-01-23T07:17:13.749Z	DEBUG	Resolving org.springframework:spring-jcl:6.0.9...
2024-01-23T07:17:13.760Z	DEBUG	Resolving com.baomidou:mybatis-plus-core:3.5.3.1...
2024-01-23T07:17:13.766Z	DEBUG	Resolving org.mybatis:mybatis-spring:2.0.7...
2024-01-23T07:17:13.770Z	DEBUG	Start parent: org.mybatis:mybatis-parent:33
2024-01-23T07:17:13.774Z	DEBUG	Exit parent: org.mybatis:mybatis-parent:33
2024-01-23T07:17:13.779Z	DEBUG	Resolving org.springframework:spring-tx:6.0.9...
2024-01-23T07:17:13.787Z	DEBUG	Resolving com.fasterxml.jackson.core:jackson-annotations:2.15.0...
2024-01-23T07:17:13.790Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-parent:2.15
2024-01-23T07:17:13.790Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-parent:2.15
2024-01-23T07:17:13.790Z	DEBUG	Resolving com.fasterxml.jackson.core:jackson-core:2.15.0...
2024-01-23T07:17:13.795Z	DEBUG	Start parent: com.fasterxml.jackson:jackson-base:2.15.0
2024-01-23T07:17:13.795Z	DEBUG	Exit parent: com.fasterxml.jackson:jackson-base:2.15.0
2024-01-23T07:17:13.795Z	DEBUG	Resolving io.micrometer:micrometer-commons:1.11.0...
2024-01-23T07:17:13.800Z	DEBUG	Resolving ch.qos.logback:logback-core:1.4.7...
2024-01-23T07:17:13.803Z	DEBUG	Start parent: ch.qos.logback:logback-parent:1.4.7
2024-01-23T07:17:13.803Z	DEBUG	Exit parent: ch.qos.logback:logback-parent:1.4.7
2024-01-23T07:17:13.804Z	DEBUG	Resolving org.apache.logging.log4j:log4j-api:2.20.0...
2024-01-23T07:17:13.808Z	DEBUG	Start parent: org.apache.logging.log4j:log4j:2.20.0
2024-01-23T07:17:13.808Z	DEBUG	Exit parent: org.apache.logging.log4j:log4j:2.20.0
2024-01-23T07:17:13.813Z	DEBUG	Resolving com.baomidou:mybatis-plus-annotation:3.5.3.1...
2024-01-23T07:17:13.818Z	DEBUG	Resolving com.github.jsqlparser:jsqlparser:4.4...
2024-01-23T07:17:13.825Z	DEBUG	Resolving org.mybatis:mybatis:3.5.10...
2024-01-23T07:17:13.830Z	DEBUG	Start parent: org.mybatis:mybatis-parent:34
2024-01-23T07:17:13.835Z	DEBUG	Exit parent: org.mybatis:mybatis-parent:34
2024-01-23T07:17:13.845Z	DEBUG	OS is not detected.
2024-01-23T07:17:13.845Z	DEBUG	Detected OS: unknown
2024-01-23T07:17:13.845Z	INFO	Number of language-specific files: 1
2024-01-23T07:17:13.845Z	INFO	Detecting pom vulnerabilities...
2024-01-23T07:17:13.845Z	DEBUG	Detecting library vulnerabilities, type: pom, path: pom.xml

pom.xml (pom)

Total: 14 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 7, CRITICAL: 1)

┌───────────────────────────────────────────┬────────────────┬──────────┬──────────┬───────────────────┬─────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                  Library                  │ Vulnerability  │ Severity │  Status  │ Installed Version │            Fixed Version            │                            Title                             │
├───────────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-classic            │ CVE-2023-6378  │ HIGH     │ fixed    │ 1.4.7             │ 1.3.12, 1.4.12, 1.2.13              │ logback: serialization vulnerability in logback receiver     │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-6378                    │
├───────────────────────────────────────────┤                │          │          │                   │                                     │                                                              │
│ ch.qos.logback:logback-core               │                │          │          │                   │                                     │                                                              │
│                                           │                │          │          │                   │                                     │                                                              │
├───────────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.baomidou:mybatis-plus                 │ CVE-2023-25330 │ CRITICAL │ affected │ 3.5.3.1           │                                     │ MyBatis-Plus vulnerable to SQL injection via TenantPlugin    │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-25330                   │
├───────────────────────────────────────────┼────────────────┼──────────┼──────────┼───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.httpcomponents:httpclient      │ CVE-2020-13956 │ MEDIUM   │ fixed    │ 4.5.2             │ 4.5.13, 5.0.3                       │ incorrect handling of malformed authority component in       │
│                                           │                │          │          │                   │                                     │ request URIs                                                 │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2020-13956                   │
├───────────────────────────────────────────┼────────────────┼──────────┤          ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-core │ CVE-2023-46589 │ HIGH     │          │ 10.1.8            │ 11.0.0-M11, 10.1.16, 9.0.83, 8.5.96 │ tomcat: HTTP request smuggling via malformed trailer headers │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-46589                   │
│                                           ├────────────────┼──────────┤          │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                           │ CVE-2023-41080 │ MEDIUM   │          │                   │ 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 │ tomcat: Open Redirect vulnerability in FORM authentication   │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-41080                   │
│                                           ├────────────────┤          │          │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                           │ CVE-2023-42795 │          │          │                   │ 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94 │ tomcat: improper cleaning of recycled objects could lead to  │
│                                           │                │          │          │                   │                                     │ information leak                                             │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-42795                   │
│                                           ├────────────────┤          │          │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                           │ CVE-2023-44487 │          │          │                   │                                     │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                                           │                │          │          │                   │                                     │ to a DDoS attack...                                          │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
│                                           ├────────────────┤          │          │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                           │ CVE-2023-45648 │          │          │                   │                                     │ tomcat: incorrectly parsed http trailer headers can cause    │
│                                           │                │          │          │                   │                                     │ request smuggling                                            │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-45648                   │
├───────────────────────────────────────────┼────────────────┼──────────┤          ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.json:json                             │ CVE-2022-45688 │ HIGH     │          │ 20160212          │ 20230227                            │ json stack overflow vulnerability                            │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-45688                   │
│                                           ├────────────────┤          │          │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                           │ CVE-2023-5072  │          │          │                   │ 20231013                            │ JSON-java: parser confusion leads to OOM                     │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-5072                    │
├───────────────────────────────────────────┼────────────────┼──────────┤          ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot      │ CVE-2023-34055 │ MEDIUM   │          │ 3.1.0             │ 2.7.18, 3.0.13, 3.1.6               │ spring-boot: org.springframework.boot:spring-boot-actuator   │
│                                           │                │          │          │                   │                                     │ class vulnerable to denial of service                        │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-34055                   │
├───────────────────────────────────────────┼────────────────┼──────────┤          ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc         │ CVE-2023-34053 │ HIGH     │          │ 6.0.9             │ 6.0.14                              │ springframework: io.micrometer:micrometer-core classpath     │
│                                           │                │          │          │                   │                                     │ vulnerable to denial of service                              │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-34053                   │
├───────────────────────────────────────────┼────────────────┤          │          ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml                        │ CVE-2022-1471  │          │          │ 1.33              │ 2.0                                 │ SnakeYaml: Constructor Deserialization Remote Code Execution │
│                                           │                │          │          │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
└───────────────────────────────────────────┴────────────────┴──────────┴──────────┴───────────────────┴─────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Version

0.48.0

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Duplicate of #5985