
springfox-boot-starter-3.0.0.jar: 3 vulnerabilities (highest severity is: 7.5) unreachable #4

Open
mend-for-github-com bot opened this issue May 1, 2023 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend


mend-for-github-com bot commented May 1, 2023

Vulnerable Library - springfox-boot-starter-3.0.0.jar

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.springfox/springfox-swagger2/3.0.0/7bcb18d496576eff76ef7bb72684e149cbb75c1d/springfox-swagger2-3.0.0.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (springfox-boot-starter version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2021-47621 | High | 7.5 | classgraph-4.8.83.jar | Transitive | N/A* | | Unreachable |
| WS-2020-0407 | Medium | 4.3 | springfox-swagger2-3.0.0.jar | Transitive | N/A* | | Unreachable |
| CVE-2018-25031 | Medium | 4.3 | springfox-swagger-ui-3.0.0.jar | Transitive | N/A* | | Unreachable |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2021-47621

Vulnerable Library - classgraph-4.8.83.jar

The uber-fast, ultra-lightweight classpath and module scanner for JVM languages.

Library home page: https://github.com/classgraph/classgraph

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.github.classgraph/classgraph/4.8.83/7be289f451cedf9e35ed97caba3953226b4e6d9/classgraph-4.8.83.jar

Dependency Hierarchy:

  • springfox-boot-starter-3.0.0.jar (Root Library)
    • springfox-oas-3.0.0.jar
      • springfox-spring-web-3.0.0.jar
        • classgraph-4.8.83.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

Publish Date: 2024-06-21

URL: CVE-2021-47621

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-47621

Release Date: 2024-06-21

Fix Resolution: io.github.classgraph:classgraph:4.8.112

WS-2020-0407

Vulnerable Library - springfox-swagger2-3.0.0.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.springfox/springfox-swagger2/3.0.0/7bcb18d496576eff76ef7bb72684e149cbb75c1d/springfox-swagger2-3.0.0.jar

Dependency Hierarchy:

  • springfox-boot-starter-3.0.0.jar (Root Library)
    • springfox-swagger2-3.0.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

An issue was found in io.springfox:springfox-swagger2. This vulnerability can lead to "log injection", where untrusted data gets written into log files/entries. It allows attackers to forge log entries or inject malicious content into the logs.

Publish Date: 2020-09-09

URL: WS-2020-0407

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


CVE-2018-25031

Vulnerable Library - springfox-swagger-ui-3.0.0.jar

JSON API documentation for spring based applications

Library home page: https://github.com/springfox/springfox

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.springfox/springfox-swagger-ui/3.0.0/1e665fbe22148f7c36fa8a08e515a0047cd4390b/springfox-swagger-ui-3.0.0.jar

Dependency Hierarchy:

  • springfox-boot-starter-3.0.0.jar (Root Library)
    • springfox-swagger-ui-3.0.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions. Note: This was originally claimed to be resolved in 4.1.3. However, third parties have indicated this is not resolved in 4.1.3 and even occurs in that version and possibly others.
Mend Note: Converted from WS-2021-0461, on 2022-12-21.

Publish Date: 2022-03-11

URL: CVE-2018-25031

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-qrmm-w75w-3wpx

Release Date: 2022-03-11

Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3

Issue history:

  • May 1, 2023: mend-for-github-com bot added the label "Mend: dependency security vulnerability" (Security vulnerability detected by Mend)
  • Mar 21, 2024: mend-for-github-com bot changed the title from "springfox-boot-starter-3.0.0.jar: 2 vulnerabilities (highest severity is: 4.3)" to "springfox-boot-starter-3.0.0.jar: 1 vulnerabilities (highest severity is: 4.3)"
  • Apr 9, 2024: mend-for-github-com bot changed the title from "springfox-boot-starter-3.0.0.jar: 1 vulnerabilities (highest severity is: 4.3)" to "springfox-boot-starter-3.0.0.jar: 2 vulnerabilities (highest severity is: 4.3)"
  • Jun 25, 2024: mend-for-github-com bot changed the title from "springfox-boot-starter-3.0.0.jar: 2 vulnerabilities (highest severity is: 4.3)" to "springfox-boot-starter-3.0.0.jar: 3 vulnerabilities (highest severity is: 6.5)"
  • Aug 20, 2024: mend-for-github-com bot changed the title from "springfox-boot-starter-3.0.0.jar: 3 vulnerabilities (highest severity is: 6.5)" to "springfox-boot-starter-3.0.0.jar: 3 vulnerabilities (highest severity is: 7.5)"
  • Dec 17, 2024: mend-for-github-com bot changed the title from "springfox-boot-starter-3.0.0.jar: 3 vulnerabilities (highest severity is: 7.5)" to "springfox-boot-starter-3.0.0.jar: 3 vulnerabilities (highest severity is: 7.5) unreachable"