📂 Vulnerable Library - spring-boot-starter-web-2.6.1.jar
Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-starter-web/2.6.1/145ac0cfb81982608ef0d19e32699c0eeeb3c2ab/spring-boot-starter-web-2.6.1.jar
Partial results (13 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-22965 | 🟣 Critical | 9.3 | High | 94.4% | spring-beans-5.3.13.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2020-36518 | 🔴 High | 8.7 | Not Defined | < 1% | jackson-databind-2.13.0.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2021-46877 | 🔴 High | 8.7 | Not Defined | < 1% | jackson-databind-2.13.0.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2022-42003 | 🔴 High | 8.7 | Not Defined | < 1% | jackson-databind-2.13.0.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2022-42004 | 🔴 High | 8.7 | Not Defined | < 1% | jackson-databind-2.13.0.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2022-45143 | 🔴 High | 8.7 | Not Defined | < 1% | tomcat-embed-core-9.0.55.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2023-20860 | 🔴 High | 8.7 | Not Defined | 63.300003% | spring-webmvc-5.3.13.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2023-24998 | 🔴 High | 8.7 | Not Defined | 37.7% | tomcat-embed-core-9.0.55.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2025-48988 | 🔴 High | 8.7 | Not Defined | < 1% | tomcat-embed-core-9.0.55.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2025-48989 | 🔴 High | 8.7 | Not Defined | < 1% | tomcat-embed-core-9.0.55.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2025-52999 | 🔴 High | 8.7 | Not Defined | < 1% | jackson-core-2.13.0.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2018-1271 | 🔴 High | 8.2 | Not Defined | 91.2% | spring-core-5.3.13.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2025-41242 | 🔴 High | 8.2 | Not Defined | < 1% | spring-webmvc-5.3.13.jar | Transitive | N/A | ❌ | Reachable |
Details
🟣 CVE-2022-22965
Vulnerable Library - spring-beans-5.3.13.jar
Spring Beans
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.13/1d90c96b287253ec371260c35fbbea719c24bad6/spring-beans-5.3.13.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-webmvc-5.3.13.jar
    - spring-context-5.3.13.jar
      - ❌ spring-beans-5.3.13.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.SpringApplication (Extension)
-> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.
Publish Date: Apr 01, 2022 10:17 PM
URL: CVE-2022-22965
Threat Assessment
Exploit Maturity: High
EPSS: 94.4%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-36p3-wjmg-h94x
Release Date: Apr 01, 2022 10:17 PM
Fix Resolution: org.springframework:spring-webflux:5.2.20.RELEASE, org.springframework:spring-webflux:5.3.18, org.springframework:spring-webmvc:5.3.18, org.springframework:spring-webmvc:5.2.20.RELEASE, org.springframework:spring-beans:5.2.20.RELEASE, org.springframework.boot:spring-boot-starter-webflux:2.5.12, org.springframework.boot:spring-boot-starter-webflux:2.6.6, org.springframework:spring-beans:5.3.18, org.springframework.boot:spring-boot-starter-web:2.5.12, org.springframework.boot:spring-boot-starter-web:2.6.6
🔴 CVE-2020-36518
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-json-2.6.1.jar
    - ❌ jackson-databind-2.13.0.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
- org.springframework.boot.context.properties.bind.Binder (Extension)
- org.springframework.boot.context.config.ConfigDataEnvironmentContributors$InactiveSourceChecker (Extension)
- org.springframework.boot.context.config.ConfigDataEnvironmentContributors (Extension)
- org.springframework.boot.ConfigurableBootstrapContext (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
- org.springframework.boot.context.logging.LoggingApplicationListener (Extension)
- org.springframework.boot.web.reactive.filter.OrderedHiddenHttpMethodFilter (Extension)
- org.springframework.web.filter.reactive.HiddenHttpMethodFilter (Extension)
- org.springframework.web.server.ServerWebExchangeDecorator (Extension)
- org.springframework.web.context.support.XmlWebApplicationContext (Extension)
- org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.test.web.servlet.setup.StubWebApplicationContext$StubBeanFactory (Extension)
- org.springframework.test.context.testng.AbstractTestNGSpringContextTests (Extension)
- org.springframework.test.context.web.ServletTestExecutionListener (Extension)
- org.springframework.test.web.servlet.htmlunit.HtmlUnitRequestBuilder$HtmlUnitMockHttpServletRequest (Extension)
- org.springframework.test.web.servlet.htmlunit.HtmlUnitRequestBuilder (Extension)
- org.springframework.test.web.servlet.htmlunit.MockMvcWebConnection (Extension)
- org.springframework.test.web.servlet.client.MockMvcWebTestClient$1 (Extension)
- org.springframework.test.web.servlet.client.MockMvcWebTestClient (Extension)
- org.springframework.test.web.servlet.client.StandaloneMockMvcSpec (Extension)
- org.springframework.test.web.servlet.setup.StandaloneMockMvcBuilder (Extension)
- org.springframework.web.servlet.resource.ResourceUrlProvider (Extension)
- org.springframework.web.servlet.resource.ResourceHttpRequestHandler (Extension)
- org.springframework.http.converter.ResourceHttpMessageConverter (Extension)
- org.springframework.http.converter.FormHttpMessageConverter$MultipartHttpOutputMessage (Extension)
- org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter (Extension)
- org.springframework.http.converter.xml.MappingJackson2XmlHttpMessageConverter (Extension)
- org.springframework.http.converter.json.Jackson2ObjectMapperBuilder (Extension)
- com.fasterxml.jackson.databind.JsonSerializer (Extension)
- com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter (Extension)
- com.fasterxml.jackson.databind.ser.std.StdKeySerializers$StringKeySerializer (Extension)
- com.fasterxml.jackson.databind.deser.impl.MergingSettableBeanProperty (Extension)
-> ❌ com.fasterxml.jackson.databind.deser.std.UntypedObjectDeserializer$Vanilla (Vulnerable Component)
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: Mar 11, 2022 12:00 AM
URL: CVE-2020-36518
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-57j2-w4cx-62h2
Release Date: Mar 11, 2022 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.2.1, com.fasterxml.jackson.core:jackson-databind:2.12.6.1
🔴 CVE-2021-46877
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-json-2.6.1.jar
    - ❌ jackson-databind-2.13.0.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
- org.springframework.boot.context.properties.bind.Binder (Extension)
- org.springframework.boot.context.properties.ConfigurationPropertiesBinder$ConfigurationPropertiesBindHandler (Extension)
- org.springframework.boot.context.properties.ConfigurationPropertiesBinder (Extension)
- org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
- org.springframework.web.context.support.GenericWebApplicationContext (Extension)
- org.springframework.web.filter.FormContentFilter (Extension)
- org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter (Extension)
- org.springframework.http.converter.json.MappingJackson2HttpMessageConverter (Extension)
- org.springframework.http.converter.json.Jackson2ObjectMapperBuilder (Extension)
- com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder (Extension)
- com.fasterxml.jackson.databind.type.CollectionType (Extension)
- com.fasterxml.jackson.databind.util.TokenBuffer (Extension)
- com.fasterxml.jackson.databind.node.BaseJsonNode (Extension)
-> ❌ com.fasterxml.jackson.databind.node.NodeSerialization (Vulnerable Component)
Vulnerability Details
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Publish Date: Mar 18, 2023 12:00 AM
URL: CVE-2021-46877
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3x8x-79m2-3w2w
Release Date: Mar 18, 2023 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, com.fasterxml.jackson.core:jackson-databind:2.13.1
🔴 CVE-2022-42003
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-json-2.6.1.jar
    - ❌ jackson-databind-2.13.0.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.SpringApplication (Extension)
- org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.test.web.servlet.setup.StubWebApplicationContext$StubBeanFactory (Extension)
- org.springframework.test.context.junit4.AbstractTransactionalJUnit4SpringContextTests (Extension)
- org.springframework.http.converter.ResourceHttpMessageConverter$2 (Extension)
- org.springframework.http.converter.ResourceHttpMessageConverter (Extension)
- org.springframework.http.converter.AbstractHttpMessageConverter$1 (Extension)
- org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter (Extension)
- com.fasterxml.jackson.databind.ObjectMapper (Extension)
-> ❌ com.fasterxml.jackson.databind.deser.std.StdDeserializer (Vulnerable Component)
Vulnerability Details
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users.
Publish Date: Oct 02, 2022 12:00 AM
URL: CVE-2022-42003
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-jjjh-jjxp-wpff
Release Date: Oct 02, 2022 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4.2, com.fasterxml.jackson.core:jackson-databind:2.12.7.1
🔴 CVE-2022-42004
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-json-2.6.1.jar
    - ❌ jackson-databind-2.13.0.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.SpringApplication (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
- org.springframework.boot.context.logging.LoggingApplicationListener (Extension)
- org.springframework.boot.logging.log4j2.Log4J2LoggingSystem (Extension)
- org.apache.logging.log4j.core.config.Configuration (Extension)
- org.apache.logging.log4j.core.appender.mom.kafka.KafkaAppender (Extension)
- org.apache.logging.log4j.core.layout.SerializedLayout (Extension)
- org.apache.logging.log4j.core.layout.AbstractLayout (Extension)
- org.apache.logging.log4j.core.layout.AbstractJacksonLayout$Builder (Extension)
- org.apache.logging.log4j.core.layout.AbstractJacksonLayout (Extension)
- com.fasterxml.jackson.databind.ObjectWriter (Extension)
- com.fasterxml.jackson.databind.jsonFormatVisitors.JsonFormatVisitorWrapper$Base (Extension)
- com.fasterxml.jackson.databind.jsonFormatVisitors.JsonObjectFormatVisitor (Extension)
- com.fasterxml.jackson.databind.deser.impl.MergingSettableBeanProperty (Extension)
-> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializer (Vulnerable Component)
Vulnerability Details
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: Oct 02, 2022 12:00 AM
URL: CVE-2022-42004
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-rgv9-q543-rqg4
Release Date: Oct 02, 2022 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1, com.fasterxml.jackson.core:jackson-databind:2.13.4
🔴 CVE-2022-45143
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-tomcat-2.6.1.jar
    - tomcat-embed-websocket-9.0.55.jar
      - ❌ tomcat-embed-core-9.0.55.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.context.annotation.ComponentScan (Extension)
- org.springframework.context.annotation.ScopeMetadataResolver (Extension)
- org.springframework.beans.factory.config.BeanDefinition (Extension)
- org.springframework.beans.factory.xml.XmlBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod$ConcurrentResultMethodParameter (Extension)
- org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod (Extension)
- org.springframework.web.method.support.InvocableHandlerMethod (Extension)
- org.springframework.web.method.annotation.InitBinderDataBinderFactory (Extension)
- org.springframework.web.bind.support.WebExchangeDataBinder (Extension)
- org.springframework.http.server.reactive.TomcatHttpHandlerAdapter$TomcatServerHttpRequest (Extension)
- org.apache.catalina.connector.RequestFacade (Extension)
- org.apache.catalina.connector.Connector (Extension)
- org.apache.catalina.core.AprLifecycleListener (Extension)
-> ❌ org.apache.catalina.valves.JsonErrorReportValve (Vulnerable Component)
Vulnerability Details
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. After conducting further research, Mend has determined that versions 10.0.x of org.apache.tomcat:tomcat-catalina are vulnerable to CVE-2022-45143.
