Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy/1.15.11/byte-buddy-1.15.11.jar MD5: 603bc53c7a294f23765bfb7e1820ad44 SHA1: f61886478e0f9ee4c21d09574736f0ff45e0a46c SHA256:fa08998aae1e7bdae83bde0712c50e8444d71c0e0c196bb2247ade8d4ad0eb90 Referenced In Project/Scope: waffle-spring-boot-filter2:compile byte-buddy-1.15.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
File Path: /home/runner/.m2/repository/net/bytebuddy/byte-buddy-agent/1.15.11/byte-buddy-agent-1.15.11.jar MD5: 449a1534609bf3535d74cbb10b4ed074 SHA1: a38b16385e867f59a641330f0362ebe742788ed8 SHA256:316d2c0795c2a4d4c4756f2e6f9349837c7430ac34e0477ead874d05f5cc19e5 Referenced In Project/Scope: waffle-spring-boot-filter2:compile byte-buddy-agent-1.15.11.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/github/ben-manes/caffeine/caffeine/3.1.8/caffeine-3.1.8.jar MD5: b19301179903e8781776397d9923f7c8 SHA1: 24795585df8afaf70a2cd534786904ea5889c047 SHA256:7dd15f9df1be238ffaa367ce6f556737a88031de4294dad18eef57c474ddf1d3 Referenced In Project/Scope: waffle-spring-boot-filter2:compile caffeine-3.1.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.5.2-SNAPSHOT
checker-qual contains annotations (type qualifiers) that a programmerwrites to specify Java code for type-checking by the Checker Framework.
License:
The MIT License: http://opensource.org/licenses/MIT
File Path: /home/runner/.m2/repository/org/checkerframework/checker-qual/3.48.3/checker-qual-3.48.3.jar MD5: 9fe3deae54d20bd78960459c952ac7d4 SHA1: c48effe7d78de3cf5e8a98c614281ec6a2466a77 SHA256:443685b1b232803baaf803c15d6f5a425473c6f7b81c5f276dfcf93288e389a5 Referenced In Project/Scope: waffle-spring-boot-filter2:compile checker-qual-3.48.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.5.2-SNAPSHOT
Referenced In Project/Scope: waffle-spring-boot-filter2 com.github.waffle:waffle-jna:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Referenced In Project/Scope: waffle-spring-boot-filter2 com.github.waffle:waffle-spring-boot-autoconfigure2:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Referenced In Project/Scope: waffle-spring-boot-filter2 com.github.waffle:waffle-spring-boot-starter2:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Referenced In Project/Scope: waffle-spring-boot-filter2 com.github.waffle:waffle-spring-security5:3.5.2-SNAPSHOT is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
File Path: /home/runner/.m2/repository/com/google/errorprone/error_prone_annotations/2.36.0/error_prone_annotations-2.36.0.jar MD5: 0e48e5ba2cd0a8d8d09bad849b99f6a6 SHA1: 227d4d4957ccc3dc5761bd897e3a0ee587e750a7 SHA256:77440e270b0bc9a249903c5a076c36a722c4886ca4f42675f2903a1c53ed61a5 Referenced In Project/Scope: waffle-spring-boot-filter2:provided error_prone_annotations-2.36.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/j2objc/j2objc-annotations/3.0.0/j2objc-annotations-3.0.0.jar MD5: f59529b29202a5baf37f491ea5ec8627 SHA1: 7399e65dd7e9ff3404f4535b2f017093bdb134c7 SHA256:88241573467ddca44ffd4d74aa04c2bbfd11bf7c17e0c342c94c9de7a70a7c64 Referenced In Project/Scope: waffle-spring-boot-filter2:provided j2objc-annotations-3.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.13.5/jackson-core-2.13.5.jar MD5: 2272453c780d1383ecd2efde00c1a7a9 SHA1: 0d07c97d3de9ea658caf1ff1809fd9de930a286a SHA256:48f36a025311d0464ad8dda4512a20c79e279a9550f63f3179d731d94482474b Referenced In Project/Scope: waffle-spring-boot-filter2:compile jackson-core-2.13.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
General data-binding functionality for Jackson: works on core streaming API
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.13.5/jackson-databind-2.13.5.jar MD5: 1dbb98839964a6967a428d868b2d8714 SHA1: aa95e46dbc32454f3983221d420e78ef19ddf844 SHA256:5fedb24b2356491815d18267f65da9a21dd67413345ad7795f221afa25c78984 Referenced In Project/Scope: waffle-spring-boot-filter2:compile jackson-databind-2.13.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CWE-770 Allocation of Resources Without Limits or Throttling
File Path: /home/runner/.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar MD5: 8b165cf58df5f8c2a222f637c0a07c97 SHA1: 59eb84ee0d616332ff44aba065f3888cf002cd2d SHA256:85fb03fc054cdf4efca8efd9b6712bbb418e1ab98241c4539c8585bbc23e1b8a Referenced In Project/Scope: waffle-spring-boot-filter2:compile jakarta.annotation-api-1.3.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
File Path: /home/runner/.m2/repository/jakarta/servlet/jakarta.servlet-api/4.0.4/jakarta.servlet-api-4.0.4.jar MD5: f5d1d7a29978e4ae0be5a456ee1c65c3 SHA1: b8a1142e04838fe54194049c6e7a18dae8f9b960 SHA256:586e27706c21258f5882f43be06904f49b02db9ac54e345d393fe4a32494d127 Referenced In Project/Scope: waffle-spring-boot-filter2:provided jakarta.servlet-api-4.0.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna/5.16.0/jna-5.16.0.jar MD5: accc2e2b8676434a87f4f73fb4d90b44 SHA1: ebea09f91dc9f7048099f963fb8d6f919f0a4d9c SHA256:3f5233589a799eb66dc2969afa3433fb56859d3d787c58b9bc7dd9e86f0a250c Referenced In Project/Scope: waffle-spring-boot-filter2:compile jna-5.16.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.5.2-SNAPSHOT
File Path: /home/runner/.m2/repository/net/java/dev/jna/jna-platform/5.16.0/jna-platform-5.16.0.jar MD5: 12ba6b7a7752ecf0a5baed725f3192c2 SHA1: b2a9065f97c166893d504b164706512338e3bbc2 SHA256:e5a79523964509757555782bb60283e4902611013f107e4600dc93298f73f382 Referenced In Project/Scope: waffle-spring-boot-filter2:compile jna-platform-5.16.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.5.2-SNAPSHOT
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/com/google/code/findbugs/jsr305/3.0.2/jsr305-3.0.2.jar MD5: dd83accb899363c32b07d7a1b2e4ce40 SHA1: 25ea2e8b0c338a877313bd4672d3fe056ea78f0d SHA256:766ad2a0783f2687962c8ad74ceecc38a28b9f72a2d085ee438b7813e928d0c7 Referenced In Project/Scope: waffle-spring-boot-filter2:provided jsr305-3.0.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.spotbugs/spotbugs-annotations@4.8.6
File Path: /home/runner/.m2/repository/org/slf4j/jul-to-slf4j/1.7.36/jul-to-slf4j-1.7.36.jar MD5: 2a3fe73e6cafe8f102facaf2dd65353f SHA1: ed46d81cef9c412a88caef405b58f93a678ff2ca SHA256:9e641fb142c5f0b0623d6222c09ea87523a41bf6bed48ac79940724010b989de Referenced In Project/Scope: waffle-spring-boot-filter2:compile jul-to-slf4j-1.7.36.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
The logging API of the Log4j project.
Library and application code can log through this API.
It contains a simple built-in implementation (`SimpleLogger`) for trivial use cases.
Production applications are recommended to use Log4j API in combination with a fully-fledged implementation, such as Log4j Core.
File Path: /home/runner/.m2/repository/org/apache/logging/log4j/log4j-api/2.24.3/log4j-api-2.24.3.jar MD5: d89516699543c5c21be87ee1760695f3 SHA1: b02c125db8b6d295adf72ae6e71af5d83bce2370 SHA256:5b4a0a0cd0e751ded431c162442bdbdd53328d1f8bb2bae5fc1bbeee0f66d80f Referenced In Project/Scope: waffle-spring-boot-filter2:compile log4j-api-2.24.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
File Path: /home/runner/.m2/repository/org/apache/logging/log4j/log4j-to-slf4j/2.24.3/log4j-to-slf4j-2.24.3.jar MD5: 1f4b63f9c41f2f5179aa10b35d76e805 SHA1: da1143e2a2531ee1c2d90baa98eb50a28a39d5a7 SHA256:c7f2b0c612a4eb05b1587d1c880eb4cf5f4f53850676a8ede8da2b8fabb4f73f Referenced In Project/Scope: waffle-spring-boot-filter2:compile log4j-to-slf4j-2.24.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
File Path: /home/runner/.m2/repository/ch/qos/logback/logback-classic/1.5.15/logback-classic-1.5.15.jar MD5: 042b4c78d1f6b7e862cc3de54e995642 SHA1: 07f8d6371626833bd1a232fe35490edffe04e5b3 SHA256:5832abd425fc3036182f02931e9a121e7b464ddf2323ef7361b863570d3c8aa2 Referenced In Project/Scope: waffle-spring-boot-filter2:compile logback-classic-1.5.15.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
File Path: /home/runner/.m2/repository/ch/qos/logback/logback-core/1.2.12/logback-core-1.2.12.jar MD5: 879d60b3fa9c6617cee4e20f12f6a16e SHA1: 1d8e51a698b138065d73baefb4f94531faa323cb SHA256:0cba0755fbdc1793f60dc9d1ef22337737899f4f28b485c42bcadacb73664b34 Referenced In Project/Scope: waffle-spring-boot-filter2:compile logback-core-1.2.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/ch.qos.logback/logback-classic@1.5.15
A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto and including version 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-12801 for details
File Path: /home/runner/.m2/repository/org/slf4j/slf4j-api/1.7.36/slf4j-api-1.7.36.jar MD5: 872da51f5de7f3923da4de871d57fd85 SHA1: 6c62681a2f655b49963a5983b8b0950a6120ae14 SHA256:d3ef575e3e4979678dc01bf1dcce51021493b4d11fb7f1be8ad982877c16a1c0 Referenced In Project/Scope: waffle-spring-boot-filter2:compile slf4j-api-1.7.36.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-jna@3.5.2-SNAPSHOT
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar MD5: ba063b8ef3a8bfd591a1b56451166b14 SHA1: 8fde7fe2586328ac3c68db92045e1c8759125000 SHA256:f43a4e40a946b8cdfd0321bc1c9a839bc3f119c57e4ca84fb87c367f51c8b2b3 Referenced In Project/Scope: waffle-spring-boot-filter2:compile snakeyaml-1.30.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
CWE-502 Deserialization of Untrusted Data, CWE-20 Improper Input Validation
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html
File Path: /home/runner/.m2/repository/com/github/spotbugs/spotbugs-annotations/4.8.6/spotbugs-annotations-4.8.6.jar MD5: 0806b237c67c69869506ce3ced9a722f SHA1: 1dcffed3e561ed32134a0dff4717f19bc2fdf4d8 SHA256:4548b74a815ed44f5480ca4f06204a8b00809dc7e5f6a825a9edf18f40377b65 Referenced In Project/Scope: waffle-spring-boot-filter2:provided spotbugs-annotations-4.8.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot/2.7.18/spring-boot-2.7.18.jar MD5: 0941c83c25204150f8bd73ae66c63fd1 SHA1: f6dbdd8da7c2bded63dff9b1f48d01a4923f20a0 SHA256:530f4e0fdfeb3a0e2b3a369d15cdea38fbdc1696f8b030c35a6ad65c27524950 Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-boot-2.7.18.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
License:
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/boot/spring-boot-starter-web/2.7.18/spring-boot-starter-web-2.7.18.jar MD5: e0bfe77aa7415f3b86d70d41cf425ccd SHA1: 0dd62ea85098187b4604e78dc15a7ff87dba173d SHA256:a74fab5f826b600e3c3f4cd7028c5c982b0bf1b849673629cbb758ae790a4c08 Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-boot-starter-web-2.7.18.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle.demo/waffle-spring-boot-filter2@3.5.2-SNAPSHOT
Evidence
Type
Source
Name
Value
Confidence
Vendor
file
name
spring-boot-starter-web
High
Vendor
hint analyzer
vendor
pivotal software
Highest
Vendor
hint analyzer
vendor
SpringSource
Highest
Vendor
hint analyzer
vendor
vmware
Highest
Vendor
Manifest
automatic-module-name
spring.boot.starter.web
Medium
Vendor
Manifest
build-jdk-spec
1.8
Low
Vendor
Manifest
spring-boot-jar-type
dependencies-starter
Low
Vendor
pom
artifactid
spring-boot-starter-web
Highest
Vendor
pom
artifactid
spring-boot-starter-web
Low
Vendor
pom
developer email
ask@spring.io
Low
Vendor
pom
developer name
Spring
Medium
Vendor
pom
developer org
VMware, Inc.
Medium
Vendor
pom
developer org URL
https://www.spring.io
Medium
Vendor
pom
groupid
org.springframework.boot
Highest
Vendor
pom
name
spring-boot-starter-web
High
Vendor
pom
organization name
VMware, Inc.
High
Vendor
pom
organization url
https://spring.io
Medium
Vendor
pom
url
https://spring.io/projects/spring-boot
Highest
Product
file
name
spring-boot-starter-web
High
Product
Manifest
automatic-module-name
spring.boot.starter.web
Medium
Product
Manifest
build-jdk-spec
1.8
Low
Product
Manifest
Implementation-Title
Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/spring-core/5.3.31/spring-core-5.3.31.jar MD5: a9ef5a29eaa89fe909a0c4ed870d90a1 SHA1: 368e76f732a3c331b970f69cafec1525d27b34d3 SHA256:7013ed3da15a8d4be797f5c310f9aa1b196b97f2313bc41e60ef3f5627224fe9 Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-core-5.3.31.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter@2.7.18
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/spring-expression/5.3.31/spring-expression-5.3.31.jar MD5: 9e309bb1a738acbd0ac9c9fc58931fd3 SHA1: 55637af1b186d1008890980c2876c5fc83599756 SHA256:e027f122b8a4e3030339068220bed02d1c9d397eb5897f1e33ba2f63b22591ac Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-expression-5.3.31.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT
In Spring Framework versions 5.3.0 - 5.3.38 and older unsupported versions, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression that may cause a denial of service (DoS) condition.
Specifically, an application is vulnerable when the following is true:
* The application evaluates user-supplied SpEL expressions.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-38808 for details
CWE-770 Allocation of Resources Without Limits or Throttling
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/security/spring-security-core/5.8.16/spring-security-core-5.8.16.jar MD5: c70ae997256d27ca6fb1c7a8b24e4248 SHA1: b3d21a1f967db39dabaca487ba3fe58972e6a9a5 SHA256:3be7d217048f5ea76fd6d0eddaa3169ad3bee0bba9c456e27670ec37ca33c3fd Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-security-core-5.8.16.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/security/spring-security-crypto/5.8.16/spring-security-crypto-5.8.16.jar MD5: 987ca02bb810d32c7d86968ff84e887c SHA1: 340f3bb882bea8e9eafc66671d4c8e50f11867a7 SHA256:e47acdd647997efb36609698b64a2bec37fa119210f88fad813aa53610433cfd Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-security-crypto-5.8.16.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.github.waffle/waffle-spring-boot-starter2@3.5.2-SNAPSHOT
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-5408 for details
CWE-329 Generation of Predictable IV with CBC Mode
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/security/spring-security-web/5.8.16/spring-security-web-5.8.16.jar MD5: 137862bb11c72092dd94d14d380fc784 SHA1: fade885f7f9df056dd5e3592d949e888cd82397d SHA256:fe0843587f4dff188a1ecb822bf544c5f1c1ee46c757858a5a585039d8118304 Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-security-web-5.8.16.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-security@2.7.18
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/spring-web/5.3.31/spring-web-5.3.31.jar MD5: 4bef28044f222933ea2e45818c7f96a1 SHA1: 3bf73c385a1f2f4a0d482149d6a205e854cec497 SHA256:7b7b4db19acc8c0cdb0dea93a3aa4b1b706db4bcc7b77f677a0c56e86d379ac7 Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-web-5.3.31.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Applications that parse ETags from "If-Match" or "If-None-Match" request headers are vulnerable to DoS attack.
Users of affected versions should upgrade to the corresponding fixed version.
Users of older, unsupported versions could enforce a size limit on "If-Match" and "If-None-Match" headers, e.g. through a Filter.
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22243 for details
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/runner/.m2/repository/org/springframework/spring-webmvc/5.3.31/spring-webmvc-5.3.31.jar MD5: 7401b647e906d3853ad02b62496cfadf SHA1: 45754d056effe8257a012f6b98ed5454cf1e8960 SHA256:29c1b96c424dcb637fec2d1e6493b088d977e748a56da7f34e6a7c3c39d18c74 Referenced In Project/Scope: waffle-spring-boot-filter2:compile spring-webmvc-5.3.31.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.
Specifically, an application is vulnerable when both of the following are true:
* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location
However, malicious requests are blocked and rejected when any of the following is true:
* the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html is in use
* the application runs on Tomcat or Jetty
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
NVD-CWE-noinfo, CWE-178 Improper Handling of Case Sensitivity
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.83/tomcat-embed-core-9.0.83.jar MD5: d4e2068023fe800fd22a9fe2529c290b SHA1: d771e4343b0515c67dab2a09fe02f5d47550153f SHA256:4ed404d5dea8652846f3c52c094764c2ec018f28a3561f1d27df700f7aa5b376 Referenced In Project/Scope: waffle-spring-boot-filter2:compile tomcat-embed-core-9.0.83.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/runner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/9.0.83/tomcat-embed-el-9.0.83.jar MD5: eabd7f3ade6cb0cf36f7b238897b8f1d SHA1: b0cdada70099c25f45fceb48e1ebce60d138a5ce SHA256:a82c4cf8cf9e88d6891cbb4cbcb9f85f788e147c464cbeba15a2c83276f3344c Referenced In Project/Scope: waffle-spring-boot-filter2:compile tomcat-embed-el-9.0.83.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.18