spring-boot-starter-web-2.6.1.jar: 31 vulnerabilities (highest severity is: 9.8) #4

@staging-whitesource-for-github-com

Description

Vulnerable Library - spring-boot-starter-web-2.6.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.13.0/e957ec5442966e69cef543927bdc80e5426968bb/jackson-core-2.13.0.jar

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2022-22965 | Critical | 9.8 | detected in multiple dependencies | Transitive | N/A* | | |
| CVE-2025-55754 | Critical | 9.6 | tomcat-embed-core-9.0.55.jar | Transitive | 3.0.0 | | |
| CVE-2022-1471 | High | 8.3 | snakeyaml-1.29.jar | Transitive | N/A* | | |
| CVE-2025-55752 | High | 7.5 | tomcat-embed-core-9.0.55.jar | Transitive | 3.0.0 | | |
| CVE-2025-52999 | High | 7.5 | jackson-core-2.13.0.jar | Transitive | 3.1.0 | | |
| CVE-2025-48989 | High | 7.5 | tomcat-embed-core-9.0.55.jar | Transitive | N/A* | | |
| CVE-2025-48988 | High | 7.5 | tomcat-embed-core-9.0.55.jar | Transitive | N/A* | | |
| CVE-2022-42252 | High | 7.5 | tomcat-embed-core-9.0.55.jar | Transitive | N/A* | | |
| CVE-2022-42004 | High | 7.5 | jackson-databind-2.13.0.jar | Transitive | N/A* | | |
| CVE-2022-42003 | High | 7.5 | jackson-databind-2.13.0.jar | Transitive | N/A* | | |
| CVE-2020-36518 | High | 7.5 | jackson-databind-2.13.0.jar | Transitive | N/A* | | |
| CVE-2022-23181 | High | 7.0 | tomcat-embed-core-9.0.55.jar | Transitive | 2.6.4 | | |
| CVE-2021-42550 | Medium | 6.6 | logback-classic-1.2.7.jar | Transitive | N/A* | | |
| CVE-2025-49125 | Medium | 6.5 | tomcat-embed-core-9.0.55.jar | Transitive | N/A* | | |
| CVE-2022-38750 | Medium | 6.5 | snakeyaml-1.29.jar | Transitive | N/A* | | |
| CVE-2022-22950 | Medium | 6.5 | spring-expression-5.3.13.jar | Transitive | N/A* | | |
| CVE-2018-1257 | Medium | 6.5 | spring-core-5.3.13.jar | Transitive | N/A* | | |
| CVE-2025-49124 | Medium | 6.3 | tomcat-embed-core-9.0.55.jar | Transitive | N/A* | | |
| WS-2021-0616 | Medium | 5.9 | jackson-databind-2.13.0.jar | Transitive | N/A* | | |
| CVE-2025-41242 | Medium | 5.9 | spring-webmvc-5.3.13.jar | Transitive | N/A* | | |
| CVE-2018-1271 | Medium | 5.9 | spring-core-5.3.13.jar | Transitive | N/A* | | |
| CVE-2018-1196 | Medium | 5.9 | spring-boot-2.6.1.jar | Transitive | N/A* | | |
| CVE-2025-61795 | Medium | 5.3 | tomcat-embed-core-9.0.55.jar | Transitive | 3.0.0 | | |
| CVE-2024-38828 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | | |
| CVE-2024-38809 | Medium | 5.3 | spring-web-5.3.13.jar | Transitive | N/A* | | |
| CVE-2022-22970 | Medium | 5.3 | detected in multiple dependencies | Transitive | N/A* | | |
| CVE-2026-1225 | Medium | 5.0 | logback-core-1.2.7.jar | Transitive | N/A* | | |
| CVE-2021-22060 | Medium | 4.3 | spring-web-5.3.13.jar | Transitive | N/A* | | |
| CVE-2021-43980 | Low | 3.7 | tomcat-embed-core-9.0.55.jar | Transitive | N/A* | | |
| CVE-2025-22233 | Low | 3.1 | spring-context-5.3.13.jar | Transitive | N/A* | | |
| CVE-2024-38820 | Low | 3.1 | spring-web-5.3.13.jar | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-22965

Vulnerable Libraries - spring-webmvc-5.3.13.jar, spring-boot-starter-web-2.6.1.jar, spring-beans-5.3.13.jar

spring-webmvc-5.3.13.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.13/cea31c85fa84dbd9f8df14a3ca62ab57c25cabe4/spring-webmvc-5.3.13.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-webmvc-5.3.13.jar (Vulnerable Library)

spring-boot-starter-web-2.6.1.jar

Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-starter-web/2.6.1/145ac0cfb81982608ef0d19e32699c0eeeb3c2ab/spring-boot-starter-web-2.6.1.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Vulnerable Library)

spring-beans-5.3.13.jar

Spring Beans

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.3.13/1d90c96b287253ec371260c35fbbea719c24bad6/spring-beans-5.3.13.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-web-5.3.13.jar
      • spring-beans-5.3.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

NOTE: The vulnerability originates in the artifact org.springframework:spring-beans. Other artifacts are also associated due to their relation to the CVE's exploitability. See GHSA-36p3-wjmg-h94x
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-55754

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker-controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which fix the issue.

Publish Date: 2025-10-27

URL: CVE-2025-55754

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd

Release Date: 2025-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.109

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-1471

Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.29/6d0cdafb2010f1297e574656551d7145240f6e25/snakeyaml-1.29.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-2.6.1.jar
      • snakeyaml-1.29.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (8.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mjmj-j48q-9wg2

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2025-55752

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Relative Path Traversal vulnerability in Apache Tomcat.
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which fix the issue.

Publish Date: 2025-10-27

URL: CVE-2025-55752

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.109

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-52999

Vulnerable Library - jackson-core-2.13.0.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: http://fasterxml.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.13.0/e957ec5442966e69cef543927bdc80e5426968bb/jackson-core-2.13.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-json-2.6.1.jar
      • jackson-datatype-jsr310-2.13.0.jar
        • jackson-core-2.13.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by the Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file that has deeply nested data, Jackson could end up throwing a StackOverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Publish Date: 2025-06-25

URL: CVE-2025-52999

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-25

Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.15.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2025-48989

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

Publish Date: 2025-08-13

URL: CVE-2025-48989

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gqp3-2cvr-x8m3

Release Date: 2025-08-13

Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.108,org.apache.tomcat:tomcat-coyote:11.0.10,org.apache.tomcat:tomcat-coyote:10.1.44,org.apache.tomcat.embed:tomcat-embed-core:11.0.10,org.apache.tomcat.embed:tomcat-embed-core:10.1.44,org.apache.tomcat.embed:tomcat-embed-core:9.0.108

CVE-2025-48988

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-48988

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h3gc-qfqq-6h8f

Release Date: 2025-06-16

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:10.1.42,org.apache.tomcat.embed:tomcat-embed-core:11.0.8,org.apache.tomcat:tomcat-catalina:10.1.42,org.apache.tomcat.embed:tomcat-embed-core:9.0.106,org.apache.tomcat:tomcat-catalina:11.0.8,org.apache.tomcat:tomcat-catalina:9.0.106

CVE-2022-42252

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Publish Date: 2022-11-01

URL: CVE-2022-42252

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-p22x-g9px-3945

Release Date: 2022-11-01

Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.68,org.apache.tomcat:tomcat-coyote:10.1.1,org.apache.tomcat.embed:tomcat-embed-core:10.0.27,org.apache.tomcat.embed:tomcat-embed-core:10.1.1,org.apache.tomcat:tomcat-coyote:10.0.27,org.apache.tomcat.embed:tomcat-embed-core:9.0.68,org.apache.tomcat.embed:tomcat-embed-core:8.5.83

CVE-2022-42004

Vulnerable Library - jackson-databind-2.13.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-json-2.6.1.jar
      • jackson-databind-2.13.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a missing check in BeanDeserializer._deserializeFromArray to prevent the use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4

CVE-2022-42003

Vulnerable Library - jackson-databind-2.13.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-json-2.6.1.jar
      • jackson-databind-2.13.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. For 2.13.4.x, the vulnerability is fixed in 2.13.4.1. A micro-patch was added in 2.13.4.2 to address issues for Gradle users.

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jjjh-jjxp-wpff

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.2

CVE-2020-36518

Vulnerable Library - jackson-databind-2.13.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-json-2.6.1.jar
      • jackson-databind-2.13.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-57j2-w4cx-62h2

Release Date: 2022-03-11

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,com.fasterxml.jackson.core:jackson-databind:2.13.2.1

CVE-2022-23181

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The fix for bug CVE-2020-9484 introduced a time-of-check, time-of-use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is running as. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Publish Date: 2022-01-27

URL: CVE-2022-23181

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/l8x62p3k19yfcb208jo4zrb83k5mfwg9

Release Date: 2022-01-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.58

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-42550

Vulnerable Library - logback-classic-1.2.7.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.7/3e89a85545181f1a3a9efc9516ca92658502505b/logback-classic-1.2.7.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-2.6.1.jar
      • spring-boot-starter-logging-2.6.1.jar
        • logback-classic-1.2.7.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the privileges required to edit configuration files could craft a malicious configuration that causes arbitrary code loaded from LDAP servers to be executed. Converted from WS-2021-0491 on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9

CVE-2025-49125

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-49125

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wc4r-xq3c-5cf3

Release Date: 2025-06-16

Fix Resolution: org.apache.tomcat:tomcat-catalina:9.0.106,org.apache.tomcat.embed:tomcat-embed-core:9.0.106,org.apache.tomcat.embed:tomcat-embed-core:10.1.42,org.apache.tomcat:tomcat-catalina:11.0.8,org.apache.tomcat.embed:tomcat-embed-core:11.0.8,org.apache.tomcat:tomcat-catalina:10.1.42

CVE-2022-38750

Vulnerable Library - snakeyaml-1.29.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.29/6d0cdafb2010f1297e574656551d7145240f6e25/snakeyaml-1.29.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-2.6.1.jar
      • snakeyaml-1.29.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Using SnakeYAML to parse untrusted YAML files may be vulnerable to denial of service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-22950

Vulnerable Library - spring-expression-5.3.13.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.3.13/8f7448f4fb296a92855fd0afea3375ce41061e84/spring-expression-5.3.13.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-webmvc-5.3.13.jar
      • spring-expression-5.3.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17

CVE-2018-1257

Vulnerable Library - spring-core-5.3.13.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.13/d2a6c3372dd337e08144f9f49f386b8ec7a8080d/spring-core-5.3.13.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-2.6.1.jar
      • spring-core-5.3.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service (ReDoS) attack.

Publish Date: 2018-05-11

URL: CVE-2018-1257

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1257

Release Date: 2018-05-11

Fix Resolution: 5.0.6,4.3.17

CVE-2025-49124

Vulnerable Library - tomcat-embed-core-9.0.55.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.55/6ab68425d34f35e93cf97e1950c2c710161d8ce1/tomcat-embed-core-9.0.55.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-tomcat-2.6.1.jar
      • tomcat-embed-core-9.0.55.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-49124

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-16

Fix Resolution: https://github.com/apache/tomcat.git - 11.0.8,https://github.com/apache/tomcat.git - 10.1.42,https://github.com/apache/tomcat.git - 9.0.106

WS-2021-0616

Vulnerable Library - jackson-databind-2.13.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.0/889672a1721d6d85b2834fcd29d3fda92c8c8891/jackson-databind-2.13.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-json-2.6.1.jar
      • jackson-databind-2.13.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In FasterXML jackson-databind before 2.12.6 and 2.13.1 there is a DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1

CVE-2025-41242

Vulnerable Library - spring-webmvc-5.3.13.jar

Spring Web MVC

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-webmvc/5.3.13/cea31c85fa84dbd9f8df14a3ca62ab57c25cabe4/spring-webmvc-5.3.13.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-webmvc-5.3.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant Servlet container.
An application can be vulnerable when all the following are true:

Publish Date: 2025-08-18

URL: CVE-2025-41242

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-r936-gwx5-v52f

Release Date: 2025-08-18

Fix Resolution: org.springframework:spring-webmvc:6.2.10

CVE-2018-1271

Vulnerable Library - spring-core-5.3.13.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.3.13/d2a6c3372dd337e08144f9f49f386b8ec7a8080d/spring-core-5.3.13.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-2.6.1.jar
      • spring-core-5.3.13.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Publish Date: 2018-04-06

URL: CVE-2018-1271

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271

Release Date: 2018-04-06

Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE

CVE-2018-1196

Vulnerable Library - spring-boot-2.6.1.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/2.6.1/f670cee55752c1f1b304508e18bafd000e543174/spring-boot-2.6.1.jar

Dependency Hierarchy:

  • spring-boot-starter-web-2.6.1.jar (Root Library)
    • spring-boot-starter-2.6.1.jar
      • spring-boot-2.6.1.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.

Publish Date: 2018-03-19

URL: CVE-2018-1196

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1196

Release Date: 2018-03-19

Fix Resolution: 1.5.10.RELEASE


⛑️Automatic Remediation will be attempted for this issue.
