[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.1.9 by weinrich15 · Pull Request #29 · LegitAJ/JavaVulnerableLab

weinrich15 · 2024-02-23T03:50:06Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Upgrade	Breaking Change	Exploit Maturity
	506/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 3.7	Buffer Overflow SNYK-JAVA-COMJAYWAYJSONPATH-6140361	`org.springframework.boot:spring-boot-starter-test:` `2.0.0.RELEASE -> 3.1.9`	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-COMJAYWAYJSONPATH-6140361

weinrich15 · 2024-02-23T03:53:36Z

Checkmarx One – Scan Summary & Details – 974ddaff-3c2e-4056-bf1f-8ac53961d182

New Issues

Issue	Source File / Package	Checkmarx Insight
CVE-2015-4852	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-6420	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-7501	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2016-10707	Npm-jquery-1.6.4	Vulnerable Package
CVE-2016-2170	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2022-4492	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2022-45688	Maven-org.json:json-20131018	Vulnerable Package
CVE-2023-1108	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-24998	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	Vulnerable Package
CVE-2023-44487	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	Vulnerable Package
CVE-2023-5072	Maven-org.json:json-20131018	Vulnerable Package
CVE-2023-5379	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2007-2379	Npm-jquery-1.6.4	Vulnerable Package
CVE-2012-6708	Npm-jquery-1.6.4	Vulnerable Package
CVE-2014-6071	Npm-jquery-1.6.4	Vulnerable Package
CVE-2015-9251	Npm-jquery-1.6.4	Vulnerable Package
CVE-2019-11358	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-11023	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-7656	Npm-jquery-1.6.4	Vulnerable Package
CVE-2023-42795	Maven-org.apache.tomcat:tomcat-util-9.0.22	Vulnerable Package
CVE-2023-42795	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	Vulnerable Package
CVE-2023-45648	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	Vulnerable Package
CVE-2024-21733	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-1.6.4	Vulnerable Package
RDS With Backup Disabled	/rds.tf: 1	Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup
Unpinned Actions Full Length Commit SHA	/cx.yml: 13	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Heap_Inspection	/src/main/webapp/vulnerability/csrf/changepassword.jsp: 34	Attack Vector
Heap_Inspection	/src/main/webapp/vulnerability/Injection/orm.jsp: 31	Attack Vector
Heap_Inspection	/src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: 28	Attack Vector
Heap_Inspection	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 33	Attack Vector
Use_Of_Hardcoded_Password	/src/main/java/org/cysecurity/cspf/jvl/controller/rds.java: 8	Attack Vector
Use_Of_Hardcoded_Password_In_Config	/src/main/webapp/WEB-INF/config.properties: 6	Attack Vector

Fixed Issues

Severity	Issue	Source File / Package
	CVE-2017-18640	Maven-org.yaml:snakeyaml-1.19
	CVE-2018-1272	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2021-27568	Maven-net.minidev:json-smart-2.3
	CVE-2021-31684	Maven-net.minidev:json-smart-2.3
	CVE-2022-22965	Maven-org.springframework:spring-beans-5.0.4.RELEASE
	CVE-2022-25857	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-27772	Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE
	Cx6a5f7948-7054	Maven-commons-collections:commons-collections-3.2.1
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 12
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 12
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 11
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CVE-2021-22060	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2021-22096	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2021-42550	Maven-ch.qos.logback:logback-classic-1.2.3
	CVE-2021-42550	Maven-ch.qos.logback:logback-core-1.2.3
	CVE-2022-22950	Maven-org.springframework:spring-expression-5.0.4.RELEASE
	CVE-2022-22950	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2022-22968	Maven-org.springframework:spring-context-5.0.4.RELEASE
	CVE-2022-22970	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2022-22970	Maven-org.springframework:spring-beans-5.0.4.RELEASE
	CVE-2022-22971	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2022-38749	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-38750	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-38751	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-38752	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-41854	Maven-org.yaml:snakeyaml-1.19
	Cleartext_Submission_of_Sensitive_Information	/src/main/webapp/ForgotPassword.jsp: 44
	External_Control_of_System_or_Config_Setting	/src/main/webapp/vulnerability/baasm/SiteTitle.jsp: 32
	External_Control_of_System_or_Config_Setting	/src/main/webapp/admin/Configure.jsp: 21
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 55
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 59
	Frameable_Login_Page	/src/main/webapp/login.jsp: 1
	HttpOnlyCookies_In_Config	/src/main/webapp/WEB-INF/web.xml: 0
	Input_Path_Not_Canonicalized	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 39
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/idor/download.jsp: 11
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/idor/download.jsp: 11
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 29
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 29
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id.jsp: 29
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id.jsp: 29
	Stored_Absolute_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id.jsp: 29
	Stored_Absolute_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 29
	Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 45
	Escape_False	/src/main/webapp/WEB-INF/AdminPanel.jsp: 5
	Escape_False	/src/main/webapp/vulnerability/xss/xss4.jsp: 15
	Escape_False	/src/main/webapp/vulnerability/xss/search.jsp: 21
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenURL.jsp: 3
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: 5
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: 4
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: 3
	Escape_False	/src/main/webapp/vulnerability/SendMessage.jsp: 21
	Escape_False	/src/main/webapp/vulnerability/Injection/xxe.jsp: 8
	Escape_False	/src/main/webapp/vulnerability/Injection/xpath_login.jsp: 4
	Escape_False	/src/main/webapp/login.jsp: 23
	Escape_False	/src/main/webapp/login.jsp: 22
	Escape_False	/src/main/webapp/header.jsp: 165
	Escape_False	/src/main/webapp/header.jsp: 157
	Escape_False	/src/main/webapp/header.jsp: 140
	Escape_False	/src/main/webapp/header.jsp: 134
	Escape_False	/src/main/webapp/header.jsp: 132
	Escape_False	/src/main/webapp/header.jsp: 122
	Escape_False	/src/main/webapp/header.jsp: 121
	Escape_False	/src/main/webapp/header.jsp: 116
	Escape_False	/src/main/webapp/header.jsp: 115
	Escape_False	/src/main/webapp/header.jsp: 114
	Escape_False	/src/main/webapp/header.jsp: 113
	Escape_False	/src/main/webapp/header.jsp: 108
	Escape_False	/src/main/webapp/header.jsp: 107
	Escape_False	/src/main/webapp/header.jsp: 106
	Escape_False	/src/main/webapp/header.jsp: 105
	Escape_False	/src/main/webapp/header.jsp: 99
	Escape_False	/src/main/webapp/header.jsp: 98
	Escape_False	/src/main/webapp/header.jsp: 97
	Escape_False	/src/main/webapp/header.jsp: 91
	Escape_False	/src/main/webapp/header.jsp: 89
	Escape_False	/src/main/webapp/header.jsp: 87
	Escape_False	/src/main/webapp/header.jsp: 81
	Escape_False	/src/main/webapp/header.jsp: 79
	Escape_False	/src/main/webapp/header.jsp: 78
	Escape_False	/src/main/webapp/header.jsp: 78
	Escape_False	/src/main/webapp/header.jsp: 72
	Escape_False	/src/main/webapp/header.jsp: 71
	Escape_False	/src/main/webapp/header.jsp: 70
	Escape_False	/src/main/webapp/header.jsp: 69
	Escape_False	/src/main/webapp/header.jsp: 60
	Escape_False	/src/main/webapp/header.jsp: 59
	Escape_False	/src/main/webapp/header.jsp: 59
	Escape_False	/src/main/webapp/header.jsp: 58
	Escape_False	/src/main/webapp/header.jsp: 57
	Escape_False	/src/main/webapp/header.jsp: 50
	Escape_False	/src/main/webapp/header.jsp: 46
	Escape_False	/src/main/webapp/header.jsp: 45
	Escape_False	/src/main/webapp/header.jsp: 40
	Escape_False	/src/main/webapp/header.jsp: 35
	Escape_False	/src/main/webapp/header.jsp: 34
	Escape_False	/src/main/webapp/header.jsp: 33
	Escape_False	/src/main/webapp/header.jsp: 32
	Escape_False	/src/main/webapp/header.jsp: 26
	Escape_False	/src/main/webapp/header.jsp: 17
	Escape_False	/src/main/webapp/header.jsp: 16
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 43
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/sqli/download_id.jsp: 43
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/idor/download.jsp: 24
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/baasm/SiteTitle.jsp: 31
	Improper_Resource_Access_Authorization	/src/main/webapp/header.jsp: 9
	Improper_Resource_Access_Authorization	/src/main/webapp/admin/Configure.jsp: 20
	Improper_Resource_Access_Authorization	/src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: 26
	Improper_Resource_Access_Authorization	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 65
	Improper_Resource_Access_Authorization	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 53
	Improper_Resource_Access_Authorization	/src/main/java/org/cysecurity/cspf/jvl/controller/Unsecure_Storage_of_Encryption_Key.java: 26

More results are available on AST platform

fix: pom.xml to reduce vulnerabilities

47714c8

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-COMJAYWAYJSONPATH-6140361

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.1.9#29

[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.1.9#29
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-d0c862349bbe5e6741b1e0cbce68746b

weinrich15 commented Feb 23, 2024

Uh oh!

weinrich15 commented Feb 23, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Conversation

weinrich15 commented Feb 23, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

weinrich15 commented Feb 23, 2024

New Issues

Fixed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants