spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar: 4 vulnerabilities (highest severity is: 9.8) reachable #6
Description
Vulnerable Library - spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/2.1.5.RELEASE/thymeleaf-2.1.5.RELEASE.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (spring-boot-starter-thymeleaf version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2016-6814 |  Critical |
9.8 | Not Defined | 3.8% | groovy-2.4.7.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2023-38286 |  High |
7.5 | Not Defined | 1.0% | thymeleaf-2.1.5.RELEASE.jar | Transitive | 3.0.10 | ✅ |
|
| CVE-2020-17521 |  Medium |
5.5 | Not Defined | 0.70000005% | groovy-2.4.7.jar | Transitive | 2.0.0.RELEASE | ✅ |
|
| CVE-2016-3093 | Medium |
5.3 | Not Defined | 5.2999997% | ognl-3.0.8.jar | Transitive | N/A* | ❌ |
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2016-6814
Vulnerable Library - groovy-2.4.7.jar
Groovy: A powerful, dynamic language for the JVM
Library home page: http://groovy-lang.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library)
- thymeleaf-layout-dialect-1.4.0.jar
- ❌ groovy-2.4.7.jar (Vulnerable Library)
- thymeleaf-layout-dialect-1.4.0.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.Rce (Application)
-> groovy.lang.GroovyShell (Extension)
-> org.codehaus.groovy.runtime.HandleMetaClass (Extension)
-> org.codehaus.groovy.runtime.dgm$930 (Extension)
-> ❌ org.codehaus.groovy.runtime.MethodClosure (Vulnerable Component)
Vulnerability Details
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Publish Date: 2018-01-18
URL: CVE-2016-6814
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 3.8%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
Release Date: 2018-01-18
Fix Resolution (org.codehaus.groovy:groovy): 2.4.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-38286
Vulnerable Library - thymeleaf-2.1.5.RELEASE.jar
XML/XHTML/HTML5 template engine for Java
Library home page: http://www.thymeleaf.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/thymeleaf/thymeleaf/2.1.5.RELEASE/thymeleaf-2.1.5.RELEASE.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library)
- thymeleaf-spring4-2.1.5.RELEASE.jar
- ❌ thymeleaf-2.1.5.RELEASE.jar (Vulnerable Library)
- thymeleaf-spring4-2.1.5.RELEASE.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.SSRF (Application)
-> cn.hutool.http.HttpUtil (Extension)
-> cn.hutool.core.convert.Convert (Extension)
-> cn.hutool.extra.template.engine.thymeleaf.ThymeleafTemplate$1 (Extension)
...
-> org.thymeleaf.TemplateEngine (Extension)
-> org.thymeleaf.dialect.IExpressionEnhancingDialect (Extension)
-> ❌ org.thymeleaf.standard.processor.attr.StandardSwitchAttrProcessor (Vulnerable Component)
Vulnerability Details
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Publish Date: 2023-07-14
URL: CVE-2023-38286
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-7gj7-224w-vpr3
Release Date: 2023-07-14
Fix Resolution (org.thymeleaf:thymeleaf): 3.1.2.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 3.0.10
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2020-17521
Vulnerable Library - groovy-2.4.7.jar
Groovy: A powerful, dynamic language for the JVM
Library home page: http://groovy-lang.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library)
- thymeleaf-layout-dialect-1.4.0.jar
- ❌ groovy-2.4.7.jar (Vulnerable Library)
- thymeleaf-layout-dialect-1.4.0.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.Rce (Application)
-> groovy.lang.GroovyShell (Extension)
-> groovy.lang.ExpandoMetaClass (Extension)
-> org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl (Extension)
-> ❌ org.codehaus.groovy.runtime.DefaultGroovyStaticMethods (Vulnerable Component)
Vulnerability Details
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Publish Date: 2020-12-07
URL: CVE-2020-17521
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.70000005%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/GROOVY-9824
Release Date: 2020-12-07
Fix Resolution (org.codehaus.groovy:groovy): 2.4.21
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-thymeleaf): 2.0.0.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2016-3093
Vulnerable Library - ognl-3.0.8.jar
OGNL - Object Graph Navigation Library
Library home page: http://www.opensymphony.com
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ognl/ognl/3.0.8/ognl-3.0.8.jar
Dependency Hierarchy:
- spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar (Root Library)
- thymeleaf-spring4-2.1.5.RELEASE.jar
- thymeleaf-2.1.5.RELEASE.jar
- ❌ ognl-3.0.8.jar (Vulnerable Library)
- thymeleaf-2.1.5.RELEASE.jar
- thymeleaf-spring4-2.1.5.RELEASE.jar
Found in HEAD commit: bf8704d43c30f97e6b81388a152e3528d45aeacf
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
org.joychou.controller.SSRF (Application)
-> cn.hutool.http.HttpUtil (Extension)
-> cn.hutool.core.convert.Convert (Extension)
-> org.thymeleaf.expression.Conversions (Extension)
...
-> org.thymeleaf.standard.expression.OgnlVariableExpressionEvaluator (Extension)
-> ognl.Ognl (Extension)
-> ❌ ognl.BooleanExpression (Vulnerable Component)
Vulnerability Details
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
Publish Date: 2016-06-07
URL: CVE-2016-3093
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 5.2999997%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-383p-xqxx-rrmp
Release Date: 2016-06-07
Fix Resolution: org.apache.struts:struts2-core:2.3.24.3,ognl:ognl:3.0.12
⛑️Automatic Remediation will be attempted for this issue.