Skip to content

spring-boot-starter-web-2.3.1.RELEASE.jar: 39 vulnerabilities (highest severity is: 9.3) [main] (reachable) #60

Open
Open
spring-boot-starter-web-2.3.1.RELEASE.jar: 39 vulnerabilities (highest severity is: 9.3) [main] (reachable)#60
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 28, 2025
📂 Vulnerable Library - spring-boot-starter-web-2.3.1.RELEASE.jar

Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-starter-web/2.3.1.RELEASE/spring-boot-starter-web-2.3.1.RELEASE.jar

Partial results (24 findings) are displayed below due to a content size limitation in GitHub. To view information on the remaining findings, navigate to the Mend Application.

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2016-1000027 🟣 Critical 9.3 Not Defined 59.2% spring-web-5.2.7.RELEASE.jar Transitive N/A Unreachable
CVE-2020-5421 🟣 Critical 9.3 Not Defined 63.800003% spring-web-5.2.7.RELEASE.jar Transitive N/A Reachable
CVE-2022-22965 🟣 Critical 9.3 High 94.4% spring-beans-5.2.7.RELEASE.jar Transitive N/A Reachable
CVE-2020-13935 🔴 High 8.7 Not Defined 91.7% tomcat-embed-websocket-9.0.36.jar Transitive N/A Unreachable
CVE-2021-46877 🔴 High 8.7 Not Defined < 1% jackson-databind-2.11.0.jar Transitive N/A Reachable
CVE-2022-25857 🔴 High 8.7 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A Reachable
CVE-2022-42003 🔴 High 8.7 Not Defined < 1% jackson-databind-2.11.0.jar Transitive N/A Reachable
CVE-2022-42004 🔴 High 8.7 Not Defined < 1% jackson-databind-2.11.0.jar Transitive N/A Reachable
CVE-2023-20883 🔴 High 8.7 Not Defined < 1% spring-boot-autoconfigure-2.3.1.RELEASE.jar Transitive N/A Unreachable
CVE-2025-52999 🔴 High 8.7 Not Defined < 1% jackson-core-2.11.0.jar Transitive N/A Reachable
CVE-2021-22118 🔴 High 8.5 Not Defined < 1% spring-web-5.2.7.RELEASE.jar Transitive N/A Reachable
CVE-2018-1196 🔴 High 8.2 Not Defined < 1% spring-boot-2.3.1.RELEASE.jar Transitive N/A
CVE-2018-1271 🔴 High 8.2 Not Defined 91.2% spring-core-5.2.7.RELEASE.jar Transitive N/A
CVE-2023-6378 🔴 High 8.2 Not Defined < 1% logback-core-1.2.3.jar Transitive N/A
CVE-2021-42550 🔴 High 7.5 Not Defined 4.3% logback-core-1.2.3.jar Transitive N/A Reachable
CVE-2021-42550 🔴 High 7.5 Not Defined 4.3% logback-classic-1.2.3.jar Transitive N/A Reachable
CVE-2022-1471 🔴 High 7.4 Functional 93.8% snakeyaml-1.26.jar Transitive N/A Reachable
CVE-2018-1257 🔴 High 7.1 Not Defined 1.8% spring-core-5.2.7.RELEASE.jar Transitive N/A
CVE-2022-22950 🔴 High 7.1 Not Defined 4.1% spring-expression-5.2.7.RELEASE.jar Transitive N/A Reachable
CVE-2022-38749 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A Reachable
CVE-2022-38750 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A Reachable
CVE-2022-38751 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A Reachable
CVE-2022-38752 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A Reachable
CVE-2023-20861 🔴 High 7.1 Not Defined < 1% spring-expression-5.2.7.RELEASE.jar Transitive N/A Reachable

Details

🟣CVE-2016-1000027

Vulnerable Library - spring-web-5.2.7.RELEASE.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.7.RELEASE/spring-web-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • spring-web-5.2.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: Jan 02, 2020 12:00 AM

URL: CVE-2016-1000027

Threat Assessment

Exploit Maturity:Not Defined

EPSS:59.2%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: Jan 02, 2020 12:00 AM

Fix Resolution : org.springframework:spring-web:6.0.0

🟣CVE-2020-5421

Vulnerable Library - spring-web-5.2.7.RELEASE.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.7.RELEASE/spring-web-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • spring-web-5.2.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.controller.UserController (Application)
    - org.springframework.validation.support.BindingAwareModelMap (Extension)
        - org.springframework.validation.BindException (Extension)
            - org.springframework.validation.DataBinder (Extension)
                - org.springframework.validation.beanvalidation.OptionalValidatorFactoryBean (Extension)
                    - org.springframework.context.support.GenericApplicationContext (Extension)
                        - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                            - org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
                                - org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod$ConcurrentResultMethodParameter (Extension)
                                    - org.springframework.web.servlet.mvc.method.annotation.ReactiveTypeHandler (Extension)
                                        - org.springframework.web.accept.ContentNegotiationManager (Extension)
                                            - org.springframework.web.accept.PathExtensionContentNegotiationStrategy (Extension)
                                                -> ❌ org.springframework.web.util.UrlPathHelper (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: Sep 19, 2020 03:45 AM

URL: CVE-2020-5421

Threat Assessment

Exploit Maturity:Not Defined

EPSS:63.800003%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: Sep 19, 2020 03:45 AM

Fix Resolution : org.springframework:spring-web:4.3.29,5.0.19,5.1.18,5.2.9

🟣CVE-2022-22965

Vulnerable Library - spring-beans-5.2.7.RELEASE.jar

Spring Beans

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.2.7.RELEASE/spring-beans-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-2.3.1.RELEASE.jar
        • spring-context-5.2.7.RELEASE.jar
          • spring-aop-5.2.7.RELEASE.jar
            • spring-beans-5.2.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.SpringApplication (Extension)
        -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Converted from WS-2022-0107, on 2022-11-07.

Publish Date: Apr 01, 2022 10:17 PM

URL: CVE-2022-22965

Threat Assessment

Exploit Maturity:High

EPSS:94.4%

Score: 9.3

Suggested Fix

Type: Upgrade version

Origin: GHSA-36p3-wjmg-h94x

Release Date: Apr 01, 2022 10:17 PM

Fix Resolution : org.springframework:spring-webflux:5.2.20.RELEASE,org.springframework:spring-webflux:5.3.18,org.springframework:spring-webmvc:5.3.18,org.springframework:spring-webmvc:5.2.20.RELEASE,org.springframework:spring-beans:5.2.20.RELEASE,org.springframework.boot:spring-boot-starter-webflux:2.5.12,org.springframework.boot:spring-boot-starter-webflux:2.6.6,org.springframework:spring-beans:5.3.18,org.springframework.boot:spring-boot-starter-web:2.5.12,org.springframework.boot:spring-boot-starter-web:2.6.6

🔴CVE-2020-13935

Vulnerable Library - tomcat-embed-websocket-9.0.36.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/9.0.36/tomcat-embed-websocket-9.0.36.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-tomcat-2.3.1.RELEASE.jar
      • tomcat-embed-websocket-9.0.36.jar (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Publish Date: Jul 14, 2020 03:00 PM

URL: CVE-2020-13935

Threat Assessment

Exploit Maturity:Not Defined

EPSS:91.7%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2021-46877

Vulnerable Library - jackson-databind-2.11.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • jackson-databind-2.11.0.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
        - org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext (Extension)
            - org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
                - org.springframework.web.context.support.GenericWebApplicationContext (Extension)
                    - org.springframework.web.filter.FormContentFilter (Extension)
                        - org.springframework.http.converter.FormHttpMessageConverter (Extension)
                            - org.springframework.http.converter.StringHttpMessageConverter (Extension)
                                - org.springframework.http.converter.AbstractHttpMessageConverter$1 (Extension)
                                    - org.springframework.http.converter.cbor.MappingJackson2CborHttpMessageConverter (Extension)
                                        - org.springframework.http.converter.json.Jackson2ObjectMapperBuilder (Extension)
                                            - com.fasterxml.jackson.databind.JsonDeserializer (Extension)
                                                - com.fasterxml.jackson.databind.deser.impl.FieldProperty (Extension)
                                                    - com.fasterxml.jackson.databind.introspect.AnnotationIntrospectorPair (Extension)
                                                        - com.fasterxml.jackson.databind.ser.std.StdKeySerializers$StringKeySerializer (Extension)
                                                            - com.fasterxml.jackson.databind.node.ObjectNode (Extension)
                                                                - com.fasterxml.jackson.databind.node.BaseJsonNode (Extension)
                                                                    -> ❌ com.fasterxml.jackson.databind.node.NodeSerialization (Vulnerable Component)

Vulnerability Details

jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.

Publish Date: Mar 18, 2023 12:00 AM

URL: CVE-2021-46877

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-3x8x-79m2-3w2w

Release Date: Mar 18, 2023 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.12.6,com.fasterxml.jackson.core:jackson-databind:2.13.1

🔴CVE-2022-25857

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • snakeyaml-1.26.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
        - org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
            - org.springframework.beans.factory.config.ConfigurableListableBeanFactory (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory$1 (Extension)
                    - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                        - org.springframework.beans.factory.config.YamlMapFactoryBean (Extension)
                            - org.springframework.beans.factory.config.YamlProcessor (Extension)
                                -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: Aug 30, 2022 05:05 AM

URL: CVE-2022-25857

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-3mc7-4q67-w48m

Release Date: Aug 30, 2022 05:05 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-42003

Vulnerable Library - jackson-databind-2.11.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • jackson-databind-2.11.0.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.SpringApplication (Extension)
        - org.springframework.web.context.support.StandardServletEnvironment (Extension)
            - org.springframework.web.context.support.WebApplicationContextUtils (Extension)
                - org.springframework.web.context.support.AbstractRefreshableWebApplicationContext (Extension)
                    - org.springframework.web.filter.HttpPutFormContentFilter (Extension)
                        - org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter (Extension)
                            - org.springframework.http.converter.json.MappingJackson2HttpMessageConverter (Extension)
                                - com.fasterxml.jackson.databind.JavaType (Extension)
                                    - com.fasterxml.jackson.databind.type.TypeFactory (Extension)
                                        - com.fasterxml.jackson.databind.node.BaseJsonNode (Extension)
                                            - com.fasterxml.jackson.databind.exc.IgnoredPropertyException (Extension)
                                                - com.fasterxml.jackson.databind.deser.DefaultDeserializationContext (Extension)
                                                    -> ❌ com.fasterxml.jackson.databind.deser.std.StdDeserializer (Vulnerable Component)

Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users.

Publish Date: Oct 02, 2022 12:00 AM

URL: CVE-2022-42003

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-jjjh-jjxp-wpff

Release Date: Oct 02, 2022 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.13.4.2,com.fasterxml.jackson.core:jackson-databind:2.12.7.1

🔴CVE-2022-42004

Vulnerable Library - jackson-databind-2.11.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.11.0/jackson-databind-2.11.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • jackson-databind-2.11.0.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.SpringApplication (Extension)
        - org.springframework.boot.cloud.CloudFoundryVcapEnvironmentPostProcessor (Extension)
            - org.springframework.boot.json.JsonParserFactory (Extension)
                - org.springframework.boot.json.JacksonJsonParser (Extension)
                    - com.fasterxml.jackson.databind.ObjectMapper (Extension)
                        -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializer (Vulnerable Component)

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: Oct 02, 2022 12:00 AM

URL: CVE-2022-42004

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-rgv9-q543-rqg4

Release Date: Oct 02, 2022 12:00 AM

Fix Resolution : com.fasterxml.jackson.core:jackson-databind:2.12.7.1,com.fasterxml.jackson.core:jackson-databind:2.13.4

🔴CVE-2023-20883

Vulnerable Library - spring-boot-autoconfigure-2.3.1.RELEASE.jar

Spring Boot AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-autoconfigure/2.3.1.RELEASE/spring-boot-autoconfigure-2.3.1.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-autoconfigure-2.3.1.RELEASE.jar (Vulnerable Library)

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.

Publish Date: May 26, 2023 12:00 AM

URL: CVE-2023-20883

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-xf96-w227-r7c4

Release Date: May 26, 2023 12:00 AM

Fix Resolution : org.springframework.boot:spring-boot-autoconfigure:2.6.15,org.springframework.boot:spring-boot-autoconfigure:3.0.7,org.springframework.boot:spring-boot-autoconfigure:2.5.15,org.springframework.boot:spring-boot-autoconfigure:2.7.12

🔴CVE-2025-52999

Vulnerable Library - jackson-core-2.11.0.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: http://fasterxml.com/

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.11.0/jackson-core-2.11.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • jackson-databind-2.11.0.jar
        • jackson-core-2.11.0.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
        - org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext (Extension)
            - org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext (Extension)
                - org.springframework.web.context.support.GenericWebApplicationContext (Extension)
                    - org.springframework.web.filter.HttpPutFormContentFilter (Extension)
                        - org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter (Extension)
                            - org.springframework.http.converter.AbstractHttpMessageConverter$1 (Extension)
                                - org.springframework.http.converter.cbor.MappingJackson2CborHttpMessageConverter (Extension)
                                    - com.fasterxml.jackson.core.JsonFactory (Extension)
                                        - com.fasterxml.jackson.core.JsonParseException (Extension)
                                            -> ❌ com.fasterxml.jackson.core.base.ParserBase (Vulnerable Component)

Vulnerability Details

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Publish Date: Jun 25, 2025 05:02 PM

URL: CVE-2025-52999

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🔴CVE-2021-22118

Vulnerable Library - spring-web-5.2.7.RELEASE.jar

Spring Web

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.2.7.RELEASE/spring-web-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-json-2.3.1.RELEASE.jar
      • spring-web-5.2.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.builder.SpringApplicationBuilder (Extension)
        - org.springframework.beans.factory.support.BeanNameGenerator (Extension)
            - org.springframework.beans.factory.config.BeanDefinition (Extension)
                - org.springframework.beans.factory.xml.XmlBeanFactory (Extension)
                    - org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
                        - org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod$ConcurrentResultMethodParameter (Extension)
                            - org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod (Extension)
                                - org.springframework.web.method.support.InvocableHandlerMethod (Extension)
                                    - org.springframework.web.bind.support.WebDataBinderFactory (Extension)
                                        - org.springframework.web.bind.support.WebExchangeDataBinder (Extension)
                                            - org.springframework.web.server.DefaultServerWebExchangeBuilder$MutativeDecorator (Extension)
                                                - org.springframework.http.codec.multipart.SynchronossPartHttpMessageReader$AbstractSynchronossPart (Extension)
                                                    -> ❌ org.springframework.http.codec.multipart.SynchronossPartHttpMessageReader (Vulnerable Component)

Vulnerability Details

In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Publish Date: May 27, 2021 02:48 PM

URL: CVE-2021-22118

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-gfwj-fwqj-fp3v

Release Date: May 27, 2021 02:48 PM

Fix Resolution : org.springframework:spring-web:5.3.7

🔴CVE-2018-1196

Vulnerable Library - spring-boot-2.3.1.RELEASE.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/2.3.1.RELEASE/spring-boot-2.3.1.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-2.3.1.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot application that are not installed as a service, or are not using the embedded launch script are not susceptible.

Publish Date: Mar 19, 2018 06:00 PM

URL: CVE-2018-1196

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1196

Release Date: Mar 19, 2018 06:00 PM

Fix Resolution : 1.5.10.RELEASE

🔴CVE-2018-1271

Vulnerable Library - spring-core-5.2.7.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.7.RELEASE/spring-core-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-2.3.1.RELEASE.jar
        • spring-core-5.2.7.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.

Publish Date: Apr 06, 2018 01:00 PM

URL: CVE-2018-1271

Threat Assessment

Exploit Maturity:Not Defined

EPSS:91.2%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271

Release Date: Apr 06, 2018 01:00 PM

Fix Resolution : org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE

🔴CVE-2023-6378

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-starter-logging-2.3.1.RELEASE.jar
        • logback-classic-1.2.3.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: Nov 29, 2023 12:02 PM

URL: CVE-2023-6378

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-vmq6-5m68-f53m

Release Date: Nov 29, 2023 12:02 PM

Fix Resolution : ch.qos.logback:logback-core:1.2.13,ch.qos.logback:logback-classic:1.3.12,ch.qos.logback:logback-core:1.4.12,ch.qos.logback:logback-core:1.3.12,ch.qos.logback:logback-classic:1.4.12,ch.qos.logback:logback-classic:1.2.13

🔴CVE-2021-42550

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-starter-logging-2.3.1.RELEASE.jar
        • logback-classic-1.2.3.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.controller.UserController (Application)
    - org.springframework.validation.support.BindingAwareModelMap (Extension)
        - org.springframework.validation.DirectFieldBindingResult (Extension)
            - org.springframework.beans.ConfigurablePropertyAccessor (Extension)
                - org.springframework.beans.PropertyValue (Extension)
                    - org.springframework.beans.factory.support.AbstractBeanDefinition (Extension)
                        - org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory (Extension)
                            - org.springframework.beans.factory.annotation.QualifierAnnotationAutowireCandidateResolver (Extension)
                                - org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod$ConcurrentResultMethodParameter (Extension)
                                    - org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod (Extension)
                                        - org.springframework.web.method.support.InvocableHandlerMethod (Extension)
                                            - org.springframework.web.context.request.FacesWebRequest (Extension)
                                                - org.springframework.web.context.request.FacesRequestAttributes (Extension)
                                                    - org.apache.commons.logging.LogFactory (Extension)
                                                        - org.apache.commons.logging.LogAdapter (Extension)
                                                            - org.apache.commons.logging.LogAdapter$Slf4jAdapter (Extension)
                                                                - org.slf4j.LoggerFactory (Extension)
                                                                    - org.slf4j.impl.StaticLoggerBinder (Extension)
                                                                        - ch.qos.logback.classic.util.ContextInitializer (Extension)
                                                                            -> ❌ ch.qos.logback.core.util.OptionHelper (Vulnerable Component)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.

Publish Date: Dec 16, 2021 12:00 AM

URL: CVE-2021-42550

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.3%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-668q-qrv7-99fm

Release Date: Dec 16, 2021 12:00 AM

Fix Resolution : ch.qos.logback:logback-core:1.2.9

🔴CVE-2021-42550

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-starter-logging-2.3.1.RELEASE.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.controller.UserController (Application)
    - org.springframework.validation.support.BindingAwareModelMap (Extension)
        - org.springframework.validation.BeanPropertyBindingResult (Extension)
            - org.springframework.beans.PropertyAccessorFactory (Extension)
                - org.springframework.beans.BeanWrapperImpl (Extension)
                    - org.springframework.beans.PropertyEditorRegistrySupport (Extension)
                        - org.springframework.core.io.support.ResourceArrayPropertyEditor (Extension)
                            - org.apache.commons.logging.LogFactory (Extension)
                                - org.apache.commons.logging.LogAdapter (Extension)
                                    - org.apache.commons.logging.LogAdapter$Slf4jAdapter (Extension)
                                        - org.slf4j.LoggerFactory (Extension)
                                            - org.slf4j.impl.StaticLoggerBinder (Extension)
                                                - ch.qos.logback.classic.util.ContextSelectorStaticBinder (Extension)
                                                    -> ❌ ch.qos.logback.classic.selector.ContextJNDISelector (Vulnerable Component)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.

Publish Date: Dec 16, 2021 12:00 AM

URL: CVE-2021-42550

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.3%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-668q-qrv7-99fm

Release Date: Dec 16, 2021 12:00 AM

Fix Resolution : ch.qos.logback:logback-core:1.2.9

🔴CVE-2022-1471

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • snakeyaml-1.26.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.builder.SpringApplicationBuilder (Extension)
        - org.springframework.context.ApplicationContext (Extension)
            - org.springframework.beans.factory.config.AutowireCapableBeanFactory (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory$DependencyObjectProvider (Extension)
                    - org.springframework.beans.factory.xml.XmlBeanFactory (Extension)
                        - org.springframework.beans.factory.config.YamlPropertiesFactoryBean (Extension)
                            - org.yaml.snakeyaml.Yaml (Extension)
                                -> ❌ org.yaml.snakeyaml.constructor.CustomClassLoaderConstructor (Vulnerable Component)

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: Dec 01, 2022 10:47 AM

URL: CVE-2022-1471

Threat Assessment

Exploit Maturity:Functional

EPSS:93.8%

Score: 7.4

Suggested Fix

Type: Upgrade version

Origin: GHSA-mjmj-j48q-9wg2

Release Date: Dec 01, 2022 10:47 AM

Fix Resolution : org.yaml:snakeyaml:2.0

🔴CVE-2018-1257

Vulnerable Library - spring-core-5.2.7.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.7.RELEASE/spring-core-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-2.3.1.RELEASE.jar
        • spring-core-5.2.7.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.

Publish Date: May 11, 2018 08:00 PM

URL: CVE-2018-1257

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.8%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1257

Release Date: May 11, 2018 08:00 PM

Fix Resolution : 5.0.6,4.3.17

🔴CVE-2022-22950

Vulnerable Library - spring-expression-5.2.7.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.7.RELEASE/spring-expression-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-2.3.1.RELEASE.jar
        • spring-context-5.2.7.RELEASE.jar
          • spring-expression-5.2.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.web.servlet.support.SpringBootServletInitializer (Extension)
        - org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext (Extension)
            - org.springframework.context.annotation.AnnotationConfigUtils (Extension)
                - org.springframework.context.event.EventListenerMethodProcessor (Extension)
                    - org.springframework.context.event.EventExpressionEvaluator (Extension)
                        - org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
                            - org.springframework.expression.spel.standard.InternalSpelExpressionParser (Extension)
                                -> ❌ org.springframework.expression.spel.ast.ConstructorReference (Vulnerable Component)

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: Apr 01, 2022 10:17 PM

URL: CVE-2022-22950

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-558x-2xjg-6232

Release Date: Apr 01, 2022 10:17 PM

Fix Resolution : org.springframework:spring-expression:5.2.20.RELEASE,org.springframework:spring-expression:5.3.17

🔴CVE-2022-38749

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • snakeyaml-1.26.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
        - org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
            - org.springframework.beans.factory.config.ConfigurableListableBeanFactory (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory$1 (Extension)
                    - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                        - org.springframework.beans.factory.config.YamlMapFactoryBean (Extension)
                            - org.springframework.beans.factory.config.YamlProcessor (Extension)
                                -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38749

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-c4r9-r8fh-9vj2

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38750

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • snakeyaml-1.26.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
        - org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
            - org.springframework.beans.factory.config.ConfigurableListableBeanFactory (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory$StreamDependencyDescriptor (Extension)
                    - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                        - org.springframework.beans.factory.config.YamlPropertiesFactoryBean (Extension)
                            - org.yaml.snakeyaml.Yaml (Extension)
                                -> ❌ org.yaml.snakeyaml.composer.Composer (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38750

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhhw-99gj-p3c3

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38751

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • snakeyaml-1.26.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
        - org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
            - org.springframework.beans.factory.config.ConfigurableListableBeanFactory (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory$StreamDependencyDescriptor (Extension)
                    - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                        - org.springframework.beans.factory.config.YamlPropertiesFactoryBean (Extension)
                            - org.yaml.snakeyaml.Yaml (Extension)
                                -> ❌ org.yaml.snakeyaml.composer.Composer (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38751

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-98wm-3w3q-mw94

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38752

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • snakeyaml-1.26.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.builder.SpringApplicationBuilder (Extension)
        - org.springframework.beans.factory.support.BeanNameGenerator (Extension)
            - org.springframework.beans.factory.config.BeanDefinition (Extension)
                - org.springframework.beans.factory.support.DefaultListableBeanFactory (Extension)
                    - org.springframework.beans.factory.config.YamlPropertiesFactoryBean (Extension)
                        - org.yaml.snakeyaml.Yaml (Extension)
                            -> ❌ org.yaml.snakeyaml.reader.StreamReader (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38752

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.32

🔴CVE-2023-20861

Vulnerable Library - spring-expression-5.2.7.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /app/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.7.RELEASE/spring-expression-5.2.7.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.3.1.RELEASE.jar (Root Library)
    • spring-boot-starter-2.3.1.RELEASE.jar
      • spring-boot-2.3.1.RELEASE.jar
        • spring-context-5.2.7.RELEASE.jar
          • spring-expression-5.2.7.RELEASE.jar (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- com.veracode.verademo.Application (Application)
    - org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
        - org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
            - org.springframework.boot.context.properties.bind.Binder (Extension)
                - org.springframework.boot.context.properties.bind.validation.ValidationBindHandler (Extension)
                    - org.springframework.boot.context.properties.bind.validation.ValidationBindHandler$ValidationResult (Extension)
                        - org.springframework.validation.AbstractBindingResult (Extension)
                            - org.springframework.validation.beanvalidation.SpringValidatorAdapter$ViolationFieldError (Extension)
                                - org.springframework.validation.beanvalidation.LocalValidatorFactoryBean (Extension)
                                    - org.springframework.context.support.FileSystemXmlApplicationContext (Extension)
                                        - org.springframework.context.event.ApplicationListenerMethodAdapter (Extension)
                                            - org.springframework.context.event.EventExpressionEvaluator (Extension)
                                                - org.springframework.context.expression.MethodBasedEvaluationContext (Extension)
                                                    - org.springframework.expression.spel.support.StandardEvaluationContext (Extension)
                                                        - org.springframework.expression.spel.support.StandardTypeConverter (Extension)
                                                            -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: Mar 23, 2023 12:00 AM

URL: CVE-2023-20861

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-564r-hj7v-mcr5

Release Date: Mar 23, 2023 12:00 AM

Fix Resolution : org.springframework:spring-expression:5.3.26,org.springframework:spring-expression:6.0.7,org.springframework:spring-expression:5.2.23.RELEASE

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions