Skip to content

ksa-finance-web-3.9.2.pom: 27 vulnerabilities (highest severity is: 10.0) reachable #52

Open
Open
ksa-finance-web-3.9.2.pom: 27 vulnerabilities (highest severity is: 10.0) reachable#52
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
bot
opened on Jan 8, 2025
Vulnerable Library - ksa-finance-web-3.9.2.pom

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ksa-finance-web version) Remediation Possible** Reachability
CVE-2022-22965 Critical 10.0 spring-beans-3.1.1.RELEASE.jar Transitive N/A*

Reachable
CVE-459065-580824 Critical 9.8 commons-beanutils-1.8.3.jar Transitive N/A*

Reachable
CVE-31589-137056 Critical 9.8 xwork-core-2.3.31.jar Transitive N/A*

Reachable
CVE-2016-1000031 Critical 9.8 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2022-23305 Critical 9.6 log4j-1.2.16.jar Transitive N/A*

Reachable
WS-2014-0034 High 7.5 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2023-26464 High 7.5 log4j-1.2.16.jar Transitive N/A*

Reachable
CVE-2023-24998 High 7.5 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2017-9804 High 7.5 xwork-core-2.3.31.jar Transitive N/A*

Reachable
CVE-2017-9787 High 7.5 xwork-core-2.3.31.jar Transitive N/A*

Reachable
CVE-2016-3092 High 7.5 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2019-10086 High 7.3 commons-beanutils-1.8.3.jar Transitive N/A*

Reachable
CVE-2014-0114 High 7.3 commons-beanutils-1.8.3.jar Transitive N/A*

Reachable
CVE-2014-0050 High 7.3 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2013-2186 High 7.3 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2023-20863 Medium 6.5 spring-expression-3.1.1.RELEASE.jar Transitive N/A*

Reachable
CVE-2023-20861 Medium 6.5 spring-expression-3.1.1.RELEASE.jar Transitive N/A*

Reachable
CVE-2022-22950 Medium 6.5 spring-expression-3.1.1.RELEASE.jar Transitive N/A*

Reachable
WS-2021-0174 Medium 5.3 spring-beans-3.1.1.RELEASE.jar Transitive N/A*

Reachable
CVE-2021-29425 Medium 4.7 commons-io-2.1.jar Transitive N/A*

Reachable
CVE-2013-0248 Medium 4.0 commons-fileupload-1.2.2.jar Transitive N/A*

Reachable
CVE-2020-9488 Low 3.7 log4j-1.2.16.jar Transitive N/A*

Reachable
CVE-2020-9493 Critical 9.8 log4j-1.2.16.jar Transitive N/A*

Unreachable
CVE-2019-17571 Critical 9.8 log4j-1.2.16.jar Transitive N/A*

Unreachable
CVE-2022-23307 High 8.8 log4j-1.2.16.jar Transitive N/A*

Unreachable
CVE-2022-23302 High 8.8 log4j-1.2.16.jar Transitive N/A*

Unreachable
CVE-2002-2010 Low 3.7 commons-codec-1.5.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-22965

Vulnerable Library - spring-beans-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-bd-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-finance-service-3.9.2.pom
      • ksa-finance-dao-3.9.2.pom
        • ksa-bd-dao-3.9.2.pom
          • ksa-core-3.9.2.pom
            • spring-context-3.1.1.RELEASE.jar
              • spring-aop-3.1.1.RELEASE.jar
                • spring-beans-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.dao.MybatisDaoTest (Application)
  -> org.springframework.context.support.ClassPathXmlApplicationContext (Extension)
   -> org.springframework.beans.factory.config.ConfigurableListableBeanFactory (Extension)
    -> org.springframework.beans.support.ResourceEditorRegistrar (Extension)
     -> ❌ org.springframework.beans.propertyeditors.InputStreamEditor (Vulnerable Component)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

CVE-459065-580824

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: http://commons.apache.org/beanutils/

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • ksa-security-service-3.9.2.pom
          • shiro-core-1.2.0.jar
            • commons-beanutils-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.RuntimeConfiguration (Application)
  -> org.apache.commons.configuration.PropertiesConfiguration (Extension)
   -> org.apache.commons.configuration.MultiFileHierarchicalConfiguration (Extension)
    -> org.apache.commons.beanutils.BeanUtils (Extension)
     -> org.apache.commons.beanutils.BeanUtilsBean (Extension)
      -> ❌ org.apache.commons.beanutils.converters.ByteConverter (Vulnerable Component)

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-459065-580824

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-31589-137056

Vulnerable Library - xwork-core-2.3.31.jar

Apache Struts 2

Library home page: http://struts.apache.org/xwork-core/

Path to dependency file: /ksa-web-root/ksa-bd-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • xwork-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.web.struts2.action.logistics.bookingnote.BookingNoteQueryAction (Application)
  -> com.opensymphony.xwork2.ActionContext (Extension)
   -> com.opensymphony.xwork2.mock.MockActionInvocation (Extension)
    -> com.opensymphony.xwork2.DefaultActionProxy (Extension)
     -> com.opensymphony.xwork2.ObjectFactory (Extension)
      -> com.opensymphony.xwork2.config.entities.InterceptorConfig (Extension)
       -> ❌ com.opensymphony.xwork2.config.entities.InterceptorConfig$Builder (Vulnerable Component)

