Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

spring-boot-starter-test-3.0.2.jar: 10 vulnerabilities (highest severity is: 8.3) #17

Open
mend-for-jackfan.us.kg bot opened this issue Nov 15, 2023 · 0 comments
Open

spring-boot-starter-test-3.0.2.jar: 10 vulnerabilities (highest severity is: 8.3) #17

mend-for-jackfan.us.kg bot opened this issue Nov 15, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-jackfan.us.kg
Copy link

mend-for-jackfan.us.kg bot commented Nov 15, 2023
edited
Loading

Vulnerable Library - spring-boot-starter-test-3.0.2.jar

Path to dependency file: /spring-cloud-alibaba-tests/spring-cloud-alibaba-test-support/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-test version) Remediation Possible** Reachability
CVE-2022-1471 High 8.3 snakeyaml-1.33.jar Transitive 3.2.0
CVE-2023-1370 High 7.5 json-smart-2.4.8.jar Transitive 3.1.0
CVE-2023-6378 High 7.1 logback-classic-1.4.5.jar Transitive 3.0.7
CVE-2024-12798 Medium 6.6 detected in multiple dependencies Transitive 3.0.7
CVE-2023-20863 Medium 6.5 spring-expression-6.0.4.jar Transitive 3.0.7
CVE-2023-20861 Medium 6.5 spring-expression-6.0.4.jar Transitive 3.0.5
CVE-2024-31573 Medium 5.6 xmlunit-core-2.9.1.jar Transitive N/A*
CVE-2023-51074 Medium 5.3 json-path-2.7.0.jar Transitive 3.1.9
CVE-2024-12801 Medium 4.4 logback-core-1.4.5.jar Transitive 3.0.7
CVE-2024-38820 Low 3.1 spring-context-6.0.4.jar Transitive 3.2.11

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (9 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-1471

Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /spring-cloud-alibaba-tests/nacos-tests/nacos-discovery-test/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar,/home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.33/snakeyaml-1.33.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • snakeyaml-1.33.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (8.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.2.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-1370

Vulnerable Library - json-smart-2.4.8.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: https://urielch.github.io/

Path to dependency file: /spring-cloud-alibaba-tests/spring-cloud-alibaba-test-support/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.4.8/json-smart-2.4.8.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • json-path-2.7.0.jar
      • json-smart-2.4.8.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

Json-smart is a performance focused, JSON processor lib.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Publish Date: 2023-03-13

URL: CVE-2023-1370

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-13

Fix Resolution (net.minidev:json-smart): 2.4.9

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-6378

Vulnerable Library - logback-classic-1.4.5.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /spring-cloud-alibaba-examples/sentinel-example/sentinel-resttemplate-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • spring-boot-starter-logging-3.0.2.jar
        • logback-classic-1.4.5.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution (ch.qos.logback:logback-classic): 1.4.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.0.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-12798

Vulnerable Libraries - logback-classic-1.4.5.jar, logback-core-1.4.5.jar

logback-classic-1.4.5.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /spring-cloud-alibaba-examples/sentinel-example/sentinel-resttemplate-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.4.5/logback-classic-1.4.5.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • spring-boot-starter-logging-3.0.2.jar
        • logback-classic-1.4.5.jar (Vulnerable Library)

logback-core-1.4.5.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /spring-cloud-alibaba-examples/integrated-example/integrated-storage/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • spring-boot-starter-logging-3.0.2.jar
        • logback-classic-1.4.5.jar
          • logback-core-1.4.5.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.

Publish Date: 2024-12-19

URL: CVE-2024-12798

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pr98-23f8-jwxv

Release Date: 2024-12-19

Fix Resolution (ch.qos.logback:logback-classic): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.0.7

Fix Resolution (ch.qos.logback:logback-core): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.0.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-20863

Vulnerable Library - spring-expression-6.0.4.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /spring-cloud-alibaba-examples/rocketmq-example/rocketmq-broadcast-example/rocketmq-broadcast-consumer1-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • spring-boot-3.0.2.jar
        • spring-context-6.0.4.jar
          • spring-expression-6.0.4.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 6.0.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.0.7

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-20861

Vulnerable Library - spring-expression-6.0.4.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /spring-cloud-alibaba-examples/rocketmq-example/rocketmq-broadcast-example/rocketmq-broadcast-consumer1-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/6.0.4/spring-expression-6.0.4.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • spring-boot-3.0.2.jar
        • spring-context-6.0.4.jar
          • spring-expression-6.0.4.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 6.0.7

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.0.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-31573

Vulnerable Library - xmlunit-core-2.9.1.jar

XMLUnit for Java

Library home page: https://www.xmlunit.org/

Path to dependency file: /spring-cloud-alibaba-tests/spring-cloud-alibaba-test-support/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xmlunit/xmlunit-core/2.9.1/xmlunit-core-2.9.1.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • xmlunit-core-2.9.1.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

When performing XSLT transformations XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Publish Date: 2024-12-05

URL: CVE-2024-31573

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-chfm-68vv-pvw5

Release Date: 2024-12-05

Fix Resolution: org.xmlunit:xmlunit-core:2.10.0

CVE-2023-51074

Vulnerable Library - json-path-2.7.0.jar

Java port of Stefan Goessner JsonPath.

Library home page: https://github.com/

Path to dependency file: /spring-cloud-alibaba-tests/spring-cloud-alibaba-test-support/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/jayway/jsonpath/json-path/2.7.0/json-path-2.7.0.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • json-path-2.7.0.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51074

Release Date: 2023-12-27

Fix Resolution (com.jayway.jsonpath:json-path): 2.9.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.1.9

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-12801

Vulnerable Library - logback-core-1.4.5.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /spring-cloud-alibaba-examples/integrated-example/integrated-storage/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.4.5/logback-core-1.4.5.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.0.2.jar (Root Library)
    • spring-boot-starter-3.0.2.jar
      • spring-boot-starter-logging-3.0.2.jar
        • logback-classic-1.4.5.jar
          • logback-core-1.4.5.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in  XML configuration files.

Publish Date: 2024-12-19

URL: CVE-2024-12801

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6v67-2wr5-gvf4

Release Date: 2024-12-19

Fix Resolution (ch.qos.logback:logback-core): 1.5.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.0.7

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Nov 15, 2023
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-test-3.0.2.jar: 1 vulnerabilities (highest severity is: 7.5) spring-boot-starter-test-3.0.2.jar: 2 vulnerabilities (highest severity is: 7.5) Dec 28, 2023
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-test-3.0.2.jar: 2 vulnerabilities (highest severity is: 7.5) spring-boot-starter-test-3.0.2.jar: 2 vulnerabilities (highest severity is: 7.5) reachable Jan 4, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-test-3.0.2.jar: 2 vulnerabilities (highest severity is: 7.5) reachable spring-boot-starter-test-3.0.2.jar: 3 vulnerabilities (highest severity is: 7.5) reachable May 8, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-test-3.0.2.jar: 3 vulnerabilities (highest severity is: 7.5) reachable spring-boot-starter-test-3.0.2.jar: 3 vulnerabilities (highest severity is: 7.5) Oct 1, 2024
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-boot-starter-test-3.0.2.jar: 3 vulnerabilities (highest severity is: 7.5) spring-boot-starter-test-3.0.2.jar: 10 vulnerabilities (highest severity is: 8.3) Feb 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants