garcon's People

Contributors

apankowski, mend-bolt-for-github[bot], renovate[bot]

garcon's Issues

wiremock-jre8-standalone-2.35.0.jar: 1 vulnerability (highest severity is: 6.6) - autoclosed

Vulnerable Library - wiremock-jre8-standalone-2.35.0.jar

A web service test double for all occasions - standalone edition

Library home page: http://wiremock.org

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8-standalone/2.35.0/23fd20992e665b232446cc85f2155410211a2aa7/wiremock-jre8-standalone-2.35.0.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2023-41329 (Medium, CVSS 6.6)
    • Dependency: wiremock-jre8-standalone-2.35.0.jar
    • Type: Direct
    • Fixed in (wiremock-jre8-standalone version): com.tomakehurst.wiremock:wiremock-jre8-standalone:2.35.1, com.tomakehurst.wiremock:wiremock-jre8:2.35.1, org.wiremock:wiremock-standalone:3.0.3, org.wiremock:wiremock:3.0.3, wiremock - 2.6.1

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-41329

Vulnerable Library - wiremock-jre8-standalone-2.35.0.jar

A web service test double for all occasions - standalone edition

Library home page: http://wiremock.org

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8-standalone/2.35.0/23fd20992e665b232446cc85f2155410211a2aa7/wiremock-jre8-standalone-2.35.0.jar

Dependency Hierarchy:

  • wiremock-jre8-standalone-2.35.0.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

WireMock is a tool for mocking HTTP services. The proxy mode of WireMock can be protected by the network restrictions configuration, as documented in "Preventing proxying to and recording from specific target addresses". These restrictions can be configured using domain names, and in such a case the configuration is vulnerable to DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request, which might then go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the Python version of WireMock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or configure WireMock to use IP addresses instead of domain names.

Publish Date: 2023-09-06

URL: CVE-2023-41329

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pmxq-pj47-j8j4

Release Date: 2023-09-06

Fix Resolution: com.tomakehurst.wiremock:wiremock-jre8-standalone:2.35.1, com.tomakehurst.wiremock:wiremock-jre8:2.35.1, org.wiremock:wiremock-standalone:3.0.3, org.wiremock:wiremock:3.0.3, wiremock - 2.6.1

Step up your Open Source Security Game with Mend here

spring-boot-starter-actuator-3.1.3.jar: 1 vulnerability (highest severity is: 9.8) - autoclosed

Vulnerable Library - spring-boot-starter-actuator-3.1.3.jar

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2022-1471 (Critical, CVSS 9.8)
    • Dependency: snakeyaml-1.33.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-actuator version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2022-1471

Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Dependency Hierarchy:

  • spring-boot-starter-actuator-3.1.3.jar (Root Library)
    • spring-boot-starter-3.1.3.jar
      • snakeyaml-1.33.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

SnakeYaml's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

slack-api-client-1.36.0.jar: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - slack-api-client-1.36.0.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Found in HEAD commit: 5b9083016024533045e774e8ecf69fc6b907710c

Vulnerabilities

  • CVE-2023-3635 (High, CVSS 7.5)
    • Dependency: okio-jvm-3.0.0.jar
    • Type: Transitive
    • Fixed in (slack-api-client version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-3635

Vulnerable Library - okio-jvm-3.0.0.jar

A modern I/O API for Java

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Dependency Hierarchy:

  • slack-api-client-1.36.0.jar (Root Library)
    • okhttp-4.10.0.jar
      • okio-3.0.0.jar
        • okio-jvm-3.0.0.jar (Vulnerable Library)

Found in HEAD commit: 5b9083016024533045e774e8ecf69fc6b907710c

Found in base branch: main

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when it handles a crafted GZIP archive through the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution: com.squareup.okio:okio-jvm:3.4.0

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • Update github-actions (aquasecurity/trivy-action, gradle/actions)
  • Update non-major (gradle, org.wiremock:wiremock-standalone, io.mockk:mockk, io.kotest.extensions:kotest-extensions-wiremock, io.kotest.extensions:kotest-extensions-spring, io.kotest:kotest-assertions-core, io.kotest:kotest-framework-datatest, io.kotest:kotest-runner-junit5, com.slack.api:slack-api-client, org.jsoup:jsoup, com.google.guava:guava, org.sonarqube, com.avast.gradle.docker-compose, io.spring.dependency-management, org.springframework.boot)
  • Update docker/build-push-action action to v6
  • Update plugin com.dorongold.task-tree to v4

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Detected dependencies

docker-compose
docker-compose-integration-test.yml
  • postgres 15.7
dockerfile
Dockerfile
  • azul/zulu-openjdk-alpine 21.0.3-jre-headless
github-actions
.github/workflows/build-pull-request.yaml
  • actions/checkout v4
  • docker/setup-buildx-action v3
  • actions/setup-java v4
  • gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43
  • gradle/actions v3.3.2@db19848a5fa7950289d3668fb053140cf3028d43
  • actions/upload-artifact v4
  • EnricoMi/publish-unit-test-result-action v2
  • actions/upload-artifact v4
  • actions/cache v4
  • hadolint/hadolint-action v3.1.0
  • github/codeql-action v3
  • docker/build-push-action v5
  • aquasecurity/trivy-action 0.20.0
  • github/codeql-action v3
  • actions/upload-artifact v4
.github/workflows/scan-for-secrets.yaml
  • actions/checkout v4
  • gitleaks/gitleaks-action v2
gradle
gradle.properties
settings.gradle.kts
build.gradle.kts
  • org.jetbrains.kotlin.jvm 1.9.24
  • org.jetbrains.kotlin.kapt 1.9.24
  • org.jetbrains.kotlin.plugin.spring 1.9.24
  • org.springframework.boot 3.2.5
  • io.spring.dependency-management 1.1.5
  • com.gorylenko.gradle-git-properties 2.4.2
  • com.adarshr.test-logger 4.0.0
  • com.avast.gradle.docker-compose 0.17.6
  • org.flywaydb.flyway 9.22.3
  • nu.studer.jooq 9.0
  • org.sonarqube 5.0.0.4638
  • com.dorongold.task-tree 3.0.0
  • com.google.guava:guava 33.2.0-jre
  • org.jsoup:jsoup 1.17.2
  • org.mozilla:rhino 1.7.15
  • net.thisptr:jackson-jq 1.0.0-preview.20240207
  • com.slack.api:slack-api-client 1.39.2
  • io.kotest:kotest-runner-junit5 5.9.0
  • io.kotest:kotest-framework-datatest 5.9.0
  • io.kotest:kotest-assertions-core 5.9.0
  • io.kotest.extensions:kotest-extensions-spring 1.1.3
  • io.kotest.extensions:kotest-extensions-wiremock 3.0.1
  • io.mockk:mockk 1.13.11
  • org.wiremock:wiremock-standalone 3.5.4
  • com.tngtech.archunit:archunit-junit5 1.3.0
  • jacoco 0.8.12
gradle-wrapper
gradle/wrapper/gradle-wrapper.properties
  • gradle 8.7

spring-boot-starter-test-3.2.1.jar: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - spring-boot-starter-test-3.2.1.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.8.0/b4ab3b7a9e425655a0ca65487bbbd6d7ddb75160/json-path-2.8.0.jar

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Vulnerabilities

  • CVE-2023-51074 (High, CVSS 7.5)
    • Dependency: json-path-2.8.0.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-test version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-51074

Vulnerable Library - json-path-2.8.0.jar

A library to query and verify JSON

Library home page: https://github.com/jayway/JsonPath

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.8.0/b4ab3b7a9e425655a0ca65487bbbd6d7ddb75160/json-path-2.8.0.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.2.1.jar (Root Library)
    • json-path-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Found in base branch: main

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

kotest-extensions-wiremock-2.0.1.jar: 1 vulnerability (highest severity is: 6.6) - autoclosed

Vulnerable Library - kotest-extensions-wiremock-2.0.1.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8-standalone/2.35.0/23fd20992e665b232446cc85f2155410211a2aa7/wiremock-jre8-standalone-2.35.0.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2023-41329 (Medium, CVSS 6.6)
    • Dependency: wiremock-jre8-standalone-2.35.0.jar
    • Type: Transitive
    • Fixed in (kotest-extensions-wiremock version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-41329

Vulnerable Library - wiremock-jre8-standalone-2.35.0.jar

A web service test double for all occasions - standalone edition

Library home page: http://wiremock.org

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8-standalone/2.35.0/23fd20992e665b232446cc85f2155410211a2aa7/wiremock-jre8-standalone-2.35.0.jar

Dependency Hierarchy:

  • kotest-extensions-wiremock-2.0.1.jar (Root Library)
    • wiremock-jre8-standalone-2.35.0.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

WireMock is a tool for mocking HTTP services. The proxy mode of WireMock can be protected by the network restrictions configuration, as documented in "Preventing proxying to and recording from specific target addresses". These restrictions can be configured using domain names, and in such a case the configuration is vulnerable to DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request, which might then go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the Python version of WireMock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or configure WireMock to use IP addresses instead of domain names.

Publish Date: 2023-09-06

URL: CVE-2023-41329

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-pmxq-pj47-j8j4

Release Date: 2023-09-06

Fix Resolution: com.tomakehurst.wiremock:wiremock-jre8-standalone:2.35.1, com.tomakehurst.wiremock:wiremock-jre8:2.35.1, org.wiremock:wiremock-standalone:3.0.3, org.wiremock:wiremock:3.0.3, wiremock - 2.6.1

slack-api-client-1.32.0.jar: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - slack-api-client-1.32.0.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2023-3635 (High, CVSS 7.5)
    • Dependency: okio-jvm-3.0.0.jar
    • Type: Transitive
    • Fixed in (slack-api-client version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-3635

Vulnerable Library - okio-jvm-3.0.0.jar

A modern I/O API for Java

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Dependency Hierarchy:

  • slack-api-client-1.32.0.jar (Root Library)
    • okhttp-4.10.0.jar
      • okio-3.0.0.jar
        • okio-jvm-3.0.0.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when it handles a crafted GZIP archive through the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution: com.squareup.okio:okio-jvm:3.4.0

slack-api-client-1.35.1.jar: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - slack-api-client-1.35.1.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2023-3635 (High, CVSS 7.5)
    • Dependency: okio-jvm-3.0.0.jar
    • Type: Transitive
    • Fixed in (slack-api-client version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-3635

Vulnerable Library - okio-jvm-3.0.0.jar

A modern I/O API for Java

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Dependency Hierarchy:

  • slack-api-client-1.35.1.jar (Root Library)
    • okhttp-4.10.0.jar
      • okio-3.0.0.jar
        • okio-jvm-3.0.0.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when it handles a crafted GZIP archive through the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution: com.squareup.okio:okio-jvm:3.4.0

slack-api-client-1.32.1.jar: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - slack-api-client-1.32.1.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2023-3635 (High, CVSS 7.5)
    • Dependency: okio-jvm-3.0.0.jar
    • Type: Transitive
    • Fixed in (slack-api-client version): 1.35.0

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-3635

Vulnerable Library - okio-jvm-3.0.0.jar

A modern I/O API for Java

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Dependency Hierarchy:

  • slack-api-client-1.32.1.jar (Root Library)
    • okhttp-4.10.0.jar
      • okio-3.0.0.jar
        • okio-jvm-3.0.0.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when it handles a crafted GZIP archive through the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution (com.squareup.okio:okio-jvm): 3.4.0

Direct dependency fix resolution (com.slack.api:slack-api-client): 1.35.0

spring-boot-starter-test-3.2.2.jar: 1 vulnerability (highest severity is: 5.3) - autoclosed

Vulnerable Library - spring-boot-starter-test-3.2.2.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.8.0/b4ab3b7a9e425655a0ca65487bbbd6d7ddb75160/json-path-2.8.0.jar

Found in HEAD commit: 57880f6f3c570b3d185f95a170ac7594c04a140d

Vulnerabilities

  • CVE-2023-51074 (Medium, CVSS 5.3)
    • Dependency: json-path-2.8.0.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-test version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-51074

Vulnerable Library - json-path-2.8.0.jar

A library to query and verify JSON

Library home page: https://github.com/jayway/JsonPath

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.8.0/b4ab3b7a9e425655a0ca65487bbbd6d7ddb75160/json-path-2.8.0.jar

Dependency Hierarchy:

  • spring-boot-starter-test-3.2.2.jar (Root Library)
    • json-path-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 57880f6f3c570b3d185f95a170ac7594c04a140d

Found in base branch: main

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51074

Release Date: 2023-12-27

Fix Resolution: com.jayway.jsonpath:json-path:2.9.0

wiremock-standalone-3.0.1.pom: 1 vulnerability (highest severity is: 6.6) - autoclosed

Vulnerable Library - wiremock-standalone-3.0.1.pom

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.wiremock/wiremock-standalone/3.0.1/6b54f1bb43eb24530490348d26c1c3d5454af873/wiremock-standalone-3.0.1.jar

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Vulnerabilities

  • CVE-2023-41329 (Medium, CVSS 6.6)
    • Dependency: wiremock-standalone-3.0.1.jar
    • Type: Transitive
    • Fixed in (wiremock-standalone version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-41329

Vulnerable Library - wiremock-standalone-3.0.1.jar

A web service test double for all occasions - standalone edition

Library home page: http://wiremock.org

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.wiremock/wiremock-standalone/3.0.1/6b54f1bb43eb24530490348d26c1c3d5454af873/wiremock-standalone-3.0.1.jar

Dependency Hierarchy:

  • wiremock-standalone-3.0.1.pom (Root Library)
    • wiremock-standalone-3.0.1.jar (Vulnerable Library)

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Found in base branch: main

Vulnerability Details

WireMock is a tool for mocking HTTP services. The proxy mode of WireMock can be protected by the network restrictions configuration, as documented in "Preventing proxying to and recording from specific target addresses". These restrictions can be configured using domain names, and in such a case the configuration is vulnerable to DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request, which might then go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the Python version of WireMock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or configure WireMock to use IP addresses instead of domain names.

Publish Date: 2023-09-06

URL: CVE-2023-41329

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-pmxq-pj47-j8j4

Release Date: 2023-09-06

Fix Resolution: com.tomakehurst.wiremock:wiremock-jre8-standalone:2.35.1, com.tomakehurst.wiremock:wiremock-jre8:2.35.1, org.wiremock:wiremock-standalone:3.0.3, org.wiremock:wiremock:3.0.3, wiremock - 2.6.1

spring-boot-starter-web-3.1.3.jar: 4 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - spring-boot-starter-web-3.1.3.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

  • CVE-2023-44487 (High, CVSS 7.5)
    • Dependency: tomcat-embed-core-10.1.12.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-web version): N/A*
  • CVE-2023-41080 (Medium, CVSS 6.1)
    • Dependency: tomcat-embed-core-10.1.12.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-web version): 3.1.4
  • CVE-2023-42795 (Medium, CVSS 5.3)
    • Dependency: tomcat-embed-core-10.1.12.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-web version): N/A*
  • CVE-2023-45648 (Medium, CVSS 5.3)
    • Dependency: tomcat-embed-core-10.1.12.jar
    • Type: Transitive
    • Fixed in (spring-boot-starter-web version): N/A*

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed.

Note: in some cases a remediation PR cannot be created automatically for a vulnerability even when a remediation is available.

Details

CVE-2023-44487

Vulnerable Library - tomcat-embed-core-10.1.12.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.1.3.jar (Root Library)
    • spring-boot-starter-tomcat-3.1.3.jar
      • tomcat-embed-core-10.1.12.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3, v1.57.1, v1.58.3

CVE-2023-41080

Vulnerable Library - tomcat-embed-core-10.1.12.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.1.3.jar (Root Library)
    • spring-boot-starter-tomcat-3.1.3.jar
      • tomcat-embed-core-10.1.12.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92.

The vulnerability is limited to the ROOT (default) web application.

Publish Date: 2023-08-25

URL: CVE-2023-41080

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f

Release Date: 2023-08-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.13

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.1.4

CVE-2023-42795

Vulnerable Library - tomcat-embed-core-10.1.12.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.1.3.jar (Root Library)
    • spring-boot-starter-tomcat-3.1.3.jar
      • tomcat-embed-core-10.1.12.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Publish Date: 2023-10-10

URL: CVE-2023-42795

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-42795

Release Date: 2023-10-10

Fix Resolution: org.apache.tomcat:tomcat-util - 8.5.94,10.1.14,11.0.0-M12,10.0.0-M1;org.apache.tomcat.embed:tomcat-embed-core - 11.0.0-M12,8.5.94,9.0.81;org.apache.tomcat:tomcat-coyote - 8.5.94,10.0.0-M1,11.0.0-M12,10.1.14;org.apache.tomcat:tomcat-catalina - 8.5.94,10.0.0-M1,10.1.14,11.0.0-M12

CVE-2023-45648

Vulnerable Library - tomcat-embed-core-10.1.12.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.1.3.jar (Root Library)
    • spring-boot-starter-tomcat-3.1.3.jar
      • tomcat-embed-core-10.1.12.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Publish Date: 2023-10-10

URL: CVE-2023-45648

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-45648

Release Date: 2023-10-10

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core - 11.0.0-M12,8.5.94,9.0.81;org.apache.tomcat:tomcat-coyote - 8.5.94,10.0.0-M1,10.1.14,11.0.0-M12

slack-api-client-1.36.1.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - slack-api-client-1.36.1.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (slack-api-client version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-3635 | High | 7.5 | okio-jvm-3.0.0.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-3635

Vulnerable Library - okio-jvm-3.0.0.jar

A modern I/O API for Java

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.squareup.okio/okio-jvm/3.0.0/ab5a73fa2ccb4a36b0b5c69fe10b16d0255bcf8/okio-jvm-3.0.0.jar

Dependency Hierarchy:

  • slack-api-client-1.36.1.jar (Root Library)
    • okhttp-4.10.0.jar
      • okio-3.0.0.jar
        • okio-jvm-3.0.0.jar (Vulnerable Library)

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Found in base branch: main

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution: com.squareup.okio:okio-jvm:3.4.0

spring-boot-starter-actuator-3.2.0.jar: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - spring-boot-starter-actuator-3.2.0.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.4.11/2f9f280219a9922a74200eaf7138c4c17fb87c0f/logback-core-1.4.11.jar

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-actuator version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-6481 | High | 7.5 | logback-core-1.4.11.jar | Transitive | N/A* | |
| CVE-2023-6378 | High | 7.5 | logback-classic-1.4.11.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-6481

Vulnerable Library - logback-core-1.4.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.4.11/2f9f280219a9922a74200eaf7138c4c17fb87c0f/logback-core-1.4.11.jar

Dependency Hierarchy:

  • spring-boot-starter-actuator-3.2.0.jar (Root Library)
    • spring-boot-starter-3.2.0.jar
      • spring-boot-starter-logging-3.2.0.jar
        • logback-classic-1.4.11.jar
          • logback-core-1.4.11.jar (Vulnerable Library)

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Found in base branch: main

Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback version 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14

CVE-2023-6378

Vulnerable Library - logback-classic-1.4.11.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.4.11/54450c0c783e896a1a6d88c043bd2f1daba1c382/logback-classic-1.4.11.jar

Dependency Hierarchy:

  • spring-boot-starter-actuator-3.2.0.jar (Root Library)
    • spring-boot-starter-3.2.0.jar
      • spring-boot-starter-logging-3.2.0.jar
        • logback-classic-1.4.11.jar (Vulnerable Library)

Found in HEAD commit: 5b21bbc19132f877b8bcb2dacf314df6baca0814

Found in base branch: main

Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12

spring-boot-starter-actuator-3.1.5.jar: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - spring-boot-starter-actuator-3.1.5.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-actuator version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-1471 | Critical | 9.8 | snakeyaml-1.33.jar | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-1471

Vulnerable Library - snakeyaml-1.33.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.33/2cd0a87ff7df953f810c344bdf2fe3340b954c69/snakeyaml-1.33.jar

Dependency Hierarchy:

  • spring-boot-starter-actuator-3.1.5.jar (Root Library)
    • spring-boot-starter-3.1.5.jar
      • snakeyaml-1.33.jar (Vulnerable Library)

Found in HEAD commit: 6422844b434836cc435ea81aaaa5651e1ed9d476

Found in base branch: main

Vulnerability Details

SnakeYaml's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0
