
gitsecure auto-remediation #94

Open. Wants to merge 1 commit into base: nadgowdas-patch-5
Conversation

nadgowdas (Owner)
GitSecure Vulnerability Report

| Control ID | Section | Description |
| --- | --- | --- |
| RA-5 | Risk Assessment | Vulnerability Scanning |
| CA-7 | Security Assessment and Authorization | Continuous Monitoring |
| SA-12 | System and Services Acquisition | Supply Chain Protection |
| SI-2 | System and Information Integrity | Flaw Remediation |
| CM-4 | Configuration Management | Security Impact Analysis |
| CA-2 | Security Assessment and Authorization | Security Assessments |

For Dockerfile: Dockerfile, Stage: stage-0

✅ OS Packages Safe
✅ Pip Packages Safe
❌ Node Packages Safe
❌ Java Packages Safe

Detailed Package Analysis

OS Packages

Python Packages

Node Packages
Package Name: Version:

CVEs

Java Packages
Package Name: org.apache.tomcat:tomcat
Version: 7.0.98

CVEs

CVE ID: CVE-2020-1935
Severity: MODERATE
Fixed in Version: 7.0.100
Description: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVE ID: GHSA-qxf4-chvg-4r8r
Severity: MODERATE
Fixed in Version: 7.0.100
Description: In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVE ID: CVE-2019-17569
Severity: LOW
Fixed in Version: 7.0.100
Description: The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.

CVE ID: GHSA-767j-jfh2-jvrc
Severity: LOW
Fixed in Version: 7.0.100
Description: The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
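As an added example (not GitSecure's own code and not part of this PR), the Python below shows the triage an auto-remediation step has to get right for the finding above: it takes the advisory sentences and the "Fixed in Version" value exactly as the report states them, decides whether org.apache.tomcat:tomcat 7.0.98 falls inside each advisory's affected ranges (including the milestone ordering needed for 9.0.0.M1), picks the lowest fixed release on the same branch, and rewrites a constructed pom.xml dependency to it. The function names, the "A to B" range grammar and the pom fragment are assumptions of this example, and only the 7.0.100 fix listed in the report is fed in.

```python
"""Triage one GitSecure-style finding and compute the remediation bump.

Added example, not GitSecure's code. Advisory text and the fixed version are
taken from the report; function names, range grammar and the pom fragment are
assumptions of this example.
"""
import re
from typing import Optional

_VERSION_RE = r"\d+\.\d+\.\d+(?:\.M\d+)?"


def parse_version(v: str) -> tuple:
    """Split 'major.minor.patch[.Mn]' into a sortable tuple.

    A milestone (Tomcat's 9.0.0.M1) sorts before the final release of the
    same number: (0, n) for milestone n, (1, 0) for a final release.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch), tail)


def affected_ranges(description: str) -> list:
    """Pull every inclusive 'A to B' range out of an advisory sentence."""
    return re.findall(rf"({_VERSION_RE}) to ({_VERSION_RE})", description)


def is_affected(version: str, description: str) -> bool:
    """True if version falls inside any range stated in the advisory text."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in affected_ranges(description))


def pick_fix(version: str, fixed_versions: list) -> Optional[str]:
    """Lowest fixed release on the same major.minor branch that is newer than
    the installed version; None if the report lists none for that branch."""
    v = parse_version(version)
    same_branch = [f for f in fixed_versions
                   if parse_version(f)[:2] == v[:2] and parse_version(f) > v]
    return min(same_branch, key=parse_version) if same_branch else None


def bump_maven_version(pom: str, group: str, artifact: str, new_version: str) -> str:
    """Rewrite the <version> of exactly one <dependency> in a pom.xml string.

    Regex on purpose: the file stays byte-identical apart from the version,
    which keeps the auto-remediation diff reviewable.
    """
    pattern = re.compile(
        rf"(<dependency>\s*<groupId>{re.escape(group)}</groupId>\s*"
        rf"<artifactId>{re.escape(artifact)}</artifactId>\s*<version>)([^<]+)(</version>)"
    )
    new_pom, n = pattern.subn(rf"\g<1>{new_version}\g<3>", pom)
    if n != 1:
        raise ValueError(f"expected exactly one {group}:{artifact} dependency, found {n}")
    return new_pom


# Advisory sentences as they appear in the report above.
CVE_2020_1935 = ("In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and "
                 "7.0.0 to 7.0.99 the HTTP header parsing code used an approach "
                 "to end-of-line parsing that allowed some invalid HTTP headers "
                 "to be parsed as valid.")
CVE_2019_17569 = ("The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, "
                  "8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression.")
REPORTED_FIXES = ["7.0.100"]  # the report's "Fixed in Version" value

# Constructed pom.xml fragment; not taken from the repository under review.
SAMPLE_POM = """<dependencies>
  <dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat</artifactId>
    <version>7.0.98</version>
  </dependency>
</dependencies>
"""


def remediate(version: str = "7.0.98") -> dict:
    """Run the triage for the report's finding and return what a bot would act on."""
    findings = {name: is_affected(version, text)
                for name, text in (("CVE-2020-1935", CVE_2020_1935),
                                   ("CVE-2019-17569", CVE_2019_17569))}
    fix = pick_fix(version, REPORTED_FIXES) if any(findings.values()) else None
    pom = (bump_maven_version(SAMPLE_POM, "org.apache.tomcat", "tomcat", fix)
           if fix else SAMPLE_POM)
    return {"affected": findings, "fix": fix, "pom": pom}


if __name__ == "__main__":
    result = remediate()
    print(result["affected"], "->", result["fix"])
    print(result["pom"])
```

Running it reports both advisories as matching 7.0.98 and rewrites the dependency to 7.0.100; the same check against 7.0.100 matches neither range, which is the post-bump verification the PR's auto-remediation needs before it opens a pull request.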
