jainhitesh9998/esignet

spring-boot-starter-validation-2.3.6.RELEASE.jar: 8 vulnerabilities (highest severity is: 6.5)

Opened this issue · 0 comments

Vulnerable Library - spring-boot-starter-validation-2.3.6.RELEASE.jar

Path to dependency file: /esignet-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.11.RELEASE/spring-expression-5.2.11.RELEASE.jar

Vulnerabilities

CVE             Severity  CVSS  Dependency                            Type        Fixed in (spring-boot-starter-validation version)  Remediation Possible**
CVE-2023-20863  Medium    6.5   spring-expression-5.2.11.RELEASE.jar  Transitive  2.4.0
CVE-2023-20861  Medium    6.5   spring-expression-5.2.11.RELEASE.jar  Transitive  2.4.0
CVE-2022-22950  Medium    6.5   spring-expression-5.2.11.RELEASE.jar  Transitive  2.4.0
CVE-2023-1932   Medium    6.1   hibernate-validator-6.1.6.Final.jar   Transitive  2.5.0
CVE-2022-22968  Medium    5.3   spring-context-5.2.11.RELEASE.jar     Transitive  2.4.0
CVE-2021-28170  Medium    5.3   jakarta.el-3.0.3.jar                  Transitive  N/A*
CVE-2024-38808  Medium    4.3   spring-expression-5.2.11.RELEASE.jar  Transitive  3.0.0
CVE-2024-38820  Low       3.1   spring-context-5.2.11.RELEASE.jar     Transitive  3.2.11

*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.

Details

CVE-2023-20863

Vulnerable Library - spring-expression-5.2.11.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /esignet-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.11.RELEASE/spring-expression-5.2.11.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.6.RELEASE.jar
      • spring-boot-2.3.6.RELEASE.jar
        • spring-context-5.2.11.RELEASE.jar
          • spring-expression-5.2.11.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8 (fixed in those versions and later), it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.2.24.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.4.0

Step up your Open Source Security Game with Mend here

CVE-2023-20861

Vulnerable Library - spring-expression-5.2.11.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /esignet-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.11.RELEASE/spring-expression-5.2.11.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.6.RELEASE.jar
      • spring-boot-2.3.6.RELEASE.jar
        • spring-context-5.2.11.RELEASE.jar
          • spring-expression-5.2.11.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.2.23.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.4.0

CVE-2022-22950

Vulnerable Library - spring-expression-5.2.11.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /esignet-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.11.RELEASE/spring-expression-5.2.11.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.6.RELEASE.jar
      • spring-boot-2.3.6.RELEASE.jar
        • spring-context-5.2.11.RELEASE.jar
          • spring-expression-5.2.11.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.4.0

CVE-2023-1932

Vulnerable Library - hibernate-validator-6.1.6.Final.jar

Hibernate's Jakarta Bean Validation reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /client-management-service-impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/validator/hibernate-validator/6.1.6.Final/hibernate-validator-6.1.6.Final.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • hibernate-validator-6.1.6.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can be bypassed by omitting the tag end (less-than sign). Browsers typically still render the invalid HTML, which leads to attacks like HTML injection and Cross-Site Scripting.

Publish Date: 2024-11-07

URL: CVE-2023-1932

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444

Release Date: 2023-04-07

Fix Resolution (org.hibernate.validator:hibernate-validator): 6.2.0.CR1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.5.0

CVE-2022-22968

Vulnerable Library - spring-context-5.2.11.RELEASE.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /binding-service-impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.2.11.RELEASE/spring-context-5.2.11.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.6.RELEASE.jar
      • spring-boot-2.3.6.RELEASE.jar
        • spring-context-5.2.11.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both the upper-case and lower-case form of the first character of the field, including the upper-case and lower-case form of the first character of every nested field within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.2.21.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 2.4.0

CVE-2021-28170

Vulnerable Library - jakarta.el-3.0.3.jar

Jakarta Expression Language provides a specification document, API, reference implementation and TCK that describes an expression language for Java applications.

Library home page: https://www.eclipse.org

Path to dependency file: /esignet-integration-api/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • jakarta.el-3.0.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Publish Date: 2021-05-26

URL: CVE-2021-28170

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-28170

Release Date: 2021-05-26

Fix Resolution: org.glassfish:jakarta.el:3.0.4, com.sun.el:el-ri:3.0.4

CVE-2024-38808

Vulnerable Library - spring-expression-5.2.11.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /esignet-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.11.RELEASE/spring-expression-5.2.11.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.6.RELEASE.jar
      • spring-boot-2.3.6.RELEASE.jar
        • spring-context-5.2.11.RELEASE.jar
          • spring-expression-5.2.11.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.

Specifically, an application is vulnerable when the following is true:

  • The application evaluates user-supplied SpEL expressions.

Publish Date: 2024-08-20

URL: CVE-2024-38808

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38808

Release Date: 2024-08-20

Fix Resolution (org.springframework:spring-expression): 5.3.39

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 3.0.0

CVE-2024-38820

Vulnerable Library - spring-context-5.2.11.RELEASE.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /binding-service-impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.2.11.RELEASE/spring-context-5.2.11.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-validation-2.3.6.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.6.RELEASE.jar
      • spring-boot-2.3.6.RELEASE.jar
        • spring-context-5.2.11.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some locale-dependent exceptions that could potentially result in fields not being protected as expected.

Publish Date: 2024-10-18

URL: CVE-2024-38820

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38820

Release Date: 2024-10-18

Fix Resolution (org.springframework:spring-context): 6.1.14

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-validation): 3.2.11