spring-kafka-2.3.6.RELEASE.jar: 18 vulnerabilities (highest severity is: 9.8) reachable

[mend-for-github-com]

Vulnerable Library - spring-kafka-2.3.6.RELEASE.jar

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.4.RELEASE/spring-expression-5.2.4.RELEASE.jar

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-kafka version)	Remediation Possible**	Reachability
CVE-2022-22965	Critical	9.8	spring-beans-5.2.4.RELEASE.jar	Transitive	2.7.0	✅	Reachable
CVE-2023-25194	Medium	6.6	kafka-clients-2.3.1.jar	Transitive	N/A*	❌	Reachable
CVE-2024-31141	Medium	6.5	kafka-clients-2.3.1.jar	Transitive	N/A*	❌	Reachable
CVE-2023-20863	Medium	6.5	spring-expression-5.2.4.RELEASE.jar	Transitive	2.7.0	✅	Reachable
CVE-2023-20861	Medium	6.5	spring-expression-5.2.4.RELEASE.jar	Transitive	2.7.0	✅	Reachable
CVE-2022-22971	Medium	6.5	spring-messaging-5.2.4.RELEASE.jar	Transitive	2.7.0	✅	Reachable
CVE-2022-22950	Medium	6.5	spring-expression-5.2.4.RELEASE.jar	Transitive	2.7.0	✅	Reachable
CVE-2021-38153	Medium	5.9	kafka-clients-2.3.1.jar	Transitive	2.6.12	✅	Reachable
CVE-2022-22970	Medium	5.3	detected in multiple dependencies	Transitive	2.7.0	✅	Reachable
CVE-2022-22968	Medium	5.3	spring-context-5.2.4.RELEASE.jar	Transitive	2.7.0	✅	Reachable
CVE-2024-38808	Medium	4.3	spring-expression-5.2.4.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2021-22096	Medium	4.3	spring-core-5.2.4.RELEASE.jar	Transitive	2.6.11	✅	Reachable
CVE-2021-22060	Medium	4.3	spring-core-5.2.4.RELEASE.jar	Transitive	2.5.17.RELEASE	✅	Reachable
CVE-2024-38820	Low	3.1	spring-context-5.2.4.RELEASE.jar	Transitive	3.1.10	✅	Reachable
CVE-2023-43642	High	7.5	snappy-java-1.1.7.3.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-34455	High	7.5	snappy-java-1.1.7.3.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-34454	Medium	5.9	snappy-java-1.1.7.3.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-34453	Medium	5.9	snappy-java-1.1.7.3.jar	Transitive	N/A*	❌	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (17 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2022-22965

Vulnerable Library - spring-beans-5.2.4.RELEASE.jar

Spring Beans

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.2.4.RELEASE/spring-beans-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • spring-aop-5.2.4.RELEASE.jar
      • ❌ spring-beans-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-25194

Vulnerable Library - kafka-clients-2.3.1.jar

Library home page: https://kafka.apache.org

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • ❌ kafka-clients-2.3.1.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.KafkaConsumerFactoryConfiguration (Application)
  -> org.springframework.cloud.stream.binder.kafka.properties.KafkaBinderConfigurationProperties (Extension)
   -> org.springframework.cloud.stream.binder.kafka.properties.JaasLoginModuleConfiguration (Extension)
    -> org.springframework.kafka.security.jaas.KafkaJaasLoginModuleInitializer (Extension)
     -> ❌ org.apache.kafka.common.security.JaasUtils (Vulnerable Component)

Vulnerability Details

A possible security vulnerability has been identified in Apache Kafka Connect API.This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS configand a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the sasl.jaas.configproperty for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via theproducer.override.sasl.jaas.config, consumer.override.sasl.jaas.config, or admin.override.sasl.jaas.config properties.This will allow the server to connect to the attacker's LDAP serverand deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.Attacker can cause unrestricted deserialization of untrusted data (or) RCE vulnerability when there are gadgets in the classpath.Since Apache Kafka 3.0.0, users are allowed to specify these properties in connector configurations for Kafka Connect clusters running with out-of-the-boxconfigurations. Before Apache Kafka 3.0.0, users may not specify these properties unless the Kafka Connect cluster has been reconfigured with a connectorclient override policy that permits them.Since Apache Kafka 3.4.0, we have added a system property ("-Dorg.apache.kafka.disallowed.login.modules") to disable the problematic login modules usagein SASL JAAS configuration. Also by default "com.sun.security.auth.module.JndiLoginModule" is disabled in Apache Kafka Connect 3.4.0. We advise the Kafka Connect users to validate connector configurations and only allow trusted JNDI configurations. Also examine connector dependencies for vulnerable versions and either upgrade their connectors, upgrading that specific dependency, or removing the connectors as options for remediation. Finally,in addition to leveraging the "org.apache.kafka.disallowed.login.modules" system property, Kafka Connect users can also implement their own connectorclient config override policy, which can be used to control which Kafka client properties can be overridden directly in a connector config and which cannot.
Mend Note: After conducting a further research, Mend has assigned this CVE a score of CVSS 3.1 of 6.6.

Publish Date: 2023-02-07

URL: CVE-2023-25194

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://kafka.apache.org/cve-list

Release Date: 2023-02-07

Fix Resolution: org.apache.kafka:kafka-clients:3.4.0

CVE-2024-31141

Vulnerable Library - kafka-clients-2.3.1.jar

Library home page: https://kafka.apache.org

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • ❌ kafka-clients-2.3.1.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.kafka.CorrelatingMessageListener (Application)
  -> org.apache.kafka.clients.consumer.ConsumerRecord (Extension)
   -> org.apache.kafka.common.record.DefaultRecord (Extension)
    -> ❌ org.apache.kafka.common.utils.Crc32C (Vulnerable Component)

Vulnerability Details

Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients. Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables. In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables. In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products. This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0. Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property "org.apache.kafka.automatic.config.providers=none". Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds. For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property. For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.

Publish Date: 2024-11-19

URL: CVE-2024-31141

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2024/q4/106

Release Date: 2024-11-19

Fix Resolution: org.apache.kafka:kafka-clients:3.7.1

CVE-2023-20863

Vulnerable Library - spring-expression-5.2.4.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.4.RELEASE/spring-expression-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • ❌ spring-expression-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.bpmnparsing.DefaultMetadataValueEvaluator (Application)
  -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
   -> ❌ org.springframework.expression.spel.standard.InternalSpelExpressionParser (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.2.24.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-20861

Vulnerable Library - spring-expression-5.2.4.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.4.RELEASE/spring-expression-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • ❌ spring-expression-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.bpmnparsing.DefaultMetadataValueEvaluator (Application)
  -> org.springframework.expression.spel.standard.SpelExpressionParser (Extension)
   -> org.springframework.expression.spel.standard.InternalSpelExpressionParser (Extension)
    -> ❌ org.springframework.expression.spel.ast.OperatorMatches (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.2.23.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22971

Vulnerable Library - spring-messaging-5.2.4.RELEASE.jar

Spring Messaging

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-messaging/5.2.4.RELEASE/spring-messaging-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • ❌ spring-messaging-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.integration.jmx.NotificationListeningMessageProducer (Extension)
   -> org.springframework.integration.support.MessageBuilderFactory (Extension)
    -> org.springframework.integration.handler.support.MessagingMethodInvokerHelper (Extension)
    ...
      -> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration$1 (Extension)
       -> org.springframework.messaging.simp.config.AbstractMessageBrokerConfiguration (Extension)
        -> ❌ org.springframework.messaging.simp.broker.SimpleBrokerMessageHandler (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.

Publish Date: 2022-05-12

URL: CVE-2022-22971

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22971

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-messaging): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22950

Vulnerable Library - spring-expression-5.2.4.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.4.RELEASE/spring-expression-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • ❌ spring-expression-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.bpmnparsing.DefaultMetadataValueEvaluator (Application)
  -> org.springframework.expression.ExpressionParser (Extension)
   -> org.springframework.expression.spel.standard.SpelExpression (Extension)
    -> ❌ org.springframework.expression.spel.SpelMessage (Vulnerable Component)

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-38153

Vulnerable Library - kafka-clients-2.3.1.jar

Library home page: https://kafka.apache.org

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/kafka/kafka-clients/2.3.1/kafka-clients-2.3.1.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • ❌ kafka-clients-2.3.1.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.KafkaConsumerFactoryConfiguration (Application)
  -> org.springframework.kafka.core.DefaultKafkaConsumerFactory (Extension)
   -> org.apache.kafka.clients.consumer.KafkaConsumer (Extension)
    -> org.apache.kafka.common.network.SaslChannelBuilder (Extension)
    ...
      -> org.apache.kafka.common.security.scram.ScramLoginModule (Extension)
       -> org.apache.kafka.common.security.scram.internals.ScramSaslServerProvider (Extension)
        -> ❌ org.apache.kafka.common.security.scram.internals.ScramSaslServer (Vulnerable Component)

Vulnerability Details

Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been fixed. The affected versions include Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.6.0, 2.6.1, 2.6.2, 2.7.0, 2.7.1, and 2.8.0.

Publish Date: 2021-09-22

URL: CVE-2021-38153

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38153

Release Date: 2021-09-22

Fix Resolution (org.apache.kafka:kafka-clients): 2.6.3

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.6.12

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22970

Vulnerable Libraries - spring-core-5.2.4.RELEASE.jar, spring-beans-5.2.4.RELEASE.jar

spring-core-5.2.4.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.4.RELEASE/spring-core-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • spring-aop-5.2.4.RELEASE.jar
      • spring-beans-5.2.4.RELEASE.jar
        • ❌ spring-core-5.2.4.RELEASE.jar (Vulnerable Library)

spring-beans-5.2.4.RELEASE.jar

Spring Beans

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.2.4.RELEASE/spring-beans-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • spring-aop-5.2.4.RELEASE.jar
      • ❌ spring-beans-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.scheduling.annotation.ScheduledAnnotationBeanPostProcessor (Extension)
   -> org.springframework.core.annotation.AnnotatedElementUtils (Extension)
    -> ❌ org.springframework.core.annotation.AnnotationsScanner (Vulnerable Component)

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22968

Vulnerable Library - spring-context-5.2.4.RELEASE.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.2.4.RELEASE/spring-context-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • ❌ spring-context-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.boot.context.properties.bind.Binder (Extension)
    ...
      -> org.springframework.boot.context.properties.bind.validation.ValidationBindHandler$ValidationResult (Extension)
       -> org.springframework.validation.AbstractBindingResult (Extension)
        -> ❌ org.springframework.validation.DataBinder (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution (org.springframework:spring-context): 5.2.21.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38808

Vulnerable Library - spring-expression-5.2.4.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.2.4.RELEASE/spring-expression-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • ❌ spring-expression-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.expression.spel.ast.ConstructorReference (Application)
  -> org.springframework.expression.spel.standard.SpelExpression (Extension)
   -> org.springframework.expression.ExpressionParser (Extension)
    -> ❌ com.ultimatesoftware.workflow.messaging.bpmnparsing.DefaultMetadataValueEvaluator (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.

Specifically, an application is vulnerable when the following is true:

• The application evaluates user-supplied SpEL expressions.

Publish Date: 2024-08-20

URL: CVE-2024-38808

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38808

Release Date: 2024-08-20

Fix Resolution (org.springframework:spring-expression): 5.3.39

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 3.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22096

Vulnerable Library - spring-core-5.2.4.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.4.RELEASE/spring-core-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • spring-aop-5.2.4.RELEASE.jar
      • spring-beans-5.2.4.RELEASE.jar
        • ❌ spring-core-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.messaging.simp.user.MultiServerUserRegistry (Extension)
   -> org.springframework.messaging.converter.MappingJackson2MessageConverter (Extension)
    -> ❌ org.springframework.util.MimeType (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.6.11

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22060

Vulnerable Library - spring-core-5.2.4.RELEASE.jar

Spring Core

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.2.4.RELEASE/spring-core-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • spring-context-5.2.4.RELEASE.jar
    • spring-aop-5.2.4.RELEASE.jar
      • spring-beans-5.2.4.RELEASE.jar
        • ❌ spring-core-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

org.springframework.util.JdkIdGenerator (Application)
  -> org.springframework.web.server.session.InMemoryWebSessionStore (Extension)
   -> org.springframework.web.server.session.DefaultWebSessionManager (Extension)
    -> org.springframework.web.context.support.GroovyWebApplicationContext (Extension)
    ...
      -> org.springframework.cloud.stream.config.BindingServiceConfiguration (Extension)
       -> org.springframework.cloud.stream.config.BindingServiceConfiguration$1 (Extension)
        -> ❌ com.ultimatesoftware.workflow.webapp.WebappApplication (Vulnerable Component)

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-07

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-07

Fix Resolution (org.springframework:spring-core): 5.2.19.RELEASE

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 2.5.17.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-38820

Vulnerable Library - spring-context-5.2.4.RELEASE.jar

Spring Context

Library home page: https://spring.io/projects/spring-framework

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.2.4.RELEASE/spring-context-5.2.4.RELEASE.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • ❌ spring-context-5.2.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationImportSelector (Extension)
    -> org.springframework.boot.context.properties.bind.Binder (Extension)
    ...
      -> org.springframework.boot.context.properties.bind.validation.ValidationBindHandler$ValidationResult (Extension)
       -> org.springframework.validation.AbstractBindingResult (Extension)
        -> ❌ org.springframework.validation.DataBinder (Vulnerable Component)

Vulnerability Details

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

Publish Date: 2024-10-18

URL: CVE-2024-38820

CVSS 3 Score Details (3.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-38820

Release Date: 2024-10-18

Fix Resolution (org.springframework:spring-context): 6.1.14

Direct dependency fix Resolution (org.springframework.kafka:spring-kafka): 3.1.10

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-43642

Vulnerable Library - snappy-java-1.1.7.3.jar

snappy-java: A fast compression/decompression library

Library home page: https://github.com/xerial/snappy-java

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.1.7.3/snappy-java-1.1.7.3.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • kafka-clients-2.3.1.jar
    • ❌ snappy-java-1.1.7.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue. A fix has been introduced in commit 9f8c3cf74 which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Publish Date: 2023-09-25

URL: CVE-2023-43642

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-55g7-9cwv-5qfv

Release Date: 2023-09-25

Fix Resolution: org.xerial.snappy:snappy-java:1.1.10.4

CVE-2023-34455

Vulnerable Library - snappy-java-1.1.7.3.jar

snappy-java: A fast compression/decompression library

Library home page: https://github.com/xerial/snappy-java

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.1.7.3/snappy-java-1.1.7.3.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • kafka-clients-2.3.1.jar
    • ❌ snappy-java-1.1.7.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an unrecoverable fatal error can occur in versions prior to 1.1.10.1.

The code in the function hasNextChunk in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 bytes, the function returns false. Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk.

In the case that the compressed variable is null, a byte array is allocated with the size given by the input data. Since the code doesn’t test the legality of the chunkSize variable, it is possible to pass a negative number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a java.lang.NegativeArraySizeException exception. A worse case would happen when passing a huge positive value (such as 0x7FFFFFFF), which would raise the fatal java.lang.OutOfMemoryError error.

Version 1.1.10.1 contains a patch for this issue.

Publish Date: 2023-06-15

URL: CVE-2023-34455

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qcwq-55hx-v3vh

Release Date: 2023-06-15

Fix Resolution: org.xerial.snappy:snappy-java:1.1.10.1

CVE-2023-34454

Vulnerable Library - snappy-java-1.1.7.3.jar

snappy-java: A fast compression/decompression library

Library home page: https://github.com/xerial/snappy-java

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/xerial/snappy/snappy-java/1.1.7.3/snappy-java-1.1.7.3.jar

Dependency Hierarchy:

• spring-kafka-2.3.6.RELEASE.jar (Root Library)
  • kafka-clients-2.3.1.jar
    • ❌ snappy-java-1.1.7.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error.

The function compress(char[] input) in the file Snappy.java receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress` function.

Since the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.

Since the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a java.lang.NegativeArraySizeException exception will be raised while trying to allocate the array buf. On the other side, if the result is positive, the buf array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.

The same issue exists also when using the compress functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.

Version 1.1.10.1 contains a patch for this issue.

Publish Date: 2023-06-15

URL: CVE-2023-34454

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fjpj-2g6w-x25r

Release Date: 2023-06-15

Fix Resolution: org.xerial.snappy:snappy-java:1.1.10.1

---

⛑️Automatic Remediation will be attempted for this issue.