You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.1.11/9ec4c2a5e28bf7b2d60e254e976940b12c8ba32a/spring-webmvc-6.1.11.jar
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
This is similar to CVE-2024-38816, but with different input.
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.1.11/9ec4c2a5e28bf7b2d60e254e976940b12c8ba32a/spring-webmvc-6.1.11.jar
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
the web application uses RouterFunctions to serve static resources
resource handling is explicitly configured with a FileSystemResource location
However, malicious requests are blocked and rejected when any of the following is true:
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.
This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
mend-bolt-for-githubbot
changed the title
spring-boot-starter-web-3.3.2.jar: 1 vulnerabilities (highest severity is: 6.5)
spring-boot-starter-web-3.3.2.jar: 2 vulnerabilities (highest severity is: 7.5)
Sep 17, 2024
mend-bolt-for-githubbot
changed the title
spring-boot-starter-web-3.3.2.jar: 2 vulnerabilities (highest severity is: 7.5)
spring-boot-starter-web-3.3.2.jar: 3 vulnerabilities (highest severity is: 7.5)
Oct 20, 2024
mend-bolt-for-githubbot
changed the title
spring-boot-starter-web-3.3.2.jar: 3 vulnerabilities (highest severity is: 7.5)
spring-boot-starter-web-3.3.2.jar: 2 vulnerabilities (highest severity is: 7.5)
Oct 26, 2024
mend-bolt-for-githubbot
changed the title
spring-boot-starter-web-3.3.2.jar: 2 vulnerabilities (highest severity is: 7.5)
spring-boot-starter-web-3.3.2.jar: 4 vulnerabilities (highest severity is: 7.5)
Nov 18, 2024
mend-bolt-for-githubbot
changed the title
spring-boot-starter-web-3.3.2.jar: 4 vulnerabilities (highest severity is: 7.5)
spring-boot-starter-web-3.3.2.jar: 4 vulnerabilities (highest severity is: 9.8)
Nov 20, 2024
mend-bolt-for-githubbot
changed the title
spring-boot-starter-web-3.3.2.jar: 4 vulnerabilities (highest severity is: 9.8)
spring-boot-starter-web-3.3.2.jar: 5 vulnerabilities (highest severity is: 9.8)
Dec 17, 2024
Vulnerable Library - spring-boot-starter-web-3.3.2.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-52316
Vulnerable Library - tomcat-embed-core-10.1.26.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Dependency Hierarchy:
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Found in base branch: main
Vulnerability Details
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52316
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5
Step up your Open Source Security Game with Mend here
CVE-2024-50379
Vulnerable Library - tomcat-embed-core-10.1.26.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Dependency Hierarchy:
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Found in base branch: main
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue.
Publish Date: 2024-12-17
URL: CVE-2024-50379
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-17
Fix Resolution: org.apache.tomcat:tomcat-catalina:9.0.98,10.1.34,11.0.2, org.apache.tomcat.embed:tomcat-embed-core:9.0.98,10.1.34,11.0.2
Step up your Open Source Security Game with Mend here
CVE-2024-38819
Vulnerable Library - spring-webmvc-6.1.11.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.1.11/9ec4c2a5e28bf7b2d60e254e976940b12c8ba32a/spring-webmvc-6.1.11.jar
Dependency Hierarchy:
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Found in base branch: main
Vulnerability Details
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
This is similar to CVE-2024-38816, but with different input.
Publish Date: 2024-06-20
URL: CVE-2024-38819
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38819
Release Date: 2024-06-20
Fix Resolution (org.springframework:spring-webmvc): 6.1.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5
Step up your Open Source Security Game with Mend here
CVE-2024-38816
Vulnerable Library - spring-webmvc-6.1.11.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/6.1.11/9ec4c2a5e28bf7b2d60e254e976940b12c8ba32a/spring-webmvc-6.1.11.jar
Dependency Hierarchy:
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Found in base branch: main
Vulnerability Details
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
However, malicious requests are blocked and rejected when any of the following is true:
Publish Date: 2024-09-13
URL: CVE-2024-38816
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-38816
Release Date: 2024-09-13
Fix Resolution (org.springframework:spring-webmvc): 6.1.13
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.4
Step up your Open Source Security Game with Mend here
CVE-2024-52317
Vulnerable Library - tomcat-embed-core-10.1.26.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.26/5e0fa06ca373ef0ca55e603291ea51b590c377ea/tomcat-embed-core-10.1.26.jar
Dependency Hierarchy:
Found in HEAD commit: ec97c69a2b236b5bcf79b627e46e1d42617fc207
Found in base branch: main
Vulnerability Details
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.
This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.
Publish Date: 2024-11-18
URL: CVE-2024-52317
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.5
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: