
Conversation

@IAmATeaPot418 (Owner)


Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

  Issue:   medium severity Denial of Service (DoS)
           SNYK-JAVA-ORGSPRINGFRAMEWORK-8384234
  Score:   545
  Upgrade: org.springframework:spring-webmvc: 5.3.34 -> 6.0.0
           Major version upgrade | No Path Found | No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

@endorlabs

endorlabs bot commented Nov 29, 2024

Warning

Endor Labs detected 1 policy violation associated with this pull request.

Please review the findings that caused the policy violations.

📋 Policy: any findings (13 findings)

📥 Package mvn://org.owasp:benchmark@1.2

⤵️ Dependency: mvn://org.springframework:spring-context@6.0.0
🚩 GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception

Details

  • Severity: Low
  • Tags: Direct, Normal, Potentially Reachable Function, Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-context@6.0.0 has a low severity vulnerability identified by GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception. This vulnerability was fixed in version 6.1.14.
    2 packages import org.springframework:spring-context@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-context to version 6.1.14 (current: 6.0.0, latest: 6.2.0).
⤵️ Dependency: mvn://org.springframework:spring-core@6.0.0
🚩 GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception

Details

  • Severity: Low
  • Tags: Transitive, Normal, Potentially Reachable Function, Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-core@6.0.0 has a low severity vulnerability identified by GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception. This vulnerability was fixed in version 6.1.14.
    4 packages import org.springframework:spring-core@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-core to version 6.1.14 (current: 6.0.0, latest: 6.2.0).
⤵️ Dependency: mvn://org.springframework:spring-expression@6.0.0
🚩 GHSA-564r-hj7v-mcr5: Spring Framework vulnerable to denial of service via specially crafted SpEL expression

Details

  • Severity: Medium
  • Tags: Transitive, Normal, Potentially Reachable Function, Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-expression@6.0.0 has a medium severity vulnerability identified by GHSA-564r-hj7v-mcr5: Spring Framework vulnerable to denial of service via specially crafted SpEL expression. This vulnerability was fixed in version 6.0.7.
    org.springframework:spring-expression@6.0.0 is a transitive dependency of org.owasp:benchmark@1.2 via external direct dependency org.springframework:spring-webmvc@6.0.0.
  • Remediation: Check if you can use a newer version of org.springframework:spring-webmvc (current: 6.0.0, latest: 6.2.0) that requires org.springframework:spring-expression 6.0.7 or higher (current: 6.0.0, latest: 6.2.0). See for example org.springframework:spring-webmvc@6.0.7 (org.springframework:spring-expression@6.0.7), org.springframework:spring-webmvc@6.0.8 (org.springframework:spring-expression@6.0.8), org.springframework:spring-webmvc@6.0.9 (org.springframework:spring-expression@6.0.9), or latest version org.springframework:spring-webmvc@6.2.0 (org.springframework:spring-expression@6.2.0).
🚩 GHSA-wxqc-pxw9-g2p8: Spring Framework vulnerable to denial of service

Details

  • Severity: Medium
  • Tags: Transitive, Normal, Potentially Reachable Function, Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-expression@6.0.0 has a medium severity vulnerability identified by GHSA-wxqc-pxw9-g2p8: Spring Framework vulnerable to denial of service. This vulnerability was fixed in version 6.0.8.
    org.springframework:spring-expression@6.0.0 is a transitive dependency of org.owasp:benchmark@1.2 via external direct dependency org.springframework:spring-webmvc@6.0.0.
  • Remediation: Check if you can use a newer version of org.springframework:spring-webmvc (current: 6.0.0, latest: 6.2.0) that requires org.springframework:spring-expression 6.0.8 or higher (current: 6.0.0, latest: 6.2.0). See for example org.springframework:spring-webmvc@6.0.8 (org.springframework:spring-expression@6.0.8), org.springframework:spring-webmvc@6.0.9 (org.springframework:spring-expression@6.0.9), org.springframework:spring-webmvc@6.0.10 (org.springframework:spring-expression@6.0.10), or latest version org.springframework:spring-webmvc@6.2.0 (org.springframework:spring-expression@6.2.0).
⤵️ Dependency: mvn://org.springframework:spring-web@6.0.0
🚩 GHSA-hgjh-9rj2-g67j: Spring Framework URL Parsing with Host Validation Vulnerability

Details

  • Severity: High
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-web@6.0.0 has a high severity vulnerability identified by GHSA-hgjh-9rj2-g67j: Spring Framework URL Parsing with Host Validation Vulnerability. This vulnerability was fixed in version 6.0.18.
    2 packages import org.springframework:spring-web@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-web to version 6.0.18 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-ccgv-vj62-xf9h: Spring Web vulnerable to Open Redirect or Server Side Request Forgery

Details

  • Severity: High
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-web@6.0.0 has a high severity vulnerability identified by GHSA-ccgv-vj62-xf9h: Spring Web vulnerable to Open Redirect or Server Side Request Forgery. This vulnerability was fixed in version 6.1.4.
    2 packages import org.springframework:spring-web@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-web to version 6.1.4 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception

Details

  • Severity: Low
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-web@6.0.0 has a low severity vulnerability identified by GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception. This vulnerability was fixed in version 6.1.14.
    2 packages import org.springframework:spring-web@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-web to version 6.1.14 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-v94h-hvhg-mf9h: Spring Framework vulnerable to denial of service

Details

  • Severity: Medium
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-web@6.0.0 has a medium severity vulnerability identified by GHSA-v94h-hvhg-mf9h: Spring Framework vulnerable to denial of service. This vulnerability was fixed in version 6.0.14.
    2 packages import org.springframework:spring-web@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-web to version 6.0.14 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-2wrp-6fg6-hmc5: Spring Framework URL Parsing with Host Validation

Details

  • Severity: High
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-web@6.0.0 has a high severity vulnerability identified by GHSA-2wrp-6fg6-hmc5: Spring Framework URL Parsing with Host Validation. This vulnerability was fixed in version 6.0.19.
    2 packages import org.springframework:spring-web@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-web to version 6.0.19 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-2rmj-mq67-h97g: Spring Framework DoS via conditional HTTP request

Details

  • Severity: Medium
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-web@6.0.0 has a medium severity vulnerability identified by GHSA-2rmj-mq67-h97g: Spring Framework DoS via conditional HTTP request. This vulnerability was fixed in version 6.0.23.
    2 packages import org.springframework:spring-web@6.0.0 directly. See the list of all dependency paths for details.
  • Remediation: Upgrade org.springframework:spring-web to version 6.0.23 (current: 6.0.0, latest: 6.2.0).
⤵️ Dependency: mvn://org.springframework:spring-webmvc@6.0.0
🚩 GHSA-cx7f-g6mp-7hqm: Path traversal vulnerability in functional web frameworks

Details

  • Severity: High
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-webmvc@6.0.0 has a high severity vulnerability identified by GHSA-cx7f-g6mp-7hqm: Path traversal vulnerability in functional web frameworks. This vulnerability was fixed in version 6.1.13.
    org.springframework:spring-webmvc@6.0.0 is a direct dependency of org.owasp:benchmark@1.2.
  • Remediation: Update org.owasp:benchmark@1.2 to use org.springframework:spring-webmvc version 6.1.13 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception

Details

  • Severity: Low
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-webmvc@6.0.0 has a low severity vulnerability identified by GHSA-4gc7-5j7h-4qph: Spring Framework DataBinder Case Sensitive Match Exception. This vulnerability was fixed in version 6.1.14.
    org.springframework:spring-webmvc@6.0.0 is a direct dependency of org.owasp:benchmark@1.2.
  • Remediation: Update org.owasp:benchmark@1.2 to use org.springframework:spring-webmvc version 6.1.14 (current: 6.0.0, latest: 6.2.0).
🚩 GHSA-7phw-cxx7-q9vq: Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch

Details

  • Severity: High
  • Tags: Direct, Normal, Potentially Reachable Function, Potentially Reachable Dependency, Fix Available, Blocker
  • Categories: Security Vulnerability
  • Summary: org.springframework:spring-webmvc@6.0.0 has a high severity vulnerability identified by GHSA-7phw-cxx7-q9vq: Spring Framework is vulnerable to security bypass via mvcRequestMatcher pattern mismatch. This vulnerability was fixed in version 6.0.7.
    org.springframework:spring-webmvc@6.0.0 is a direct dependency of org.owasp:benchmark@1.2.
  • Remediation: Update org.owasp:benchmark@1.2 to use org.springframework:spring-webmvc version 6.0.7 (current: 6.0.0, latest: 6.2.0).

This comment was automatically generated by Endor Labs.
Scanned @ 11-29-2024 20:24:49 UTC

