mixellent / fitbit-api-example-java Goto Github PK

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Publish Date: 2017-08-10

URL: CVE-2016-6797

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: https://github.com/apache/tomcat85/commit/d6b5600afe75e1086dd564344e1d085966e4237d

Release Date: 2016-08-22

Fix Resolution: Replace or update the following files: NamingContextListener.java, TestNamingContext.java, changelog.xml, ResourceLinkFactory.java

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Publish Date: 2017-04-17

URL: CVE-2017-5651

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Vulnerable Library - spring-webmvc-4.3.2.RELEASE.jar

path: /root/.m2/repository/org/springframework/spring-webmvc/4.3.2.RELEASE/spring-webmvc-4.3.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ spring-webmvc-4.3.2.RELEASE.jar (Vulnerable Library)

Vulnerability Details

OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of-bounds write error in the function FillColorRow1 in utils.cpp when reading an image file by using cv::imread.

Publish Date: 2017-08-07

URL: CVE-2017-12597

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: opencv/opencv@aacae20

Release Date: 2017-08-23

Fix Resolution: Replace or update the following files: grfmt_sunras.cpp, grfmt_jpeg.cpp, grfmt_pam.cpp, utils.hpp, grfmt_bmp.cpp, grfmt_exr.cpp, grfmt_jpeg2000.cpp, utils.cpp

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Publish Date: 2017-03-20

URL: CVE-2016-6816

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1397484

Fix Resolution: Upgrade to version tomcat 8.5.8, tomcat 6.0.48, tomcat 7.0.73, tomcat 8.0.39 or greater

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

Publish Date: 2018-05-16

URL: CVE-2018-8014

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: https://github.com/apache/tomcat70/commit/5877390a9605f56d9bd6859a54ccbfb16374a78b

Release Date: 2018-05-16

Fix Resolution: Replace or update the following files: LocalStrings.properties, TestCorsFilter.java, CorsFilter.java, changelog.xml, TesterFilterConfigs.java

Vulnerable Library - jackson-databind-2.8.1.jar

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@6799f8f

Release Date: 2018-02-11

Fix Resolution: Replace or update the following files: SubTypeValidator.java, IllegalTypesCheckTest.java, ComboPooledDataSource.java, VERSION

Vulnerable Library - jackson-databind-2.8.1.jar

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@038b471

Release Date: 2018-01-22

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Publish Date: 2017-08-10

URL: CVE-2016-0762

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - spring-web-4.3.2.RELEASE.jar

path: /root/.m2/repository/org/springframework/spring-web/4.3.2.RELEASE/spring-web-4.3.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ spring-web-4.3.2.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Publish Date: 2018-06-25

URL: CVE-2018-11039

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-11039

Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.7 4.3.x users should upgrade to 4.3.18 Older versions should upgrade to a supported branch There are no other mitigation steps necessary. This attack applies to applications that: Use the HiddenHttpMethodFilter (it is enabled by default in Spring Boot) Allow HTTP TRACE requests to be handled by the application server This attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST.

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Publish Date: 2017-04-17

URL: CVE-2017-5647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Vulnerable Library - spring-security-web-4.1.1.RELEASE.jar

path: /root/.m2/repository/org/springframework/security/spring-security-web/4.1.1.RELEASE/spring-security-web-4.1.1.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-security-1.4.0.RELEASE.jar (Root Library)
  • ❌ spring-security-web-4.1.1.RELEASE.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in Pivotal Spring Security before 3.2.10, 4.1.x before 4.1.4, and 4.2.x before 4.2.1. Spring Security does not consider URL path parameters when processing security constraints. By adding a URL path parameter with an encoded "/" to a request, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. The unexpected presence of path parameters can cause a constraint to be bypassed. Users of Apache Tomcat (all current versions) are not affected by this vulnerability since Tomcat follows the guidance previously provided by the Servlet Expert group and strips path parameters from the value returned by getContextPath(), getServletPath(), and getPathInfo(). Users of other Servlet containers based on Apache Tomcat may or may not be affected depending on whether or not the handling of path parameters has been modified. Users of IBM WebSphere Application Server 8.5.x are known to be affected. Users of other containers that implement the Servlet specification may be affected.

Publish Date: 2017-01-06

URL: CVE-2016-9879

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2016-9879

Release Date: 2017-12-31

Fix Resolution: Adopting one of the following mitigations will protect against this vulnerability. Use a Servlet container known not to include path parameters in the return values for getServletPath() and getPathInfo() Upgrading to Spring Security 3.2.10, 4.1.4 or 4.2.1 will reject the request with a RequestRejectedException if the presence of an encoded "/" is detected. Note: If you wish to disable this feature it can be disabled by setting the DefaultHttpFirewall.allowUrlEncodedSlash = true. However, disabling this feature will mean applications are vulnerable (in containers that return path parameters in getServletPath() or getPathInfo()).

Vulnerable Library - spring-security-oauth2-2.0.10.RELEASE.jar

path: 2/repository/org/springframework/security/oauth/spring-security-oauth2/2.0.10.RELEASE/spring-security-oauth2-2.0.10.RELEASE.jar

Dependency Hierarchy:

• ❌ spring-security-oauth2-2.0.10.RELEASE.jar (Vulnerable Library)

Vulnerability Details

When processing authorization requests using the whitelabel views in Spring Security OAuth 2.0.0 to 2.0.9 and 1.0.0 to 1.0.5, the response_type parameter value was executed as Spring SpEL which enabled a malicious user to trigger remote code execution via the crafting of the value for response_type.

Publish Date: 2017-05-25

URL: CVE-2016-4977

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2016-4977

Release Date: 2017-12-31

Fix Resolution: Users of affected versions should apply the following mitigation: Users of 1.0.x should not use whitelabel views for approval and error pages Users of 2.0.x should either not use whitelabel views for approval and error pages or upgrade to 2.0.10 or later

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Publish Date: 2017-08-10

URL: CVE-2016-6794

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037143

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

The vendor advisories are available at:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - jackson-databind-2.8.1.jar

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@bb45fb1

Release Date: 2017-12-19

Fix Resolution: Replace or update the following files: AbstractApplicationContext.java, AbstractPointcutAdvisor.java, BogusApplicationContext.java, SubTypeValidator.java, BogusPointcutAdvisor.java, IllegalTypesCheckTest.java

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.

Publish Date: 2017-08-10

URL: CVE-2016-6817

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1037330

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix (8.5.8, 9.0.0.M13).

The vendor advisories are available at:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Publish Date: 2017-04-17

URL: CVE-2017-5648

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Publish Date: 2016-07-19

URL: CVE-2016-5388

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: https://github.com/apache/tomcat85/commit/1b91e91194a095ea922f96d1dccddf6fbc446e54

Release Date: 2016-08-19

Fix Resolution: Replace or update the following files: web.xml, CGIServlet.java, cgi-howto.xml, changelog.xml

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Publish Date: 2017-08-11

URL: CVE-2017-7675

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: https://github.com/apache/tomcat85/commit/dacb030b85fe0e0b3da87469e23d0f31252fdede

Release Date: 2017-05-24

Fix Resolution: Replace or update the following files: TestStream.java, Stream.java, changelog.xml

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Publish Date: 2017-04-17

URL: CVE-2017-5650

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Vulnerable Library - spring-webmvc-4.3.2.RELEASE.jar

path: /root/.m2/repository/org/springframework/spring-webmvc/4.3.2.RELEASE/spring-webmvc-4.3.2.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ spring-webmvc-4.3.2.RELEASE.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.

Publish Date: 2016-12-29

URL: CVE-2016-9878

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2016-9878

Release Date: 2017-12-31

Fix Resolution: Users of affected versions should apply the following mitigation: 4.3.x users should upgrade to 4.3.5 4.2.x users should upgrade to 4.2.9 3.2.x users should upgrade to 3.2.18 Note that few applications are likely to use the . It has been generally superseded since version 3.0 (circa 2009) by the and related classes that have been in use by default and provide much more advanced capabilities, see ?? in the reference documentation. The is now deprecated in 3.2.x and 4.x and is removed altogether starting with version 5.

