Title history (changed by the mend-bolt-for-github bot):
Nov 29, 2023: "spring-boot-starter-data-elasticsearch-3.1.1.jar: 1 vulnerabilities (highest severity is: 5.9)" changed to "spring-boot-starter-data-elasticsearch-3.1.1.jar: 2 vulnerabilities (highest severity is: 7.5)"
Feb 29, 2024: "spring-boot-starter-data-elasticsearch-3.1.1.jar: 2 vulnerabilities (highest severity is: 7.5)" changed to "spring-boot-starter-data-elasticsearch-3.1.1.jar: 3 vulnerabilities (highest severity is: 8.1)"
Mar 29, 2024: "spring-boot-starter-data-elasticsearch-3.1.1.jar: 3 vulnerabilities (highest severity is: 8.1)" changed to "spring-boot-starter-data-elasticsearch-3.1.1.jar: 4 vulnerabilities (highest severity is: 8.1)"
Jun 24, 2024: "spring-boot-starter-data-elasticsearch-3.1.1.jar: 4 vulnerabilities (highest severity is: 8.1)" changed to "spring-boot-starter-data-elasticsearch-3.1.1.jar: 5 vulnerabilities (highest severity is: 8.1)"
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.7/spring-web-6.0.7.jar
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - spring-web-6.0.7.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.7/spring-web-6.0.7.jar
Dependency Hierarchy:
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 (https://spring.io/security/cve-2024-22259) and CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Publish Date: 2024-04-16
URL: CVE-2024-22262
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22262
Release Date: 2024-04-16
Fix Resolution (org.springframework:spring-web): 6.0.19
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-elasticsearch): 3.1.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - spring-web-6.0.7.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.7/spring-web-6.0.7.jar
Dependency Hierarchy:
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22243 (https://spring.io/security/cve-2024-22243), but with different input.
Publish Date: 2024-03-16
URL: CVE-2024-22259
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22259
Release Date: 2024-03-16
Fix Resolution (org.springframework:spring-web): 6.0.18
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-elasticsearch): 3.1.10
Vulnerable Library - spring-web-6.0.7.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.7/spring-web-6.0.7.jar
Dependency Hierarchy:
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Found in base branch: main
Vulnerability Details
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect (https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks.
Publish Date: 2024-02-23
URL: CVE-2024-22243
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2024-22243
Release Date: 2024-02-23
Fix Resolution (org.springframework:spring-web): 6.0.17
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-elasticsearch): 3.1.9
Vulnerable Library - parsson-1.0.0.jar
Jakarta JSON Processing provider
Library home page: https://github.com/eclipse-ee4j/parsson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/parsson/parsson/1.0.0/parsson-1.0.0.jar
Dependency Hierarchy:
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Found in base branch: main
Vulnerability Details
In Eclipse Parsson before versions 1.1.4 and 1.0.5, parsing JSON from untrusted sources can let malicious actors exploit the fact that the built-in support for parsing numbers with large scale in Java has a number of edge cases where the input text of a number can lead to much larger processing time than one would expect.
To mitigate the risk, Parsson put in place a size limit for the numbers as well as their scale.
Publish Date: 2023-11-03
URL: CVE-2023-4043
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/13
Release Date: 2023-11-03
Fix Resolution (org.eclipse.parsson:parsson): 1.0.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-elasticsearch): 3.3.0
Vulnerable Library - spring-web-6.0.7.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/6.0.7/spring-web-6.0.7.jar
Dependency Hierarchy:
Found in HEAD commit: 924aa2c29ab21a422a96a7a2e29ae0c459bcce8d
Found in base branch: main
Vulnerability Details
In Spring Framework versions 6.0.0 - 6.0.13, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.
Specifically, an application is vulnerable when all of the following are true:
the application uses Spring MVC or Spring WebFlux
io.micrometer:micrometer-core is on the classpath
an ObservationRegistry is configured in the application to record observations
Typically, Spring Boot applications need the org.springframework.boot:spring-boot-actuator dependency to meet all conditions.
Publish Date: 2023-11-28
URL: CVE-2023-34053
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-34053
Release Date: 2023-11-28
Fix Resolution (org.springframework:spring-web): 6.0.14
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-data-elasticsearch): 3.1.6