Vulnerability Details

Created automatically by the test suite

Publish Date: 2010-06-07

URL: CVE-31589-137056

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2016-1000031

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/fileupload/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
   -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
    -> org.springframework.web.context.support.StaticWebApplicationContext (Extension)
     -> org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
      -> org.springframework.web.multipart.commons.CommonsMultipartFile (Extension)
       -> ❌ org.apache.commons.fileupload.disk.DiskFileItem (Vulnerable Component)

Vulnerability Details

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Publish Date: 2016-10-25

URL: CVE-2016-1000031

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Release Date: 2016-10-25

Fix Resolution: 1.3.3

CVE-2022-23305

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • slf4j-log4j12-1.6.1.jar
          • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.apache.log4j.jdbc.JDBCAppender (Application)
  -> org.apache.log4j.Logger (Extension)
   -> org.slf4j.impl.Log4jLoggerFactory (Extension)
    -> freemarker.log.SLF4JLoggerFactory (Extension)
    ...
      -> freemarker.ext.dom.ElementModel (Extension)
       -> freemarker.template.Template (Extension)
        -> ❌ com.ksa.freemarker.TemplateTest (Vulnerable Component)

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

WS-2014-0034

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/fileupload/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
   -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
    -> org.springframework.web.context.support.GenericWebApplicationContext (Extension)
     -> org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
      -> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)

Vulnerability Details

The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.

Publish Date: 2014-02-17

URL: WS-2014-0034

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2014-02-17

Fix Resolution: 1.4

CVE-2023-26464

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org/log4j/1.2/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • slf4j-log4j12-1.6.1.jar
          • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.apache.log4j.lf5.viewer.LogFactor5InputDialog$3 (Application)
  -> org.apache.log4j.lf5.viewer.LogFactor5InputDialog (Extension)
   -> org.apache.log4j.lf5.viewer.LogBrokerMonitor (Extension)
    -> freemarker.log.CommonsLoggingLoggerFactory$CommonsLoggingLogger (Extension)
    ...
      -> freemarker.core.NonUserDefinedDirectiveLikeException (Extension)
       -> freemarker.template.Template (Extension)
        -> ❌ com.ksa.freemarker.TemplateTest (Vulnerable Component)

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

CVE-2023-24998

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/fileupload/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
   -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
    -> org.springframework.web.context.support.GenericWebApplicationContext (Extension)
     -> org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
      -> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)

Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat.embed:tomcat-embed-core:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-util:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-catalina:8.5.85,9.0.71,10.1.5,11.0.0-M3

CVE-2017-9804

Vulnerable Library - xwork-core-2.3.31.jar

Apache Struts 2

Library home page: http://struts.apache.org/xwork-core/

Path to dependency file: /ksa-web-root/ksa-bd-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • xwork-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.web.struts2.views.freemarker.ShiroFreemarkerManager (Application)
  -> org.apache.struts2.views.freemarker.FreemarkerManager (Extension)
   -> org.apache.struts2.views.DefaultTagLibrary (Extension)
    -> org.apache.struts2.views.velocity.components.SubmitDirective (Extension)
     -> ❌ org.apache.struts2.components.Submit (Vulnerable Component)

Vulnerability Details

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

Publish Date: 2017-09-05

URL: CVE-2017-9804

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-09-05

Fix Resolution: org.apache.struts:struts2-core:2.3.34,org.apache.struts:struts2-core:2.5.13

CVE-2017-9787

Vulnerable Library - xwork-core-2.3.31.jar

Apache Struts 2

Library home page: http://struts.apache.org/xwork-core/

Path to dependency file: /ksa-web-root/ksa-bd-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • xwork-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.web.struts2.views.freemarker.ShiroFreemarkerManager (Application)
  -> org.apache.struts2.views.freemarker.FreemarkerManager (Extension)
   -> org.apache.struts2.views.DefaultTagLibrary (Extension)
    -> org.apache.struts2.components.Component (Extension)
    ...
      -> org.apache.struts2.dispatcher.Dispatcher (Extension)
       -> org.apache.struts2.interceptor.DateTextFieldInterceptor (Extension)
        -> ❌ org.apache.struts2.interceptor.DateTextFieldInterceptor$DateWord (Vulnerable Component)

Vulnerability Details

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Publish Date: 2017-07-13

URL: CVE-2017-9787

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-07-13

Fix Resolution: org.apache.struts:struts2-core:2.3.33,org.apache.struts:struts2-core:2.5.12

CVE-2016-3092

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/fileupload/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
   -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
    -> org.springframework.web.context.support.StaticWebApplicationContext (Extension)
    ...
      -> org.apache.commons.fileupload.FileUploadBase (Extension)
       -> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl (Extension)
        -> ❌ org.apache.commons.fileupload.MultipartStream (Vulnerable Component)

Vulnerability Details

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Publish Date: 2016-07-04

URL: CVE-2016-3092

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092

Release Date: 2016-07-04

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2

CVE-2019-10086

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: http://commons.apache.org/beanutils/

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • ksa-security-service-3.9.2.pom
          • shiro-core-1.2.0.jar
            • commons-beanutils-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.RuntimeConfiguration (Application)
  -> org.apache.commons.configuration.PropertiesConfiguration (Extension)
   -> org.apache.commons.configuration.DefaultConfigurationBuilder (Extension)
    -> org.apache.commons.configuration.beanutils.BeanHelper (Extension)
     -> org.apache.commons.beanutils.PropertyUtils (Extension)
      -> ❌ org.apache.commons.beanutils.PropertyUtilsBean (Vulnerable Component)

Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4

CVE-2014-0114

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: http://commons.apache.org/beanutils/

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • ksa-security-service-3.9.2.pom
          • shiro-core-1.2.0.jar
            • commons-beanutils-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.RuntimeConfiguration (Application)
  -> org.apache.commons.configuration.PropertiesConfiguration (Extension)
   -> org.apache.commons.configuration.DefaultConfigurationBuilder (Extension)
    -> org.apache.commons.configuration.beanutils.BeanHelper (Extension)
     -> org.apache.commons.beanutils.PropertyUtils (Extension)
      -> ❌ org.apache.commons.beanutils.PropertyUtilsBean (Vulnerable Component)

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5

CVE-2014-0050

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/fileupload/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
   -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
    -> org.springframework.web.context.support.StaticWebApplicationContext (Extension)
    ...
      -> org.apache.commons.fileupload.FileUploadBase (Extension)
       -> org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl (Extension)
        -> ❌ org.apache.commons.fileupload.MultipartStream (Vulnerable Component)

Vulnerability Details

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Publish Date: 2014-03-28

URL: CVE-2014-0050

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050

Release Date: 2014-03-28

Fix Resolution: 1.3.2

CVE-2013-2186

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: http://commons.apache.org/fileupload/

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-logistics-web-3.9.2.pom
      • ksa-security-web-3.9.2.pom
        • struts2-core-2.3.31.jar
          • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.context.web.SpringServiceContextListener (Application)
  -> org.springframework.web.context.ContextLoader (Extension)
   -> org.springframework.web.context.support.WebApplicationContextUtils (Extension)
    -> org.springframework.web.context.support.GenericWebApplicationContext (Extension)
     -> org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
      -> org.apache.commons.fileupload.FileUploadBase (Extension)
       -> ❌ org.apache.commons.fileupload.servlet.ServletRequestContext (Vulnerable Component)

Vulnerability Details

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Publish Date: 2013-10-28

URL: CVE-2013-2186

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186

Release Date: 2013-10-28

Fix Resolution: commons-fileupload:commons-fileupload:1.3.1

CVE-2023-20863

Vulnerable Library - spring-expression-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-root/ksa-finance-dao/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-finance-service-3.9.2.pom
      • ksa-finance-dao-3.9.2.pom
        • ksa-bd-dao-3.9.2.pom
          • ksa-core-3.9.2.pom
            • spring-context-3.1.1.RELEASE.jar
              • spring-expression-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.dao.MybatisDaoTest (Application)
  -> org.springframework.context.support.ClassPathXmlApplicationContext (Extension)
   -> org.springframework.context.support.AbstractXmlApplicationContext (Extension)
    -> org.springframework.context.support.AbstractRefreshableApplicationContext (Extension)
    ...
      -> org.springframework.context.expression.StandardBeanExpressionResolver (Extension)
       -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
        -> ❌ org.springframework.expression.spel.standard.InternalSpelExpressionParser (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8

CVE-2023-20861

Vulnerable Library - spring-expression-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-root/ksa-finance-dao/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.pom (Root Library)
    • ksa-finance-service-3.9.2.pom
      • ksa-finance-dao-3.9.2.pom
        • ksa-bd-dao-3.9.2.pom
          • ksa-core-3.9.2.pom
            • spring-context-3.1.1.RELEASE.jar
              • spring-expression-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: f3f88b40d6fb433c739a83504cd0dfad346a4cf2

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.ksa.dao.MybatisDaoTest (Application)
  -> org.springframework.context.support.ClassPathXmlApplicationContext (Extension)
   -> org.springframework.context.support.AbstractXmlApplicationContext (Extension)
    -> org.springframework.context.support.AbstractRefreshableApplicationContext (Extension)
    ...
      -> org.springframework.context.expression.StandardBeanExpressionResolver (Extension)
       -> org.springframework.expression.spel.support.StandardTypeLocator (Extension)
        -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions