Trivy does not detect CVE-2023-20873 #6901

namandf · 2024-06-10T15:14:13Z

namandf
Jun 10, 2024

Description

https://avd.aquasec.com/nvd/2023/cve-2023-20873/

org.springframework.boot:spring-boot-autoconfigure , 2.3.12.RELEASE is known to have a vulnerability CVE-2023-20873,but trivy does not detect it. Only CVE-2023-20883 is currently being reported.

Even the aqua sec db has the start version as *
https://avd.aquasec.com/nvd/2023/cve-2023-20873/

Desired Behavior

CVE-2023-20873 should have been reported in the scan results

Actual Behavior

CVE-2023-20873 not reported in the scan results

Reproduction Steps

1.created a pom.xml with org.springframework.boot:spring-boot-autoconfigure , 2.3.12.RELEASE

<!-- pom.xml -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example</groupId>
    <artifactId>spring-boot-actuator-example</artifactId>
    <version>1.0.0</version>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.12.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <dependencies>
        <!-- Spring Boot Web -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <!-- Spring Boot Actuator -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-actuator-autoconfigure</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

2.Perform a filesystem scan
...



### Target

Filesystem

### Scanner

Vulnerability

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
2024-06-10T20:42:22.743+0530	DEBUG	DB Schema: 2, UpdatedAt: 2024-06-10 12:13:28.957657425 +0000 UTC, NextUpdate: 2024-06-10 18:13:28.957657255 +0000 UTC, DownloadedAt: 2024-06-10 15:06:00.666257 +0000 UTC
2024-06-10T20:42:22.744+0530	INFO	Vulnerability scanning is enabled
2024-06-10T20:42:22.744+0530	DEBUG	Vulnerability type:  [os library]
2024-06-10T20:42:22.744+0530	INFO	Secret scanning is enabled
2024-06-10T20:42:22.744+0530	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-10T20:42:22.744+0530	INFO	Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-06-10T20:42:22.744+0530	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-06-10T20:42:22.744+0530	DEBUG	No secret config detected: trivy-secret.yaml
2024-06-10T20:42:22.744+0530	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-06-10T20:42:22.745+0530	DEBUG	Walk the file tree rooted at '.' in parallel
2024-06-10T20:42:22.747+0530	DEBUG	Start parent: org.springframework.boot:spring-boot-starter-parent:2.3.12.RELEASE
2024-06-10T20:42:23.110+0530	DEBUG	Start parent: org.springframework.boot:spring-boot-dependencies:2.3.12.RELEASE
2024-06-10T20:42:23.188+0530	DEBUG	Exit parent: org.springframework.boot:spring-boot-dependencies:2.3.12.RELEASE
2024-06-10T20:42:23.189+0530	DEBUG	Exit parent: org.springframework.boot:spring-boot-starter-parent:2.3.12.RELEASE
2024-06-10T20:42:23.191+0530	DEBUG	Resolving com.datastax.oss:java-driver-bom:4.6.1...
2024-06-10T20:42:23.206+0530	DEBUG	Resolving io.dropwizard.metrics:metrics-bom:4.1.22...
2024-06-10T20:42:23.225+0530	DEBUG	Start parent: io.dropwizard.metrics:metrics-parent:4.1.22
2024-06-10T20:42:23.249+0530	DEBUG	Exit parent: io.dropwizard.metrics:metrics-parent:4.1.22
2024-06-10T20:42:23.249+0530	DEBUG	Resolving org.codehaus.groovy:groovy-bom:2.5.14...
2024-06-10T20:42:23.278+0530	DEBUG	Resolving com.fasterxml.jackson:jackson-bom:2.11.4...
2024-06-10T20:42:23.298+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:42:23.298+0530	DEBUG	Start parent: com.fasterxml.jackson:jackson-parent:2.11
2024-06-10T20:42:24.618+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/jackson-parent/2.11/jackson-parent-2.11.pom
2024-06-10T20:42:24.763+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:42:24.763+0530	DEBUG	Start parent: com.fasterxml:oss-parent:38
2024-06-10T20:42:25.021+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/oss-parent/38/oss-parent-38.pom
2024-06-10T20:42:25.305+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:42:25.305+0530	DEBUG	Exit parent: com.fasterxml:oss-parent:38
2024-06-10T20:42:25.305+0530	DEBUG	Exit parent: com.fasterxml.jackson:jackson-parent:2.11
2024-06-10T20:42:25.306+0530	DEBUG	Resolving org.glassfish.jersey:jersey-bom:2.30.1...
2024-06-10T20:42:25.564+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/glassfish/jersey/jersey-bom/2.30.1/jersey-bom-2.30.1.pom
2024-06-10T20:42:25.595+0530	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.5
2024-06-10T20:42:25.850+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/eclipse/ee4j/project/1.0.5/project-1.0.5.pom
2024-06-10T20:42:25.866+0530	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.5
2024-06-10T20:42:25.867+0530	DEBUG	Resolving org.eclipse.jetty:jetty-bom:9.4.42.v20210604...
2024-06-10T20:42:26.120+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/eclipse/jetty/jetty-bom/9.4.42.v20210604/jetty-bom-9.4.42.v20210604.pom
2024-06-10T20:42:26.146+0530	DEBUG	Resolving org.junit:junit-bom:5.6.3...
2024-06-10T20:42:26.396+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/junit/junit-bom/5.6.3/junit-bom-5.6.3.pom
2024-06-10T20:42:26.413+0530	DEBUG	Resolving org.jetbrains.kotlin:kotlin-bom:1.3.72...
2024-06-10T20:42:26.665+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/jetbrains/kotlin/kotlin-bom/1.3.72/kotlin-bom-1.3.72.pom
2024-06-10T20:42:26.683+0530	DEBUG	Resolving org.jetbrains.kotlinx:kotlinx-coroutines-bom:1.3.8...
2024-06-10T20:42:26.938+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/jetbrains/kotlinx/kotlinx-coroutines-bom/1.3.8/kotlinx-coroutines-bom-1.3.8.pom
2024-06-10T20:42:26.952+0530	DEBUG	Resolving org.apache.logging.log4j:log4j-bom:2.13.3...
2024-06-10T20:42:27.212+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/logging/log4j/log4j-bom/2.13.3/log4j-bom-2.13.3.pom
2024-06-10T20:42:27.228+0530	DEBUG	Start parent: org.apache.logging:logging-parent:1
2024-06-10T20:42:27.482+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/logging/logging-parent/1/logging-parent-1.pom
2024-06-10T20:42:27.498+0530	DEBUG	Start parent: org.apache:apache:18
2024-06-10T20:42:27.748+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/apache/18/apache-18.pom
2024-06-10T20:42:27.773+0530	DEBUG	Adding repository apache.snapshots: https://repository.apache.org/snapshots
2024-06-10T20:42:27.773+0530	DEBUG	Exit parent: org.apache:apache:18
2024-06-10T20:42:27.773+0530	DEBUG	Exit parent: org.apache.logging:logging-parent:1
2024-06-10T20:42:27.774+0530	DEBUG	Resolving io.micrometer:micrometer-bom:1.5.14...
2024-06-10T20:42:28.319+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/io/micrometer/micrometer-bom/1.5.14/micrometer-bom-1.5.14.pom
2024-06-10T20:42:28.574+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/micrometer/micrometer-bom/1.5.14/micrometer-bom-1.5.14.pom
2024-06-10T20:42:28.591+0530	DEBUG	Resolving io.netty:netty-bom:4.1.65.Final...
2024-06-10T20:42:29.131+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/io/netty/netty-bom/4.1.65.Final/netty-bom-4.1.65.Final.pom
2024-06-10T20:42:29.384+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/netty/netty-bom/4.1.65.Final/netty-bom-4.1.65.Final.pom
2024-06-10T20:42:29.407+0530	DEBUG	Start parent: org.sonatype.oss:oss-parent:7
2024-06-10T20:42:29.953+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
2024-06-10T20:42:30.204+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/sonatype/oss/oss-parent/7/oss-parent-7.pom
2024-06-10T20:42:30.221+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:42:30.222+0530	DEBUG	Exit parent: org.sonatype.oss:oss-parent:7
2024-06-10T20:42:30.222+0530	DEBUG	Resolving io.r2dbc:r2dbc-bom:Arabba-SR10...
2024-06-10T20:42:30.476+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/r2dbc/r2dbc-bom/Arabba-SR10/r2dbc-bom-Arabba-SR10.pom
2024-06-10T20:42:31.001+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/io/r2dbc/r2dbc-bom/Arabba-SR10/r2dbc-bom-Arabba-SR10.pom
2024-06-10T20:42:31.017+0530	DEBUG	Resolving io.projectreactor:reactor-bom:Dysprosium-SR20...
2024-06-10T20:42:31.269+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/projectreactor/reactor-bom/Dysprosium-SR20/reactor-bom-Dysprosium-SR20.pom
2024-06-10T20:42:31.797+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/io/projectreactor/reactor-bom/Dysprosium-SR20/reactor-bom-Dysprosium-SR20.pom
2024-06-10T20:42:31.812+0530	DEBUG	Resolving io.rsocket:rsocket-bom:1.0.5...
2024-06-10T20:42:32.065+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/io/rsocket/rsocket-bom/1.0.5/rsocket-bom-1.0.5.pom
2024-06-10T20:42:32.599+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/io/rsocket/rsocket-bom/1.0.5/rsocket-bom-1.0.5.pom
2024-06-10T20:42:32.615+0530	DEBUG	Resolving org.springframework.data:spring-data-releasetrain:Neumann-SR9...
2024-06-10T20:42:32.900+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/data/spring-data-releasetrain/Neumann-SR9/spring-data-releasetrain-Neumann-SR9.pom
2024-06-10T20:42:33.420+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/data/spring-data-releasetrain/Neumann-SR9/spring-data-releasetrain-Neumann-SR9.pom
2024-06-10T20:42:33.435+0530	DEBUG	Start parent: org.springframework.data.build:spring-data-build:2.3.9.RELEASE
2024-06-10T20:42:33.688+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/data/build/spring-data-build/2.3.9.RELEASE/spring-data-build-2.3.9.RELEASE.pom
2024-06-10T20:42:34.220+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/data/build/spring-data-build/2.3.9.RELEASE/spring-data-build-2.3.9.RELEASE.pom
2024-06-10T20:42:34.237+0530	DEBUG	Exit parent: org.springframework.data.build:spring-data-build:2.3.9.RELEASE
2024-06-10T20:42:34.238+0530	DEBUG	Resolving org.springframework:spring-framework-bom:5.2.15.RELEASE...
2024-06-10T20:42:34.492+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-framework-bom/5.2.15.RELEASE/spring-framework-bom-5.2.15.RELEASE.pom
2024-06-10T20:42:35.049+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-framework-bom/5.2.15.RELEASE/spring-framework-bom-5.2.15.RELEASE.pom
2024-06-10T20:42:35.064+0530	DEBUG	Resolving org.springframework.integration:spring-integration-bom:5.3.8.RELEASE...
2024-06-10T20:42:35.317+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/integration/spring-integration-bom/5.3.8.RELEASE/spring-integration-bom-5.3.8.RELEASE.pom
2024-06-10T20:42:35.870+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/integration/spring-integration-bom/5.3.8.RELEASE/spring-integration-bom-5.3.8.RELEASE.pom
2024-06-10T20:42:35.891+0530	DEBUG	Resolving org.springframework.security:spring-security-bom:5.3.9.RELEASE...
2024-06-10T20:42:36.144+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/security/spring-security-bom/5.3.9.RELEASE/spring-security-bom-5.3.9.RELEASE.pom
2024-06-10T20:42:36.679+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/security/spring-security-bom/5.3.9.RELEASE/spring-security-bom-5.3.9.RELEASE.pom
2024-06-10T20:42:36.701+0530	DEBUG	Resolving org.springframework.session:spring-session-bom:Dragonfruit-SR3...
2024-06-10T20:42:36.952+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/session/spring-session-bom/Dragonfruit-SR3/spring-session-bom-Dragonfruit-SR3.pom
2024-06-10T20:42:37.465+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/session/spring-session-bom/Dragonfruit-SR3/spring-session-bom-Dragonfruit-SR3.pom
2024-06-10T20:42:37.496+0530	DEBUG	Resolving org.springframework.boot:spring-boot-starter-web:2.3.12.RELEASE...
2024-06-10T20:42:37.761+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-starter-web/2.3.12.RELEASE/spring-boot-starter-web-2.3.12.RELEASE.pom
2024-06-10T20:42:38.274+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-starter-web/2.3.12.RELEASE/spring-boot-starter-web-2.3.12.RELEASE.pom
2024-06-10T20:42:38.291+0530	DEBUG	Resolving org.springframework.boot:spring-boot-actuator-autoconfigure:2.3.12.RELEASE...
2024-06-10T20:42:38.544+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-actuator-autoconfigure/2.3.12.RELEASE/spring-boot-actuator-autoconfigure-2.3.12.RELEASE.pom
2024-06-10T20:42:39.086+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-actuator-autoconfigure/2.3.12.RELEASE/spring-boot-actuator-autoconfigure-2.3.12.RELEASE.pom
2024-06-10T20:42:39.101+0530	DEBUG	Resolving org.springframework.boot:spring-boot-starter:2.3.12.RELEASE...
2024-06-10T20:42:39.352+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-starter/2.3.12.RELEASE/spring-boot-starter-2.3.12.RELEASE.pom
2024-06-10T20:42:40.054+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-starter/2.3.12.RELEASE/spring-boot-starter-2.3.12.RELEASE.pom
2024-06-10T20:42:40.073+0530	DEBUG	Resolving org.springframework.boot:spring-boot-starter-json:2.3.12.RELEASE...
2024-06-10T20:42:40.325+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-starter-json/2.3.12.RELEASE/spring-boot-starter-json-2.3.12.RELEASE.pom
2024-06-10T20:42:40.896+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-starter-json/2.3.12.RELEASE/spring-boot-starter-json-2.3.12.RELEASE.pom
2024-06-10T20:42:40.926+0530	DEBUG	Resolving org.springframework.boot:spring-boot-starter-tomcat:2.3.12.RELEASE...
2024-06-10T20:42:41.180+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-starter-tomcat/2.3.12.RELEASE/spring-boot-starter-tomcat-2.3.12.RELEASE.pom
2024-06-10T20:42:41.727+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-starter-tomcat/2.3.12.RELEASE/spring-boot-starter-tomcat-2.3.12.RELEASE.pom
2024-06-10T20:42:41.755+0530	DEBUG	Resolving org.springframework:spring-web:5.2.15.RELEASE...
2024-06-10T20:42:42.032+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-web/5.2.15.RELEASE/spring-web-5.2.15.RELEASE.pom
2024-06-10T20:42:43.961+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-web/5.2.15.RELEASE/spring-web-5.2.15.RELEASE.pom
2024-06-10T20:42:43.991+0530	DEBUG	Resolving org.springframework:spring-webmvc:5.2.15.RELEASE...
2024-06-10T20:42:44.279+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-webmvc/5.2.15.RELEASE/spring-webmvc-5.2.15.RELEASE.pom
2024-06-10T20:42:44.847+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-webmvc/5.2.15.RELEASE/spring-webmvc-5.2.15.RELEASE.pom
2024-06-10T20:42:44.888+0530	DEBUG	Resolving org.springframework.boot:spring-boot-actuator:2.3.12.RELEASE...
2024-06-10T20:42:45.147+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-actuator/2.3.12.RELEASE/spring-boot-actuator-2.3.12.RELEASE.pom
2024-06-10T20:42:45.660+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-actuator/2.3.12.RELEASE/spring-boot-actuator-2.3.12.RELEASE.pom
2024-06-10T20:42:45.704+0530	DEBUG	Resolving org.springframework.boot:spring-boot:2.3.12.RELEASE...
2024-06-10T20:42:45.957+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot/2.3.12.RELEASE/spring-boot-2.3.12.RELEASE.pom
2024-06-10T20:42:46.459+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot/2.3.12.RELEASE/spring-boot-2.3.12.RELEASE.pom
2024-06-10T20:42:46.474+0530	DEBUG	Resolving org.springframework.boot:spring-boot-autoconfigure:2.3.12.RELEASE...
2024-06-10T20:42:46.729+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-autoconfigure/2.3.12.RELEASE/spring-boot-autoconfigure-2.3.12.RELEASE.pom
2024-06-10T20:42:47.227+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-autoconfigure/2.3.12.RELEASE/spring-boot-autoconfigure-2.3.12.RELEASE.pom
2024-06-10T20:42:47.248+0530	DEBUG	Resolving com.fasterxml.jackson.core:jackson-databind:2.11.4...
2024-06-10T20:42:47.501+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-databind/2.11.4/jackson-databind-2.11.4.pom
2024-06-10T20:42:48.009+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/core/jackson-databind/2.11.4/jackson-databind-2.11.4.pom
2024-06-10T20:42:48.031+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:42:48.031+0530	DEBUG	Start parent: com.fasterxml.jackson:jackson-base:2.11.4
2024-06-10T20:42:48.284+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/jackson-base/2.11.4/jackson-base-2.11.4.pom
2024-06-10T20:42:48.814+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/jackson-base/2.11.4/jackson-base-2.11.4.pom
2024-06-10T20:42:48.833+0530	DEBUG	Start parent: com.fasterxml.jackson:jackson-bom:2.11.4
2024-06-10T20:42:48.833+0530	DEBUG	Exit parent: com.fasterxml.jackson:jackson-bom:2.11.4
2024-06-10T20:42:48.834+0530	DEBUG	Exit parent: com.fasterxml.jackson:jackson-base:2.11.4
2024-06-10T20:42:48.836+0530	DEBUG	Resolving com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.11.4...
2024-06-10T20:42:49.093+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.11.4/jackson-datatype-jsr310-2.11.4.pom
2024-06-10T20:42:49.595+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.11.4/jackson-datatype-jsr310-2.11.4.pom
2024-06-10T20:42:49.614+0530	DEBUG	Start parent: com.fasterxml.jackson.module:jackson-modules-java8:2.11.4
2024-06-10T20:42:49.864+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/module/jackson-modules-java8/2.11.4/jackson-modules-java8-2.11.4.pom
2024-06-10T20:42:50.411+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/module/jackson-modules-java8/2.11.4/jackson-modules-java8-2.11.4.pom
2024-06-10T20:42:50.427+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:42:50.427+0530	DEBUG	Start parent: com.fasterxml.jackson:jackson-base:2.11.4
2024-06-10T20:42:50.427+0530	DEBUG	Exit parent: com.fasterxml.jackson:jackson-base:2.11.4
2024-06-10T20:42:50.427+0530	DEBUG	Exit parent: com.fasterxml.jackson.module:jackson-modules-java8:2.11.4
2024-06-10T20:42:50.427+0530	DEBUG	Resolving org.springframework.boot:spring-boot-starter-logging:2.3.12.RELEASE...
2024-06-10T20:42:50.681+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/boot/spring-boot-starter-logging/2.3.12.RELEASE/spring-boot-starter-logging-2.3.12.RELEASE.pom
2024-06-10T20:42:51.236+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/boot/spring-boot-starter-logging/2.3.12.RELEASE/spring-boot-starter-logging-2.3.12.RELEASE.pom
2024-06-10T20:42:51.269+0530	DEBUG	Resolving jakarta.annotation:jakarta.annotation-api:1.3.5...
2024-06-10T20:42:51.524+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.pom
2024-06-10T20:42:52.155+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.pom
2024-06-10T20:42:52.178+0530	DEBUG	Start parent: jakarta.annotation:ca-parent:1.3.5
2024-06-10T20:42:52.436+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/jakarta/annotation/ca-parent/1.3.5/ca-parent-1.3.5.pom
2024-06-10T20:42:53.041+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/jakarta/annotation/ca-parent/1.3.5/ca-parent-1.3.5.pom
2024-06-10T20:42:53.062+0530	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.5
2024-06-10T20:42:53.062+0530	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.5
2024-06-10T20:42:53.062+0530	DEBUG	Exit parent: jakarta.annotation:ca-parent:1.3.5
2024-06-10T20:42:53.062+0530	DEBUG	Resolving org.springframework:spring-core:5.2.15.RELEASE...
2024-06-10T20:42:53.320+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-core/5.2.15.RELEASE/spring-core-5.2.15.RELEASE.pom
2024-06-10T20:42:53.830+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-core/5.2.15.RELEASE/spring-core-5.2.15.RELEASE.pom
2024-06-10T20:42:53.935+0530	DEBUG	Resolving org.yaml:snakeyaml:1.26...
2024-06-10T20:42:54.221+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/yaml/snakeyaml/1.26/snakeyaml-1.26.pom
2024-06-10T20:42:54.800+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/yaml/snakeyaml/1.26/snakeyaml-1.26.pom
2024-06-10T20:42:54.847+0530	DEBUG	Resolving com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.11.4...
2024-06-10T20:42:55.130+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.11.4/jackson-datatype-jdk8-2.11.4.pom
2024-06-10T20:42:55.686+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/datatype/jackson-datatype-jdk8/2.11.4/jackson-datatype-jdk8-2.11.4.pom
2024-06-10T20:42:55.715+0530	DEBUG	Start parent: com.fasterxml.jackson.module:jackson-modules-java8:2.11.4
2024-06-10T20:42:55.715+0530	DEBUG	Exit parent: com.fasterxml.jackson.module:jackson-modules-java8:2.11.4
2024-06-10T20:42:55.715+0530	DEBUG	Resolving com.fasterxml.jackson.module:jackson-module-parameter-names:2.11.4...
2024-06-10T20:42:55.972+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/module/jackson-module-parameter-names/2.11.4/jackson-module-parameter-names-2.11.4.pom
2024-06-10T20:42:56.560+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/module/jackson-module-parameter-names/2.11.4/jackson-module-parameter-names-2.11.4.pom
2024-06-10T20:42:56.579+0530	DEBUG	Start parent: com.fasterxml.jackson.module:jackson-modules-java8:2.11.4
2024-06-10T20:42:56.579+0530	DEBUG	Exit parent: com.fasterxml.jackson.module:jackson-modules-java8:2.11.4
2024-06-10T20:42:56.580+0530	DEBUG	Resolving org.apache.tomcat.embed:tomcat-embed-core:9.0.46...
2024-06-10T20:42:56.836+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.pom
2024-06-10T20:42:57.356+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/apache/tomcat/embed/tomcat-embed-core/9.0.46/tomcat-embed-core-9.0.46.pom
2024-06-10T20:42:57.380+0530	DEBUG	Resolving org.glassfish:jakarta.el:3.0.3...
2024-06-10T20:42:57.637+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.pom
2024-06-10T20:42:58.215+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.pom
2024-06-10T20:42:58.249+0530	DEBUG	Start parent: org.eclipse.ee4j:project:1.0.5
2024-06-10T20:42:58.249+0530	DEBUG	Exit parent: org.eclipse.ee4j:project:1.0.5
2024-06-10T20:42:58.250+0530	DEBUG	Resolving org.apache.tomcat.embed:tomcat-embed-websocket:9.0.46...
2024-06-10T20:42:58.532+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/tomcat/embed/tomcat-embed-websocket/9.0.46/tomcat-embed-websocket-9.0.46.pom
2024-06-10T20:42:59.139+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/apache/tomcat/embed/tomcat-embed-websocket/9.0.46/tomcat-embed-websocket-9.0.46.pom
2024-06-10T20:42:59.157+0530	DEBUG	Resolving org.springframework:spring-beans:5.2.15.RELEASE...
2024-06-10T20:42:59.409+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-beans/5.2.15.RELEASE/spring-beans-5.2.15.RELEASE.pom
2024-06-10T20:42:59.910+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-beans/5.2.15.RELEASE/spring-beans-5.2.15.RELEASE.pom
2024-06-10T20:42:59.929+0530	DEBUG	Resolving org.springframework:spring-aop:5.2.15.RELEASE...
2024-06-10T20:43:00.184+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-aop/5.2.15.RELEASE/spring-aop-5.2.15.RELEASE.pom
2024-06-10T20:43:00.689+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-aop/5.2.15.RELEASE/spring-aop-5.2.15.RELEASE.pom
2024-06-10T20:43:00.706+0530	DEBUG	Resolving org.springframework:spring-context:5.2.15.RELEASE...
2024-06-10T20:43:00.969+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-context/5.2.15.RELEASE/spring-context-5.2.15.RELEASE.pom
2024-06-10T20:43:01.582+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-context/5.2.15.RELEASE/spring-context-5.2.15.RELEASE.pom
2024-06-10T20:43:01.599+0530	DEBUG	Resolving org.springframework:spring-expression:5.2.15.RELEASE...
2024-06-10T20:43:01.995+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-expression/5.2.15.RELEASE/spring-expression-5.2.15.RELEASE.pom
2024-06-10T20:43:02.551+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-expression/5.2.15.RELEASE/spring-expression-5.2.15.RELEASE.pom
2024-06-10T20:43:02.565+0530	DEBUG	Resolving com.fasterxml.jackson.core:jackson-annotations:2.11.4...
2024-06-10T20:43:02.820+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.11.4/jackson-annotations-2.11.4.pom
2024-06-10T20:43:03.358+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/core/jackson-annotations/2.11.4/jackson-annotations-2.11.4.pom
2024-06-10T20:43:03.377+0530	DEBUG	Start parent: com.fasterxml.jackson:jackson-parent:2.11
2024-06-10T20:43:03.377+0530	DEBUG	Exit parent: com.fasterxml.jackson:jackson-parent:2.11
2024-06-10T20:43:03.377+0530	DEBUG	Resolving com.fasterxml.jackson.core:jackson-core:2.11.4...
2024-06-10T20:43:03.659+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/com/fasterxml/jackson/core/jackson-core/2.11.4/jackson-core-2.11.4.pom
2024-06-10T20:43:04.248+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/com/fasterxml/jackson/core/jackson-core/2.11.4/jackson-core-2.11.4.pom
2024-06-10T20:43:04.290+0530	DEBUG	Adding repository sonatype-nexus-snapshots: https://oss.sonatype.org/content/repositories/snapshots
2024-06-10T20:43:04.290+0530	DEBUG	Start parent: com.fasterxml.jackson:jackson-base:2.11.4
2024-06-10T20:43:04.290+0530	DEBUG	Exit parent: com.fasterxml.jackson:jackson-base:2.11.4
2024-06-10T20:43:04.290+0530	DEBUG	Resolving ch.qos.logback:logback-classic:1.2.3...
2024-06-10T20:43:04.561+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.pom
2024-06-10T20:43:05.099+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.pom
2024-06-10T20:43:05.121+0530	DEBUG	Start parent: ch.qos.logback:logback-parent:1.2.3
2024-06-10T20:43:05.372+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/ch/qos/logback/logback-parent/1.2.3/logback-parent-1.2.3.pom
2024-06-10T20:43:06.304+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/ch/qos/logback/logback-parent/1.2.3/logback-parent-1.2.3.pom
2024-06-10T20:43:06.325+0530	DEBUG	Exit parent: ch.qos.logback:logback-parent:1.2.3
2024-06-10T20:43:06.327+0530	DEBUG	Resolving org.apache.logging.log4j:log4j-to-slf4j:2.13.3...
2024-06-10T20:43:06.682+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/logging/log4j/log4j-to-slf4j/2.13.3/log4j-to-slf4j-2.13.3.pom
2024-06-10T20:43:07.232+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/apache/logging/log4j/log4j-to-slf4j/2.13.3/log4j-to-slf4j-2.13.3.pom
2024-06-10T20:43:07.249+0530	DEBUG	Start parent: org.apache.logging.log4j:log4j:2.13.3
2024-06-10T20:43:07.500+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/logging/log4j/log4j/2.13.3/log4j-2.13.3.pom
2024-06-10T20:43:08.012+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/apache/logging/log4j/log4j/2.13.3/log4j-2.13.3.pom
2024-06-10T20:43:08.065+0530	DEBUG	Start parent: org.apache:apache:21
2024-06-10T20:43:08.317+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/apache/21/apache-21.pom
2024-06-10T20:43:08.848+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/apache/apache/21/apache-21.pom
2024-06-10T20:43:08.872+0530	DEBUG	Adding repository apache.snapshots: https://repository.apache.org/snapshots
2024-06-10T20:43:08.872+0530	DEBUG	Exit parent: org.apache:apache:21
2024-06-10T20:43:08.872+0530	DEBUG	Exit parent: org.apache.logging.log4j:log4j:2.13.3
2024-06-10T20:43:08.873+0530	DEBUG	Resolving org.slf4j:jul-to-slf4j:1.7.30...
2024-06-10T20:43:09.398+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/slf4j/jul-to-slf4j/1.7.30/jul-to-slf4j-1.7.30.pom
2024-06-10T20:43:09.657+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/slf4j/jul-to-slf4j/1.7.30/jul-to-slf4j-1.7.30.pom
2024-06-10T20:43:09.672+0530	DEBUG	Start parent: org.slf4j:slf4j-parent:1.7.30
2024-06-10T20:43:10.201+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/slf4j/slf4j-parent/1.7.30/slf4j-parent-1.7.30.pom
2024-06-10T20:43:10.458+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/slf4j/slf4j-parent/1.7.30/slf4j-parent-1.7.30.pom
2024-06-10T20:43:11.263+0530	DEBUG	Exit parent: org.slf4j:slf4j-parent:1.7.30
2024-06-10T20:43:11.263+0530	DEBUG	Resolving org.springframework:spring-jcl:5.2.15.RELEASE...
2024-06-10T20:43:11.773+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/springframework/spring-jcl/5.2.15.RELEASE/spring-jcl-5.2.15.RELEASE.pom
2024-06-10T20:43:12.025+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/springframework/spring-jcl/5.2.15.RELEASE/spring-jcl-5.2.15.RELEASE.pom
2024-06-10T20:43:12.038+0530	DEBUG	Resolving ch.qos.logback:logback-core:1.2.3...
2024-06-10T20:43:12.565+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.pom
2024-06-10T20:43:12.818+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.pom
2024-06-10T20:43:12.847+0530	DEBUG	Start parent: ch.qos.logback:logback-parent:1.2.3
2024-06-10T20:43:12.847+0530	DEBUG	Exit parent: ch.qos.logback:logback-parent:1.2.3
2024-06-10T20:43:12.848+0530	DEBUG	Resolving org.slf4j:slf4j-api:1.7.30...
2024-06-10T20:43:13.383+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.pom
2024-06-10T20:43:13.637+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/slf4j/slf4j-api/1.7.30/slf4j-api-1.7.30.pom
2024-06-10T20:43:13.655+0530	DEBUG	Start parent: org.slf4j:slf4j-parent:1.7.30
2024-06-10T20:43:13.655+0530	DEBUG	Exit parent: org.slf4j:slf4j-parent:1.7.30
2024-06-10T20:43:13.656+0530	DEBUG	Resolving org.apache.logging.log4j:log4j-api:2.13.3...
2024-06-10T20:43:14.176+0530	DEBUG	Failed to fetch from repository.apache.org/snapshots/org/apache/logging/log4j/log4j-api/2.13.3/log4j-api-2.13.3.pom
2024-06-10T20:43:14.428+0530	DEBUG	Failed to fetch from oss.sonatype.org/content/repositories/snapshots/org/apache/logging/log4j/log4j-api/2.13.3/log4j-api-2.13.3.pom
2024-06-10T20:43:14.462+0530	DEBUG	Start parent: org.apache.logging.log4j:log4j:2.13.3
2024-06-10T20:43:14.462+0530	DEBUG	Exit parent: org.apache.logging.log4j:log4j:2.13.3
2024-06-10T20:43:14.536+0530	DEBUG	OS is not detected.
2024-06-10T20:43:14.536+0530	DEBUG	Detected OS: unknown
2024-06-10T20:43:14.536+0530	INFO	Number of language-specific files: 1
2024-06-10T20:43:14.536+0530	INFO	Detecting pom vulnerabilities...
2024-06-10T20:43:14.536+0530	DEBUG	Detecting library vulnerabilities, type: pom, path: pom.xml

pom.xml (pom)

Total: 40 (UNKNOWN: 0, LOW: 0, MEDIUM: 17, HIGH: 19, CRITICAL: 4)

┌────────────────────────────────────────────────────┬──────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│                      Library                       │  Vulnerability   │ Severity │ Status │ Installed Version │            Fixed Version            │                            Title                             │
├────────────────────────────────────────────────────┼──────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ch.qos.logback:logback-classic                     │ CVE-2023-6378    │ HIGH     │ fixed  │ 1.2.3             │ 1.3.12, 1.4.12, 1.2.13              │ logback: serialization vulnerability in logback receiver     │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-6378                    │
├────────────────────────────────────────────────────┤                  │          │        │                   │                                     │                                                              │
│ ch.qos.logback:logback-core                        │                  │          │        │                   │                                     │                                                              │
│                                                    │                  │          │        │                   │                                     │                                                              │
│                                                    ├──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2021-42550   │ MEDIUM   │        │                   │ 1.2.9                               │ logback: remote code execution through JNDI call from within │
│                                                    │                  │          │        │                   │                                     │ its configuration file...                                    │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2021-42550                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-databind        │ CVE-2020-36518   │ HIGH     │        │ 2.11.4            │ 2.13.2.1, 2.12.6.1                  │ jackson-databind: denial of service via a large depth of     │
│                                                    │                  │          │        │                   │                                     │ nested objects                                               │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2020-36518                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2021-46877   │          │        │                   │ 2.12.6, 2.13.1                      │ jackson-databind: Possible DoS if using JDK serialization to │
│                                                    │                  │          │        │                   │                                     │ serialize JsonNode                                           │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2021-46877                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-42003   │          │        │                   │ 2.12.7.1, 2.13.4.2                  │ jackson-databind: deep wrapper array nesting wrt             │
│                                                    │                  │          │        │                   │                                     │ UNWRAP_SINGLE_VALUE_ARRAYS                                   │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-42003                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-42004   │          │        │                   │ 2.12.7.1, 2.13.4                    │ jackson-databind: use of deeply nested arrays                │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-42004                   │
├────────────────────────────────────────────────────┼──────────────────┤          │        ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-core          │ CVE-2022-42252   │          │        │ 9.0.46            │ 8.5.83, 9.0.68, 10.0.27, 10.1.1     │ tomcat: request smuggling                                    │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-42252                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-45143   │          │        │                   │ 8.5.84, 9.0.69, 10.1.2              │ tomcat: JsonErrorReportValve injection                       │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-45143                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-24998   │          │        │                   │ 10.1.5, 11.0.0-M5, 8.5.88, 9.0.71   │ Apache Commons FileUpload: FileUpload DoS with excessive     │
│                                                    │                  │          │        │                   │                                     │ parts                                                        │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-24998                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-46589   │          │        │                   │ 11.0.0-M11, 10.1.16, 9.0.83, 8.5.96 │ tomcat: HTTP request smuggling via malformed trailer headers │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-46589                   │
│                                                    ├──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-41080   │ MEDIUM   │        │                   │ 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 │ tomcat: Open Redirect vulnerability in FORM authentication   │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-41080                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-42795   │          │        │                   │ 11.0.0-M12, 10.1.14, 9.0.81, 8.5.94 │ tomcat: improper cleaning of recycled objects could lead to  │
│                                                    │                  │          │        │                   │                                     │ information leak                                             │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-42795                   │
│                                                    ├──────────────────┤          │        │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-44487   │          │        │                   │                                     │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                                                    │                  │          │        │                   │                                     │ to a DDoS attack...                                          │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
│                                                    ├──────────────────┤          │        │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-45648   │          │        │                   │                                     │ tomcat: incorrectly parsed http trailer headers can cause    │
│                                                    │                  │          │        │                   │                                     │ request smuggling                                            │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-45648                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2024-24549   │          │        │                   │ 8.5.99, 9.0.86, 10.1.19, 11.0.0-M17 │ : Apache Tomcat: HTTP/2 header handling DoS                  │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2024-24549                   │
├────────────────────────────────────────────────────┼──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.apache.tomcat.embed:tomcat-embed-websocket     │ CVE-2024-23672   │          │        │                   │ 11.0.0-M17, 10.1.19, 9.0.86, 8.5.99 │ Apache Tomcat: WebSocket DoS with incomplete closing         │
│                                                    │                  │          │        │                   │                                     │ handshake                                                    │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2024-23672                   │
├────────────────────────────────────────────────────┼──────────────────┤          │        ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot               │ CVE-2023-34055   │          │        │ 2.3.12.RELEASE    │ 2.7.18, 3.0.13, 3.1.6               │ spring-boot: org.springframework.boot:spring-boot-actuator   │
│                                                    │                  │          │        │                   │                                     │ class vulnerable to denial of service                        │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-34055                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-autoconfigure │ CVE-2023-20883   │ HIGH     │        │                   │ 3.0.7, 2.7.12, 2.6.15, 2.5.15       │ spring-boot: Spring Boot Welcome Page DoS Vulnerability      │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-20883                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-starter-web   │ CVE-2022-22965   │ CRITICAL │        │                   │ 2.5.12, 2.6.6                       │ spring-framework: RCE via Data Binding on JDK 9+             │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-22965                   │
├────────────────────────────────────────────────────┤                  │          │        ├───────────────────┼─────────────────────────────────────┤                                                              │
│ org.springframework:spring-beans                   │                  │          │        │ 5.2.15.RELEASE    │ 5.2.20.RELEASE, 5.3.18              │                                                              │
│                                                    │                  │          │        │                   │                                     │                                                              │
│                                                    ├──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-22970   │ HIGH     │        │                   │ 5.2.22.RELEASE, 5.3.20              │ springframework: DoS via data binding to multipartFile or    │
│                                                    │                  │          │        │                   │                                     │ servlet part                                                 │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-22970                   │
├────────────────────────────────────────────────────┼──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-context                 │ CVE-2022-22968   │          │        │                   │ 5.3.19, 5.2.21.RELEASE              │ Spring Framework: Data Binding Rules Vulnerability           │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-22968                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-core                    │ CVE-2021-22060   │ MEDIUM   │        │                   │ 5.3.14, 5.2.19                      │ springframework: Additional Log Injection in Spring          │
│                                                    │                  │          │        │                   │                                     │ Framework (follow-up to CVE-2021-22096)                      │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2021-22060                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2021-22096   │          │        │                   │ 5.3.11, 5.2.18                      │ springframework: malicious input leads to insertion of       │
│                                                    │                  │          │        │                   │                                     │ additional log entries                                       │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2021-22096                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-expression              │ CVE-2023-20863   │ HIGH     │        │                   │ 6.0.8, 5.3.27, 5.2.24.RELEASE       │ springframework: Spring Expression DoS Vulnerability         │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-20863                   │
│                                                    ├──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-22950   │ MEDIUM   │        │                   │ 5.3.17, 5.2.20.RELEASE              │ spring-expression: Denial of service via specially crafted   │
│                                                    │                  │          │        │                   │                                     │ SpEL expression                                              │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-22950                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2023-20861   │          │        │                   │ 6.0.7, 5.3.26, 5.2.23.RELEASE       │ springframework: Spring Expression DoS Vulnerability         │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2023-20861                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web                     │ CVE-2016-1000027 │ CRITICAL │        │                   │ 6.0.0                               │ spring: HttpInvokerServiceExporter readRemoteInvocation      │
│                                                    │                  │          │        │                   │                                     │ method untrusted java deserialization                        │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2016-1000027                 │
│                                                    ├──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2024-22243   │ HIGH     │        │                   │ 6.1.4, 6.0.17, 5.3.32               │ springframework: URL Parsing with Host Validation            │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2024-22243                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2024-22259   │          │        │                   │ 6.1.5, 6.0.18, 5.3.33               │ springframework: URL Parsing with Host Validation            │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2024-22259                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2024-22262   │          │        │                   │ 5.3.34, 6.0.19, 6.1.6               │ springframework: URL Parsing with Host Validation            │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2024-22262                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc                  │ CVE-2022-22965   │ CRITICAL │        │                   │ 5.2.20.RELEASE, 5.3.18              │ spring-framework: RCE via Data Binding on JDK 9+             │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-22965                   │
├────────────────────────────────────────────────────┼──────────────────┼──────────┤        ├───────────────────┼─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml                                 │ CVE-2022-1471    │ HIGH     │        │ 1.26              │ 2.0                                 │ SnakeYaml: Constructor Deserialization Remote Code Execution │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-25857   │          │        │                   │ 1.31                                │ snakeyaml: Denial of Service due to missing nested depth     │
│                                                    │                  │          │        │                   │                                     │ limitation for collections...                                │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-25857                   │
│                                                    ├──────────────────┼──────────┤        │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-38749   │ MEDIUM   │        │                   │                                     │ snakeyaml: Uncaught exception in                             │
│                                                    │                  │          │        │                   │                                     │ org.yaml.snakeyaml.composer.Composer.composeSequenceNode     │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-38749                   │
│                                                    ├──────────────────┤          │        │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-38750   │          │        │                   │                                     │ snakeyaml: Uncaught exception in                             │
│                                                    │                  │          │        │                   │                                     │ org.yaml.snakeyaml.constructor.BaseConstructor.constructObj- │
│                                                    │                  │          │        │                   │                                     │ ect                                                          │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-38750                   │
│                                                    ├──────────────────┤          │        │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-38751   │          │        │                   │                                     │ snakeyaml: Uncaught exception in                             │
│                                                    │                  │          │        │                   │                                     │ java.base/java.util.regex.Pattern$Ques.match                 │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-38751                   │
│                                                    ├──────────────────┤          │        │                   ├─────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-38752   │          │        │                   │ 1.32                                │ snakeyaml: Uncaught exception in                             │
│                                                    │                  │          │        │                   │                                     │ java.base/java.util.ArrayList.hashCode                       │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-38752                   │
│                                                    ├──────────────────┤          │        │                   │                                     ├──────────────────────────────────────────────────────────────┤
│                                                    │ CVE-2022-41854   │          │        │                   │                                     │ dev-java/snakeyaml: DoS via stack overflow                   │
│                                                    │                  │          │        │                   │                                     │ https://avd.aquasec.com/nvd/cve-2022-41854                   │
└────────────────────────────────────────────────────┴──────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────┴────────────────────────────────────────────────────────

Operating System

macOS Sonoma

Version

Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-10 00:14:40.397672298 +0000 UTC
  NextUpdate: 2024-04-10 06:14:40.397671937 +0000 UTC
  DownloadedAt: 2024-04-10 05:37:58.886042 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-09-11 00:53:00.064262708 +0000 UTC
  NextUpdate: 2023-09-14 00:53:00.064262008 +0000 UTC
  DownloadedAt: 2023-09-11 19:22:04.868176 +0000 UTC

Checklist

Run trivy image --reset
Read the troubleshooting

Answered by DmitriyLewen

Jun 11, 2024

Hellol @namandf
Thanks for your report!

We use GitHub advisory database for java package (https://aquasecurity.github.io/trivy/v0.52/docs/scanner/vulnerability/#data-sources_1).

GitHub database use the following ranges:

If you sure that versions prior to 2.5.0 are vulnerable - please suggest changes on GitHub - https://github.com/advisories/GHSA-g5h3-w546-pj7f/improve

Regards, Dmitriy

View full answer

DmitriyLewen · 2024-06-11T06:06:41Z

DmitriyLewen
Jun 11, 2024
Maintainer

Hellol @namandf
Thanks for your report!

We use GitHub advisory database for java package (https://aquasecurity.github.io/trivy/v0.52/docs/scanner/vulnerability/#data-sources_1).

GitHub database use the following ranges:

If you sure that versions prior to 2.5.0 are vulnerable - please suggest changes on GitHub - https://github.com/advisories/GHSA-g5h3-w546-pj7f/improve

Regards, Dmitriy

3 replies

namandf Jun 11, 2024
Author

Thank you for the update @DmitriyLewen .
But maven repository does highlight it as a direct vulnerability https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator-autoconfigure/2.3.12.RELEASE

DmitriyLewen Jun 11, 2024
Maintainer

But maven repository does highlight it as a direct vulnerability

I'm not sure I understand how this is related.

It looks like GitHub has mistake. https://github.com/advisories/GHSA-g5h3-w546-pj7f/improve form allows you to indicate the required changes.
It will create PR.
if GitHub confirms its mistake - they will merge PR and update advisory.

namandf Jun 11, 2024
Author

I'm not sure I understand how this is related.

I mean the same resource version i.e spring-boot-actuator-autoconfigure, version: 2.3.12.RELEASE highlights [CVE-2023-20873] as a vulnerability.

Anyway, i'll go ahead and raise a PR.
Thanks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy does not detect CVE-2023-20873 #6901

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Trivy does not detect CVE-2023-20873 #6901

namandf Jun 10, 2024

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Operating System

Version

Checklist

Replies: 1 comment · 3 replies

DmitriyLewen Jun 11, 2024 Maintainer

namandf Jun 11, 2024 Author

DmitriyLewen Jun 11, 2024 Maintainer

namandf Jun 11, 2024 Author

namandf
Jun 10, 2024

Replies: 1 comment 3 replies

DmitriyLewen
Jun 11, 2024
Maintainer

namandf Jun 11, 2024
Author

DmitriyLewen Jun 11, 2024
Maintainer

namandf Jun 11, 2024
Author