Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

spring-boot-starter-web-3.3.5.jar: 2 vulnerabilities (highest severity is: 9.8) reachable #7

Open
mend-for-jackfan.us.kg bot opened this issue Dec 17, 2024 · 0 comments
Open

spring-boot-starter-web-3.3.5.jar: 2 vulnerabilities (highest severity is: 9.8) reachable #7

mend-for-jackfan.us.kg bot opened this issue Dec 17, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-jackfan.us.kg
Copy link

mend-for-jackfan.us.kg bot commented Dec 17, 2024
edited
Loading

Vulnerable Library - spring-boot-starter-web-3.3.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.31/tomcat-embed-core-10.1.31.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-web version) Remediation Possible** Reachability
CVE-2024-56337 Critical 9.8 tomcat-embed-core-10.1.31.jar Transitive 3.3.7

Reachable
CVE-2024-50379 Critical 9.8 tomcat-embed-core-10.1.31.jar Transitive 3.3.7

Reachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-56337

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.31/tomcat-embed-core-10.1.31.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.owasp.webgoat.lessons.csrf.CSRFFeedback (Application)
  -> org.apache.catalina.filters.RemoteIpFilter$XForwardedRequest (Extension)
   -> org.apache.coyote.http11.upgrade.UpgradeServletInputStream (Extension)
    -> org.apache.catalina.startup.FailedContext (Extension)
     -> org.apache.catalina.valves.ExtendedAccessLogValve (Extension)
      -> ❌ org.apache.catalina.valves.ExtendedAccessLogValve$ResponseAllHeaderElement (Vulnerable Component)

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

  • running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
  • running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
  • running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
    Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.

Publish Date: 2024-12-20

URL: CVE-2024-56337

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-50379

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.31/tomcat-embed-core-10.1.31.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Reachability Analysis

This vulnerability is potentially reachable

org.owasp.webgoat.lessons.csrf.CSRFFeedback (Application)
  -> jakarta.servlet.http.HttpServletRequestWrapper (Extension)
   -> org.apache.catalina.core.ApplicationPushBuilder (Extension)
    -> org.apache.catalina.authenticator.DigestAuthenticator (Extension)
     -> org.apache.catalina.startup.EngineConfig (Extension)
      -> ❌ org.apache.catalina.webresources.DirResourceSet (Vulnerable Component)

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Mend Note: The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.

Publish Date: 2024-12-17

URL: CVE-2024-50379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 17, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-web-3.3.5.jar: 1 vulnerabilities (highest severity is: 9.8) spring-boot-starter-web-3.3.5.jar: 1 vulnerabilities (highest severity is: 9.8) reachable Dec 17, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-web-3.3.5.jar: 1 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-3.3.5.jar: 2 vulnerabilities (highest severity is: 9.8) reachable Dec 21, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-web-3.3.5.jar: 2 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-3.3.5.jar: 3 vulnerabilities (highest severity is: 9.8) reachable Dec 23, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-web-3.3.5.jar: 3 vulnerabilities (highest severity is: 9.8) reachable spring-boot-starter-web-3.3.5.jar: 2 vulnerabilities (highest severity is: 9.8) reachable Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants