mixellent / demo-app-master Goto Github PK

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Release Date: 2018-02-26

Fix Resolution: 2.8.11.1,2.9.5

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Publish Date: 2018-05-16

URL: CVE-2018-8014

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-8014

Release Date: 2019-04-08

Fix Resolution: Replace or update the following files: 7.0.89, 8.0.53, 8.5.32, 9.0.9

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /demo-app-master/node_modules/debug/package.json

Dependency Hierarchy:

• ❌ debug-2.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/534

Release Date: 2017-09-27

Fix Resolution: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Publish Date: 2017-08-10

URL: CVE-2016-6797

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037145

Fix Resolution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

The vendor advisories are available at:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7525

Release Date: 2018-02-06

Fix Resolution: 2.6.7.1,2.7.9.1,2.8.9

Vulnerable Libraries - github.com/opencontainers/runc-v0.1.1

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

Publish Date: 2017-01-31

URL: CVE-2016-9962

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201701-34

Release Date: 2017-01-12

Fix Resolution: All runC users should upgrade to the latest version >= runc-1.0.0_rc2-r2

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: https://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Publish Date: 2017-03-20

URL: CVE-2016-6816

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037332

Fix Resolution: The vendor has issued a fix (6.0.48, 7.0.73, 8.0.39, 8.5.8, 9.0.0.M13).

The vendor advisories are available at:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 0b7bec33bd9f35bad827cec783c1cec88ec4d59e

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@2235894

Release Date: 2017-12-19

Fix Resolution: Replace or update the following files: SubTypeValidator.java, BeanDeserializerFactory.java

Vulnerable Library - spring-web-4.3.2.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/spring-web/4.3.2.RELEASE/spring-web-4.3.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ spring-web-4.3.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Publish Date: 2018-06-25

URL: CVE-2018-11039

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11039

Release Date: 2018-06-25

Fix Resolution: 5.0.7,4.3.18

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/mime/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • send-0.13.1.tgz
    • ❌ mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2018-02-06

Fix Resolution: 2.8.10,2.9.1

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Publish Date: 2017-04-17

URL: CVE-2017-5647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5647

Release Date: 2019-04-08

Fix Resolution: 6.0.53,7.0.77,8.0.43,8.5.13,9.0.0.M19

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 0b7bec33bd9f35bad827cec783c1cec88ec4d59e

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

Vulnerable Library - mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/mime/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • send-0.13.1.tgz
    • ❌ mime-1.3.4.tgz (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Publish Date: 2017-08-11

URL: CVE-2017-7674

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7674

Fix Resolution: Upgrade to version tomcat 7.0.79, tomcat 8.0.45, tomcat 8.5.16 or greater

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Publish Date: 2017-10-04

URL: CVE-2017-12617

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617

Release Date: 2017-10-04

Fix Resolution: 9.0.1,8.5.23,8.0.47,7.0.82

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Publish Date: 2017-04-17

URL: CVE-2017-5650

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1038217

Fix Resolution: The vendor has issued a fix (8.5.13, 9.0.0.M19).

The vendor advisory is available at:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - spring-core-4.3.2.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/spring-core/4.3.2.RELEASE/spring-core-4.3.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-1.4.0.RELEASE.jar
    • ❌ spring-core-4.3.2.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272

Release Date: 2018-04-06

Fix Resolution: v4.3.15.RELEASE,v5.0.5.RELEASE

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Publish Date: 2017-08-10

URL: CVE-2016-6794

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037143

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

The vendor advisories are available at:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Publish Date: 2016-07-19

URL: CVE-2016-5388

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1036331

Fix Resolution: The vendor has provided instructions for several options to mitigate affected applications. The patch is available in the vendor's advisory.

The vendor's advisory is available at:

https://www.apache.org/security/asf-httpoxy-response.txt

Vulnerable Library - jackson-databind-2.8.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2032

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 0b7bec33bd9f35bad827cec783c1cec88ec4d59e

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerable Libraries - spring-web-4.3.2.RELEASE.jar, spring-webmvc-4.3.2.RELEASE.jar

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Publish Date: 2018-06-25

URL: CVE-2018-11040

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11040

Release Date: 2018-06-25

Fix Resolution: 5.0.7,4.3.18

Vulnerable Libraries - ms-0.7.2.tgz, ms-0.7.1.tgz

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.

Publish Date: 2017-08-10

URL: CVE-2016-6817

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037330

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix (8.5.8, 9.0.0.M13).

The vendor advisories are available at:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Publish Date: 2019-04-10

URL: CVE-2019-0199

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199

Release Date: 2019-04-10

Fix Resolution: 8.5.38,9.0.14

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Publish Date: 2017-04-17

URL: CVE-2017-5651

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1038219

Fix Resolution: The vendor has issued a fix (8.5.13, 9.0.0.M19).

The vendor advisories are available at:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Publish Date: 2017-08-10

URL: CVE-2016-0762

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3E

Release Date: 2017-08-10

Fix Resolution: 9.0.0.M10, 8.0.37,8.5.5, 7.0.72, 6.0.46

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Publish Date: 2017-04-17

URL: CVE-2017-5648

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1038220

Fix Resolution: The vendor has issued a fix (7.0.76, 8.0.42, 8.5.12, 9.0.0.M18).

The vendor advisories are available at:

http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Libraries - github.com/opencontainers/runc-v0.1.1

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.

Publish Date: 2016-10-28

URL: CVE-2016-8867

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/opencontainers/runc/blob/v1.0.0-rc3/libcontainer/system/proc.go

Release Date: 2016-10-28

Fix Resolution: runc - v1.0.0-rc3

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Publish Date: 2017-08-10

URL: CVE-2016-8745

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037432

Fix Resolution: The vendor has issued a fix (6.0.49, 7.0.74, and 8.0.40 [pending]; 8.5.9, 9.0.0.M15).

The vendor advisories are available at:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 0b7bec33bd9f35bad827cec783c1cec88ec4d59e

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerable Library - negotiator-0.5.3.tgz

HTTP content negotiation

Library home page: http://registry.npmjs.org/negotiator/-/negotiator-0.5.3.tgz

Path to dependency file: /demo-app-master/package.json

Path to vulnerable library: /tmp/git/demo-app-master/node_modules/negotiator/package.json

Dependency Hierarchy:

• express-4.13.4.tgz (Root Library)
  • accepts-1.2.13.tgz
    • ❌ negotiator-0.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 0b7bec33bd9f35bad827cec783c1cec88ec4d59e

Vulnerability Details

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Publish Date: 2018-05-31

URL: CVE-2016-10539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/106

Release Date: 2016-06-16

Fix Resolution: Upgrade to at least version 0.6.1

Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the acceptsLanguages function call in your application will tell you if you are using this functionality.

Vulnerable Library - tomcat-embed-core-8.5.4.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /demo-app-master/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Found in HEAD commit: 36bced415c2afa8e05045e2eb1e9c10507f085a4

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Publish Date: 2017-08-11

URL: CVE-2017-7675

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: https://github.com/apache/tomcat85/commit/dacb030b85fe0e0b3da87469e23d0f31252fdede

Release Date: 2017-05-24

Fix Resolution: Replace or update the following files: TestStream.java, Stream.java, changelog.xml