Skip to content

[Snyk] Fix for 28 vulnerabilities #33

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Shravya78 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Fix for 28 vulnerabilities #33

Shravya78 wants to merge 1 commit into from

Conversation

@Shravya78
Copy link
Owner

@Shravya78 Shravya78 commented Dec 26, 2024

snyk-top-banner

Snyk has created this PR to fix 28 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
critical severity Missing Authorization
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135		   680   org.springframework.boot:spring-boot-starter-security:
2.1.5.RELEASE -> 3.2.11
org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426		   670   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade Reachable Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897		   670   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade Reachable Proof of Concept
high severity Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924		   660   com.thoughtworks.xstream:xstream:
1.4.10 -> 1.4.21
org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found Proof of Concept
high severity Path Traversal
SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490		   660   Major version upgrade No Path Found Proof of Concept
high severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538		   585   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found No Known Exploit
high severity Stack-based Buffer Overflow
SNYK-JAVA-COMGOOGLEPROTOBUF-8055227		   585   mysql:mysql-connector-java:
8.0.12 -> 8.0.31
No Path Found No Known Exploit
high severity Insufficient Session Expiration
SNYK-JAVA-ORGAPACHETOMCATEMBED-7430175		   585   Major version upgrade No Path Found No Known Exploit
high severity Path Traversal
SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373		   585   Major version upgrade No Path Found No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JAVA-IONETTY-8367012		   565   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found Proof of Concept
high severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244		   525   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424		   520   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found Proof of Concept
medium severity Uncontrolled Resource Consumption
SNYK-JAVA-COMMONSIO-8161190		   495   commons-io:commons-io:
2.5 -> 2.14.0
No Path Found No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447		   495   org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JAVA-ORGSPRINGFRAMEWORK-8384234		   495   Major version upgrade No Path Found No Known Exploit
medium severity Authorization Bypass
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399269		   465   org.springframework.security:spring-security-config:
4.2.12.RELEASE -> 6.2.7
org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
medium severity Authorization Bypass
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399272		   465   org.springframework.boot:spring-boot-starter-security:
2.1.5.RELEASE -> 3.2.11
org.springframework.security:spring-security-config:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
medium severity Authorization Bypass
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399273		   465   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found No Known Exploit
medium severity Authorization Bypass
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399278		   465   org.springframework.boot:spring-boot-starter-security:
2.1.5.RELEASE -> 3.2.11
org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
medium severity Deserialization of Untrusted Data
SNYK-JAVA-COMGOOGLEGUAVA-32236		   445   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found No Known Exploit
medium severity Open Redirect
SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980		   420   org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180		   415   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found No Known Exploit
low severity Information Disclosure
SNYK-JAVA-COMGOOGLEGUAVA-1015415		   390   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found Proof of Concept
low severity Creation of Temporary File in Directory with Insecure Permissions
SNYK-JAVA-COMGOOGLEGUAVA-5710356		   315   org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:
1.4.0.RELEASE -> 4.2.0
Major version upgrade No Path Found No Known Exploit
low severity Improper Handling of Case Sensitivity
SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364		   265   org.springframework.security:spring-security-config:
4.2.12.RELEASE -> 6.2.7
org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
low severity Improper Handling of Case Sensitivity
SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365		   265   org.mybatis.spring.boot:mybatis-spring-boot-starter:
1.3.2 -> 3.0.4
org.springframework.security:spring-security-config:
4.2.12.RELEASE -> 6.2.7
org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
low severity Improper Handling of Case Sensitivity
SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366		   265   org.springframework.security:spring-security-web:
4.2.12.RELEASE -> 6.2.7
Major version upgrade No Path Found No Known Exploit
low severity Improper Handling of Case Sensitivity
SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368		   265   Major version upgrade No Path Found No Known Exploit

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.springframework.boot:spring-boot-starter-actuator@1.5.1.RELEASE to org.springframework.boot:spring-boot-starter-actuator@2.0.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.1.RELEASE/spring-boot-dependencies-1.5.1.RELEASE.pom
  • Could not upgrade org.springframework.boot:spring-boot-starter-web@1.5.1.RELEASE to org.springframework.boot:spring-boot-starter-web@3.2.11; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.1.RELEASE/spring-boot-dependencies-1.5.1.RELEASE.pom
  • Could not upgrade org.springframework:spring-test@4.3.6.RELEASE to org.springframework:spring-test@6.1.14; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/spring-framework-bom/4.3.6.RELEASE/spring-framework-bom-4.3.6.RELEASE.pom

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Creation of Temporary File in Directory with Insecure Permissions
🦉 Deserialization of Untrusted Data
🦉 More lessons are available in Snyk Learn

@snyk-bot
fix: pom.xml to reduce vulnerabilities
97541c8 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-8352924
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-7945490
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEPROTOBUF-8055227
- https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-7430175
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-8230373
- https://snyk.io/vuln/SNYK-JAVA-IONETTY-8367012
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244
- https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424
- https://snyk.io/vuln/SNYK-JAVA-COMMONSIO-8161190
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-7687447
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-8384234
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399269
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399272
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399273
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399278
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415
- https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-5710356
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-8230364
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-8230368
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Shravya78 @snyk-bot