Vulnerable Library - logback-classic-1.1.7.jar

path: /root/.m2/repository/ch/qos/logback/logback-classic/1.1.7/logback-classic-1.1.7.jar

Library home page: http://logback.qos.ch/logback-classic

Dependency Hierarchy:

• spring-boot-starter-actuator-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-1.4.0.RELEASE.jar
    • spring-boot-starter-logging-1.4.0.RELEASE.jar
      • ❌ logback-classic-1.1.7.jar (Vulnerable Library)

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: victims/victims-cve-db@94745e0

Release Date: 2017-03-15

Fix Resolution: Replace or update the following file: 5929.yaml

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Publish Date: 2017-10-04

URL: CVE-2017-12617

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: apache/tomcat@b7e0435

Release Date: 2017-09-20

Fix Resolution: Replace or update the following files: AbstractTestResourceSet.java, changelog.xml, DirResourceSet.java

Vulnerable Library - jackson-databind-2.8.1.jar

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525

Fix Resolution: Upgrade to version jackson-databind 2.8.9, jackson-databind 2.9.0 or greater

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Publish Date: 2018-06-25

URL: CVE-2018-11040

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-11040

Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.7. 4.3.x users should upgrade to 4.3.18. Older versions should upgrade to a supported branch, or otherwise set MappingJacksonJsonView?s jsonpParameterNames property to an empty set. Applications that do require JSONP support will need to explicitly configure the jsonpParameterNames property of MappingJacksonJsonView following the upgrade. It is recommended that applications switch to using CORS instead of JSONP to enable cross-domain requests. JSONP support in the Spring Framework is deprecated as of 5.0.7 and 4.3.18 and will be removed in 5.1.

Vulnerable Library - commons-compress-1.9.jar

path: /root/.m2/repository/org/apache/commons/commons-compress/1.9/commons-compress-1.9.jar

Library home page: http://commons.apache.org/proper/commons-compress/

Dependency Hierarchy:

• webjars-locator-0.32.jar (Root Library)
  • webjars-locator-core-0.30.jar
    • ❌ commons-compress-1.9.jar (Vulnerable Library)

Vulnerability Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-08-16

URL: CVE-2018-11771

CVSS 2 Score Details (3.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041503

Fix Resolution: The vendor has issued a fix (1.18).

The vendor advisory is available at:

https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Publish Date: 2017-08-10

URL: CVE-2016-8745

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: https://github.com/apache/tomcat70/commit/143bb466cf96a89e791b7db5626055ea819dad89

Release Date: 2017-01-05

Fix Resolution: Replace or update the following files: NioEndpoint.java, changelog.xml

Vulnerability Details

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Publish Date: 2018-03-16

URL: CVE-2018-1199

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-1199

Fix Resolution: Users of affected versions should apply the following mitigation: Spring Security 5.0.x users should update to 5.0.1 4.2.x users should update to 4.2.4 4.1.x users should update to 4.1.5 Spring Framework 5.0.x users should update to 5.0.3 4.3.x users should update to 4.3.14 As a general precaution, users are encouraged to separate public and private resources. For example, separating static resources and mapping them to /resources/public/** and /resources/private/** is preferred to having one common root with mixed public and private resource content underneath.

Vulnerable Library - jackson-databind-2.8.1.jar

path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.1/jackson-databind-2.8.1.jar

Library home page: http://github.com/FasterXML/jackson

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.1.jar (Vulnerable Library)

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@e865a7a#diff-98084d808198119d550a9211e128a16f

Release Date: 2017-12-12

Fix Resolution: Replace or update the following files: IllegalTypesCheckTest.java, VERSION, BeanDeserializerFactory.java

Vulnerable Library - commons-codec-1.10.jar

path: /root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Library home page: http://commons.apache.org/proper/commons-codec/

Dependency Hierarchy:

• spring-security-oauth2-2.0.10.RELEASE.jar (Root Library)
  • ❌ commons-codec-1.10.jar (Vulnerable Library)

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available

Vulnerable Library - spring-core-4.3.2.RELEASE.jar

path: /root/.m2/repository/org/springframework/spring-core/4.3.2.RELEASE/spring-core-4.3.2.RELEASE.jar

Dependency Hierarchy:

• spring-security-oauth2-2.0.10.RELEASE.jar (Root Library)
  • ❌ spring-core-4.3.2.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-1272

Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.5 4.3.x users should upgrade to 4.3.15 There are no other mitigation steps necessary.

Vulnerable Library - tomcat-embed-core-8.5.4.jar

path: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.4.0.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)

Vulnerability Details

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Publish Date: 2017-08-11

URL: CVE-2017-7674

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1480618

Fix Resolution: Upgrade to version tomcat 7.0.79, tomcat 8.0.45, tomcat 8.5.16 or greater