spring-boot-starter-web-1.5.5.RELEASE.jar: 142 vulnerabilities (highest severity is: 10.0) reachable #3

mend-for-github-com · 2025-02-11T08:44:19Z

Vulnerable Library - spring-boot-starter-web-1.5.5.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-boot-starter-web version)	Remediation Possible**	Reachability
CVE-2018-14721	Critical	10.0	jackson-databind-2.8.9.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2022-22965	Critical	9.8	spring-beans-4.3.10.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2020-9548	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-9547	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-9546	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-8840	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-20330	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-17531	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2019-17267	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-16943	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-16942	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-16335	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14893	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14892	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14540	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-14379	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-10202	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.1.6.RELEASE	✅	Reachable
CVE-2018-7489	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2018-19362	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-19361	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-19360	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-14720	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-14719	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2018-14718	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.18.RELEASE	✅	Reachable
CVE-2018-11307	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2017-5929	Critical	9.8	detected in multiple dependencies	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2017-17485	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2017-15095	Critical	9.8	jackson-databind-2.8.9.jar	Transitive	1.5.7.RELEASE	✅	Reachable
CVE-2020-11113	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-11112	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-11111	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10969	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10968	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10673	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10672	High	8.8	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2022-1471	High	8.3	snakeyaml-1.17.jar	Transitive	3.2.0	✅	Reachable
CVE-2024-22262	High	8.1	spring-web-4.3.10.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2024-22259	High	8.1	spring-web-4.3.10.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2024-22243	High	8.1	spring-web-4.3.10.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2021-20190	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36189	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36188	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36187	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36186	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36185	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36184	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36183	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36182	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36181	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36180	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-36179	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-24750	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-24616	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14195	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14062	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14061	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-14060	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2020-11620	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-11619	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2020-10650	High	8.1	jackson-databind-2.8.9.jar	Transitive	2.2.0.RELEASE	✅	Reachable
CVE-2018-5968	High	8.1	jackson-databind-2.8.9.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2017-12617	High	8.1	tomcat-embed-core-8.5.16.jar	Transitive	1.5.8.RELEASE	✅	Reachable
CVE-2022-27772	High	7.8	spring-boot-1.5.5.RELEASE.jar	Transitive	2.2.11.RELEASE	✅	Reachable
WS-2022-0468	High	7.5	jackson-core-2.8.9.jar	Transitive	3.1.0	✅	Reachable
CVE-2024-38819	High	7.5	spring-webmvc-4.3.10.RELEASE.jar	Transitive	3.2.11	✅	Reachable
CVE-2024-38816	High	7.5	spring-webmvc-4.3.10.RELEASE.jar	Transitive	3.2.10	✅	Reachable
CVE-2024-24549	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-46589	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-44487	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	N/A*	❌	Reachable
CVE-2023-24998	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2022-42252	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	N/A*	❌	Reachable
CVE-2022-42004	High	7.5	jackson-databind-2.8.9.jar	Transitive	2.6.0	✅	Reachable
CVE-2022-42003	High	7.5	jackson-databind-2.8.9.jar	Transitive	2.6.0	✅	Reachable
CVE-2022-25857	High	7.5	snakeyaml-1.17.jar	Transitive	3.0.0	✅	Reachable
CVE-2021-41079	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2021-25122	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2020-36518	High	7.5	jackson-databind-2.8.9.jar	Transitive	2.5.15	✅	Reachable
CVE-2020-17527	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2020-13934	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2019-17563	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2019-14439	High	7.5	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-12086	High	7.5	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-10072	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	1.5.22.RELEASE	✅	Reachable
CVE-2019-0199	High	7.5	tomcat-embed-core-8.5.16.jar	Transitive	1.5.20.RELEASE	✅	Reachable
CVE-2018-15756	High	7.5	spring-web-4.3.10.RELEASE.jar	Transitive	1.5.17.RELEASE	✅	Reachable
CVE-2018-1272	High	7.5	spring-core-4.3.10.RELEASE.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2018-12023	High	7.5	jackson-databind-2.8.9.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2018-12022	High	7.5	jackson-databind-2.8.9.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2018-11040	High	7.5	detected in multiple dependencies	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2017-18640	High	7.5	snakeyaml-1.17.jar	Transitive	2.3.0.RELEASE	✅	Reachable
CVE-2023-6481	High	7.1	logback-core-1.1.11.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2023-6378	High	7.1	logback-classic-1.1.11.jar	Transitive	3.2.1	✅	Reachable
CVE-2021-25329	High	7.0	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2020-9484	High	7.0	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2017-7536	High	7.0	hibernate-validator-5.3.5.Final.jar	Transitive	1.5.9.RELEASE	✅	Reachable
CVE-2024-12798	Medium	6.6	detected in multiple dependencies	Transitive	N/A*	❌	Reachable
CVE-2021-42550	Medium	6.6	detected in multiple dependencies	Transitive	2.5.8	✅	Reachable
CVE-2023-20863	Medium	6.5	spring-expression-4.3.10.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2023-20861	Medium	6.5	spring-expression-4.3.10.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2022-38752	Medium	6.5	snakeyaml-1.17.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-38751	Medium	6.5	snakeyaml-1.17.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-38750	Medium	6.5	snakeyaml-1.17.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-38749	Medium	6.5	snakeyaml-1.17.jar	Transitive	3.0.0	✅	Reachable
CVE-2022-22950	Medium	6.5	spring-expression-4.3.10.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2021-30640	Medium	6.5	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2020-5421	Medium	6.5	spring-web-4.3.10.RELEASE.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2023-41080	Medium	6.1	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-1932	Medium	6.1	hibernate-validator-5.3.5.Final.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2021-24122	Medium	5.9	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2019-12814	Medium	5.9	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2019-12384	Medium	5.9	jackson-databind-2.8.9.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2018-8037	Medium	5.9	tomcat-embed-core-8.5.16.jar	Transitive	1.5.15.RELEASE	✅	Reachable
CVE-2018-1271	Medium	5.9	spring-webmvc-4.3.10.RELEASE.jar	Transitive	1.5.11.RELEASE	✅	Reachable
CVE-2018-11039	Medium	5.9	spring-web-4.3.10.RELEASE.jar	Transitive	1.5.14.RELEASE	✅	Reachable
CVE-2022-41854	Medium	5.8	snakeyaml-1.17.jar	Transitive	3.0.0	✅	Reachable
CVE-2024-38828	Medium	5.3	spring-webmvc-4.3.10.RELEASE.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38809	Medium	5.3	spring-web-4.3.10.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2024-21733	Medium	5.3	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-45648	Medium	5.3	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2023-42795	Medium	5.3	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2022-22970	Medium	5.3	detected in multiple dependencies	Transitive	2.4.0	✅	Reachable
CVE-2022-22968	Medium	5.3	spring-context-4.3.10.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2021-33037	Medium	5.3	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2020-10693	Medium	5.3	hibernate-validator-5.3.5.Final.jar	Transitive	2.0.0.RELEASE	✅	Reachable
CVE-2018-1199	Medium	5.3	spring-core-4.3.10.RELEASE.jar	Transitive	1.5.10.RELEASE	✅	Reachable
CVE-2020-1935	Medium	4.8	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2024-12801	Medium	4.4	logback-core-1.1.11.jar	Transitive	N/A*	❌	Reachable
CVE-2024-38808	Medium	4.3	spring-expression-4.3.10.RELEASE.jar	Transitive	3.0.0	✅	Reachable
CVE-2023-28708	Medium	4.3	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2021-22096	Medium	4.3	detected in multiple dependencies	Transitive	2.4.0	✅	Reachable
CVE-2021-22060	Medium	4.3	spring-core-4.3.10.RELEASE.jar	Transitive	2.4.0	✅	Reachable
CVE-2020-13943	Medium	4.3	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2021-43980	Low	3.7	tomcat-embed-core-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Reachable
CVE-2024-38820	Low	3.1	spring-context-4.3.10.RELEASE.jar	Transitive	3.2.11	✅	Reachable
CVE-2018-8014	Critical	9.8	tomcat-embed-core-8.5.16.jar	Transitive	1.5.15.RELEASE	✅	Unreachable
CVE-2016-1000027	Critical	9.8	spring-web-4.3.10.RELEASE.jar	Transitive	2.0.0.RELEASE	✅	Unreachable
CVE-2019-0232	High	8.1	tomcat-embed-core-8.5.16.jar	Transitive	1.5.21.RELEASE	✅	Unreachable
CVE-2023-20883	High	7.5	spring-boot-autoconfigure-1.5.5.RELEASE.jar	Transitive	2.5.15	✅	Unreachable
CVE-2020-13935	High	7.5	tomcat-embed-websocket-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Unreachable
CVE-2018-8034	High	7.5	tomcat-embed-websocket-8.5.16.jar	Transitive	1.5.15.RELEASE	✅	Unreachable
CVE-2024-23672	Medium	6.3	tomcat-embed-websocket-8.5.16.jar	Transitive	2.1.0.RELEASE	✅	Unreachable
CVE-2019-0221	Medium	6.1	tomcat-embed-core-8.5.16.jar	Transitive	1.5.21.RELEASE	✅	Unreachable

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (2 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2018-14721

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://fasterxml.com/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

spring-boot-starter-web-1.5.5.RELEASE.jar (Root Library)
- ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.web.context.support.StaticWebApplicationContext (Extension)
   -> org.springframework.web.filter.HttpPutFormContentFilter (Extension)
    -> org.springframework.http.converter.support.AllEncompassingFormHttpMessageConverter (Extension)
     -> org.springframework.http.converter.json.MappingJackson2HttpMessageConverter (Extension)
      -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
       -> ❌ com.fasterxml.jackson.databind.deser.BeanDeserializerFactory (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.6.7.3,2.7.9.5,2.8.11.3,2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-22965

Vulnerable Library - spring-beans-4.3.10.RELEASE.jar

Spring Beans

Library home page: http://projects.spring.io/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar

Dependency Hierarchy:

spring-boot-starter-web-1.5.5.RELEASE.jar (Root Library)
- spring-boot-starter-1.5.5.RELEASE.jar
  - spring-boot-1.5.5.RELEASE.jar
    - spring-context-4.3.10.RELEASE.jar
      - spring-aop-4.3.10.RELEASE.jar
        
        ❌ spring-beans-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 21d02aa2a835d033894b1b2e4c4fdadc665ed2b9

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.t246osslab.easybuggy4sb.controller.AbstractController (Application)
  -> org.springframework.context.support.AbstractApplicationContext (Extension)
   -> ❌ org.springframework.beans.CachedIntrospectionResults (Vulnerable Component)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

The text was updated successfully, but these errors were encountered:

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Feb 11, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

spring-boot-starter-web-1.5.5.RELEASE.jar: 142 vulnerabilities (highest severity is: 10.0) reachable #3

spring-boot-starter-web-1.5.5.RELEASE.jar: 142 vulnerabilities (highest severity is: 10.0) reachable #3

mend-for-github-com bot commented Feb 11, 2025 •

edited

Loading

Vulnerable Library - jackson-databind-2.8.9.jar

Reachability Analysis

Vulnerability Details

CVSS 3 Score Details (10.0)

Suggested Fix

Vulnerable Library - spring-beans-4.3.10.RELEASE.jar

Reachability Analysis

Vulnerability Details

CVSS 3 Score Details (9.8)

Suggested Fix

spring-boot-starter-web-1.5.5.RELEASE.jar: 142 vulnerabilities (highest severity is: 10.0) reachable #3

spring-boot-starter-web-1.5.5.RELEASE.jar: 142 vulnerabilities (highest severity is: 10.0) reachable #3

Comments

mend-for-github-com bot commented Feb 11, 2025 • edited Loading

Vulnerabilities

Details

Vulnerable Library - jackson-databind-2.8.9.jar

Reachability Analysis

Vulnerability Details

CVSS 3 Score Details (10.0)

Suggested Fix

Vulnerable Library - spring-beans-4.3.10.RELEASE.jar

Reachability Analysis

Vulnerability Details

CVSS 3 Score Details (9.8)

Suggested Fix

mend-for-github-com bot commented Feb 11, 2025 •

edited

Loading