Publish Date: Jan 03, 2023 06:12 PM
URL: CVE-2022-45143
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-rq2w-37h9-vg94
Release Date: Jan 03, 2023 06:12 PM
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:10.1.2, org.apache.tomcat.embed:tomcat-embed-core:9.0.69, org.apache.tomcat:tomcat-util:8.5.84, org.apache.tomcat:tomcat-util:9.0.69, org.apache.tomcat:tomcat-catalina:10.1.2, org.apache.tomcat.embed:tomcat-embed-core:8.5.84
🔴 CVE-2023-20860
Vulnerable Library - spring-webmvc-5.3.13.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.13/cea31c85fa84dbd9f8df14a3ca62ab57c25cabe4/spring-webmvc-5.3.13.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - ❌ spring-webmvc-5.3.13.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.SpringApplication (Extension)
- org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.test.web.servlet.setup.StubWebApplicationContext$StubBeanFactory (Extension)
- org.springframework.test.context.junit4.AbstractTransactionalJUnit4SpringContextTests (Extension)
- org.springframework.web.servlet.function.ResourceHandlerFunction$HeadMethodResource (Extension)
- org.springframework.web.servlet.function.ResourceHandlerFunction (Extension)
- org.springframework.web.servlet.function.DefaultEntityResponseBuilder$CompletionStageEntityResponse (Extension)
- org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor$1 (Extension)
- org.springframework.web.servlet.mvc.method.annotation.AbstractMessageConverterMethodProcessor (Extension)
-> ❌ org.springframework.web.servlet.handler.PathPatternMatchableHandlerMapping (Vulnerable Component)
Vulnerability Details
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Publish Date: Mar 27, 2023 12:00 AM
URL: CVE-2023-20860
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 63.300003%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴 CVE-2023-24998
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-tomcat-2.6.1.jar
    - tomcat-embed-websocket-9.0.55.jar
      - ❌ tomcat-embed-core-9.0.55.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
- org.springframework.boot.context.properties.bind.Binder (Extension)
- org.springframework.boot.context.properties.ConfigurationPropertiesBinder$ConfigurationPropertiesBindHandler (Extension)
- org.springframework.boot.context.properties.ConfigurationPropertiesBinder (Extension)
- org.springframework.boot.context.properties.ConfigurationPropertiesJsr303Validator (Extension)
- org.springframework.boot.context.properties.ConfigurationPropertiesJsr303Validator$Delegate (Extension)
- org.springframework.validation.beanvalidation.LocalValidatorFactoryBean (Extension)
- org.springframework.context.support.GenericApplicationContext (Extension)
- org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.web.method.annotation.ModelAttributeMethodProcessor$FieldAwareConstructorParameter (Extension)
- org.springframework.web.method.annotation.ModelAttributeMethodProcessor (Extension)
- org.springframework.web.bind.support.WebDataBinderFactory (Extension)
- org.springframework.web.bind.support.WebExchangeDataBinder (Extension)
- org.springframework.web.server.DefaultServerWebExchangeBuilder$MutativeDecorator (Extension)
- org.springframework.http.server.reactive.TomcatHttpHandlerAdapter$TomcatServerHttpResponse (Extension)
- org.apache.coyote.Response (Extension)
- org.apache.coyote.http2.Http2OutputBuffer (Extension)
- org.apache.coyote.http2.Stream (Extension)
- org.apache.coyote.http2.Stream$StreamInputBuffer (Extension)
- org.apache.coyote.http11.Http11InputBuffer (Extension)
- org.apache.tomcat.util.net.Nio2Endpoint$Nio2SocketWrapper (Extension)
- org.apache.coyote.http2.Http2AsyncParser$PrefaceCompletionHandler (Extension)
- org.apache.tomcat.util.net.AprEndpoint (Extension)
- org.apache.catalina.mbeans.JmxRemoteLifecycleListener (Extension)
- org.apache.catalina.realm.RealmBase (Extension)
- org.apache.catalina.connector.Request (Extension)
-> ❌ org.apache.tomcat.util.http.ServerCookie (Vulnerable Component)
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Publish Date: Feb 20, 2023 03:57 PM
URL: CVE-2023-24998
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 37.7%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hfrx-6qgj-fp6c
Release Date: Feb 20, 2023 03:57 PM
Fix Resolution: commons-fileupload:commons-fileupload:1.5, org.apache.tomcat.embed:tomcat-embed-core:9.0.71, org.apache.tomcat:tomcat-coyote:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:10.1.5, org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:8.5.88, org.apache.tomcat:tomcat-coyote:8.5.88, org.apache.tomcat:tomcat-coyote:10.1.5, org.apache.tomcat:tomcat-coyote:9.0.71
🔴 CVE-2025-48988
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-tomcat-2.6.1.jar
    - tomcat-embed-websocket-9.0.55.jar
      - ❌ tomcat-embed-core-9.0.55.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.SpringApplication (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
- org.springframework.boot.context.logging.LoggingApplicationListener (Extension)
- org.springframework.boot.web.reactive.filter.OrderedWebFilter (Extension)
- org.springframework.web.server.WebFilter (Extension)
- org.springframework.web.server.ServerWebExchangeDecorator (Extension)
- org.springframework.http.server.reactive.TomcatHttpHandlerAdapter$TomcatServerHttpResponse (Extension)
- org.apache.catalina.connector.Response (Extension)
- org.apache.catalina.manager.DummyProxySession (Extension)
- org.apache.catalina.authenticator.SingleSignOnListener (Extension)
- org.apache.catalina.authenticator.NonLoginAuthenticator (Extension)
- org.apache.catalina.core.ThreadLocalLeakPreventionListener (Extension)
- org.apache.catalina.Server (Extension)
- org.apache.catalina.deploy.NamingResourcesImpl (Extension)
- org.apache.catalina.mbeans.MBeanUtils (Extension)
-> ❌ org.apache.catalina.users.DataSourceUserDatabase (Vulnerable Component)
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 16, 2025 02:13 PM
URL: CVE-2025-48988
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴 CVE-2025-48989
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-tomcat-2.6.1.jar
    - tomcat-embed-websocket-9.0.55.jar
      - ❌ tomcat-embed-core-9.0.55.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.context.annotation.ComponentScan (Extension)
- org.springframework.context.annotation.AnnotationScopeMetadataResolver (Extension)
- org.springframework.beans.factory.annotation.AnnotatedBeanDefinition (Extension)
- org.springframework.beans.MutablePropertyValues (Extension)
- org.springframework.beans.PropertyValue (Extension)
- org.springframework.beans.factory.support.AbstractBeanDefinition (Extension)
- org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.web.method.annotation.ModelAttributeMethodProcessor$FieldAwareConstructorParameter (Extension)
- org.springframework.web.method.annotation.ModelAttributeMethodProcessor (Extension)
- org.springframework.web.bind.support.WebDataBinderFactory (Extension)
- org.springframework.web.bind.support.WebExchangeDataBinder (Extension)
- org.springframework.http.server.reactive.TomcatHttpHandlerAdapter$TomcatServerHttpRequest (Extension)
- org.apache.catalina.connector.CoyoteInputStream (Extension)
- org.apache.catalina.connector.InputBuffer (Extension)
- org.apache.coyote.AbstractProtocol$RecycledProcessors (Extension)
- org.apache.coyote.AbstractProtocol (Extension)
- org.apache.coyote.http11.upgrade.UpgradeProcessorExternal (Extension)
- org.apache.coyote.http11.upgrade.UpgradeServletInputStream (Extension)
- org.apache.catalina.Context (Extension)
- org.apache.catalina.authenticator.AuthenticatorBase (Extension)
- org.apache.catalina.filters.CorsFilter (Extension)
-> ❌ org.apache.catalina.filters.CorsFilter$CORSRequestType (Vulnerable Component)
Vulnerability Details
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Publish Date: Aug 13, 2025 12:11 PM
URL: CVE-2025-48989
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution :
🔴 CVE-2025-52999
Vulnerable Library - jackson-core-2.13.0.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.13.0/e957ec5442966e69cef543927bdc80e5426968bb/jackson-core-2.13.0.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
  - spring-boot-starter-json-2.6.1.jar
    - jackson-databind-2.13.0.jar
      - ❌ jackson-core-2.13.0.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.SpringApplication (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
- org.springframework.boot.context.logging.LoggingApplicationListener (Extension)
- org.springframework.boot.web.servlet.filter.OrderedFormContentFilter (Extension)
- org.springframework.web.filter.FormContentFilter (Extension)
- org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter (Extension)
- org.springframework.http.converter.xml.MappingJackson2XmlHttpMessageConverter (Extension)
- org.springframework.http.converter.json.AbstractJackson2HttpMessageConverter (Extension)
- com.fasterxml.jackson.databind.ser.FilterProvider (Extension)
- com.fasterxml.jackson.databind.ser.impl.SimpleBeanPropertyFilter (Extension)
- com.fasterxml.jackson.databind.util.TokenBuffer (Extension)
-> ❌ com.fasterxml.jackson.core.JsonStreamContext (Vulnerable Component)
Vulnerability Details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Publish Date: Jun 25, 2025 05:02 PM
URL: CVE-2025-52999
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2018-1271
Vulnerable Library - spring-core-5.3.13.jar
Spring Core
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.13/d2a6c3372dd337e08144f9f49f386b8ec7a8080d/spring-core-5.3.13.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationPackage (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationPackages (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationPackages$BasePackagesBeanDefinition (Extension)
- org.springframework.beans.factory.support.GenericBeanDefinition (Extension)
- org.springframework.beans.factory.support.AbstractBeanDefinition (Extension)
- org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.context.support.GenericApplicationContext$ClassDerivedBeanDefinition (Extension)
- org.springframework.context.support.GenericApplicationContext (Extension)
- org.springframework.context.support.AbstractApplicationContext (Extension)
- org.springframework.scripting.support.ScriptFactoryPostProcessor (Extension)
- org.springframework.aop.framework.ProxyFactory (Extension)
- org.springframework.aop.framework.CglibAopProxy (Extension)
- org.springframework.cglib.proxy.Enhancer (Extension)
-> ❌ org.springframework.cglib.proxy.CallbackInfo (Vulnerable Component)
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
Publish Date: Apr 06, 2018 01:00 PM
URL: CVE-2018-1271
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 91.2%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271
Release Date: Apr 06, 2018 01:00 PM
Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE, org.springframework:spring-webmvc:4.3.15.RELEASE, 5.0.5.RELEASE
🔴CVE-2025-41242
Vulnerable Library - spring-webmvc-5.3.13.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.13/cea31c85fa84dbd9f8df14a3ca62ab57c25cabe4/spring-webmvc-5.3.13.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
- ❌ spring-webmvc-5.3.13.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- fr.christophetd.log4shell.vulnerableapp.VulnerableAppApplication (Application)
- org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
- org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
- org.springframework.boot.context.properties.bind.Binder (Extension)
- org.springframework.boot.context.config.ConfigDataEnvironmentContributors$InactiveSourceChecker (Extension)
- org.springframework.boot.context.config.ConfigDataEnvironmentContributors (Extension)
- org.springframework.boot.ConfigurableBootstrapContext (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
- org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
- org.springframework.boot.ApplicationContextFactory (Extension)
- org.springframework.boot.web.reactive.context.AnnotationConfigReactiveWebServerApplicationContext (Extension)
- org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
- org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
- org.springframework.test.web.servlet.setup.StubWebApplicationContext$StubBeanFactory (Extension)
- org.springframework.test.context.junit4.AbstractTransactionalJUnit4SpringContextTests (Extension)
- org.springframework.web.servlet.function.ResourceHandlerFunction$HeadMethodResource (Extension)
- org.springframework.web.servlet.function.ResourceHandlerFunction (Extension)
-> ❌ org.springframework.web.servlet.function.DefaultEntityResponseBuilder$PublisherEntityResponse (Vulnerable Component)
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
Publish Date: Aug 18, 2025 08:47 AM
URL: CVE-2025-41242
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
Findings
Details
🟣CVE-2022-22965
Vulnerable Library - spring-beans-5.3.13.jar
Spring Beans
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.13/1d90c96b287253ec371260c35fbbea719c24bad6/spring-beans-5.3.13.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.
Publish Date: Apr 01, 2022 10:17 PM
URL: CVE-2022-22965
Threat Assessment
Exploit Maturity: High
EPSS: 94.4%
Score: 9.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-36p3-wjmg-h94x
Release Date: Apr 01, 2022 10:17 PM
Fix Resolution: org.springframework:spring-webflux:5.2.20.RELEASE, org.springframework:spring-webflux:5.3.18, org.springframework:spring-webmvc:5.3.18, org.springframework:spring-webmvc:5.2.20.RELEASE, org.springframework:spring-beans:5.2.20.RELEASE, org.springframework.boot:spring-boot-starter-webflux:2.5.12, org.springframework.boot:spring-boot-starter-webflux:2.6.6, org.springframework:spring-beans:5.3.18, org.springframework.boot:spring-boot-starter-web:2.5.12, org.springframework.boot:spring-boot-starter-web:2.6.6
🔴CVE-2020-36518
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: Mar 11, 2022 12:00 AM
URL: CVE-2020-36518
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-57j2-w4cx-62h2
Release Date: Mar 11, 2022 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.2.1, com.fasterxml.jackson.core:jackson-databind:2.12.6.1
🔴CVE-2021-46877
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
Publish Date: Mar 18, 2023 12:00 AM
URL: CVE-2021-46877
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-3x8x-79m2-3w2w
Release Date: Mar 18, 2023 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, com.fasterxml.jackson.core:jackson-databind:2.13.1
🔴CVE-2022-42003
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users.
Publish Date: Oct 02, 2022 12:00 AM
URL: CVE-2022-42003
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-jjjh-jjxp-wpff
Release Date: Oct 02, 2022 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4.2, com.fasterxml.jackson.core:jackson-databind:2.12.7.1
🔴CVE-2022-42004
Vulnerable Library - jackson-databind-2.13.0.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: Oct 02, 2022 12:00 AM
URL: CVE-2022-42004
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-rgv9-q543-rqg4
Release Date: Oct 02, 2022 12:00 AM
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1, com.fasterxml.jackson.core:jackson-databind:2.13.4
🔴CVE-2022-45143
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. After conducting further research, Mend has determined that versions 10.0.x of org.apache.tomcat:tomcat-catalina are vulnerable to CVE-2022-45143.
Publish Date: Jan 03, 2023 06:12 PM
URL: CVE-2022-45143
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-rq2w-37h9-vg94
Release Date: Jan 03, 2023 06:12 PM
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:10.1.2, org.apache.tomcat.embed:tomcat-embed-core:9.0.69, org.apache.tomcat:tomcat-util:8.5.84, org.apache.tomcat:tomcat-util:9.0.69, org.apache.tomcat:tomcat-catalina:10.1.2, org.apache.tomcat.embed:tomcat-embed-core:8.5.84
🔴CVE-2023-20860
Vulnerable Library - spring-webmvc-5.3.13.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.13/cea31c85fa84dbd9f8df14a3ca62ab57c25cabe4/spring-webmvc-5.3.13.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
Publish Date: Mar 27, 2023 12:00 AM
URL: CVE-2023-20860
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 63.300003%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2023-24998
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Publish Date: Feb 20, 2023 03:57 PM
URL: CVE-2023-24998
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 37.7%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-hfrx-6qgj-fp6c
Release Date: Feb 20, 2023 03:57 PM
Fix Resolution: commons-fileupload:commons-fileupload:1.5, org.apache.tomcat.embed:tomcat-embed-core:9.0.71, org.apache.tomcat:tomcat-coyote:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:10.1.5, org.apache.tomcat.embed:tomcat-embed-core:11.0.0-M5, org.apache.tomcat.embed:tomcat-embed-core:8.5.88, org.apache.tomcat:tomcat-coyote:8.5.88, org.apache.tomcat:tomcat-coyote:10.1.5, org.apache.tomcat:tomcat-coyote:9.0.71
🔴CVE-2025-48988
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 16, 2025 02:13 PM
URL: CVE-2025-48988
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2025-48989
Vulnerable Library - tomcat-embed-core-9.0.55.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Publish Date: Aug 13, 2025 12:11 PM
URL: CVE-2025-48989
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2025-52999
Vulnerable Library - jackson-core-2.13.0.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Library home page: http://fasterxml.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.13.0/e957ec5442966e69cef543927bdc80e5426968bb/jackson-core-2.13.0.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.
Publish Date: Jun 25, 2025 05:02 PM
URL: CVE-2025-52999
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2018-1271
Vulnerable Library - spring-core-5.3.13.jar
Spring Core
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.13/d2a6c3372dd337e08144f9f49f386b8ec7a8080d/spring-core-5.3.13.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.6.1.jar (Root Library)
- spring-boot-starter-test-2.6.1.jar (Root Library)
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
Publish Date: Apr 06, 2018 01:00 PM
URL: CVE-2018-1271
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 91.2%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271
Release Date: Apr 06, 2018 01:00 PM
Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE, org.springframework:spring-webmvc:4.3.15.RELEASE, 5.0.5.RELEASE
🔴CVE-2025-41242
Vulnerable Library - spring-webmvc-5.3.13.jar
Spring Web MVC
Library home page: https://spring.io/projects/spring-framework
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.13/cea31c85fa84dbd9f8df14a3ca62ab57c25cabe4/spring-webmvc-5.3.13.jar
Dependency Hierarchy:
Reachability Analysis
This vulnerability is potentially reachable:
Vulnerability Details
Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:
We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application.
Publish Date: Aug 18, 2025 08:47 AM
URL: CVE-2025-41242
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.2
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution: