[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.3.7 by weinrich15 · Pull Request #43 · LegitAJ/JavaVulnerableLab

weinrich15 · 2025-01-26T05:52:06Z

Snyk has created this PR to fix 3 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue	Score	Upgrade
Improper Neutralization of Special Elements SNYK-JAVA-CHQOSLOGBACK-8539866	509	org.springframework.boot:spring-boot-starter-test: `2.0.0.RELEASE` -> `3.3.7` `Major version upgrade` `No Known Exploit`
Improper Neutralization of Special Elements SNYK-JAVA-CHQOSLOGBACK-8539867	509	org.springframework.boot:spring-boot-starter-test: `2.0.0.RELEASE` -> `3.3.7` `Major version upgrade` `No Known Exploit`
Server-side Request Forgery (SSRF) SNYK-JAVA-CHQOSLOGBACK-8539865	334	org.springframework.boot:spring-boot-starter-test: `2.0.0.RELEASE` -> `3.3.7` `Major version upgrade` `No Known Exploit`

Important

Check the changes in this PR to ensure they won't cause issues with your project.
Max score is 1000. Note that the real score may have changed since the PR was raised.
This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-8539866 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-8539867 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-8539865

weinrich15 · 2025-01-26T05:55:33Z

Checkmarx One – Scan Summary & Details – 4eb21d31-052d-4cfd-9401-339912fe00c3

New Issues (72)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2023-1973	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-3223	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-4639	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2024-1635	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2024-38286	Maven-org.apache.tomcat:tomcat-coyote-9.0.22	Vulnerable Package
CVE-2024-4109	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2024-7885	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
Reflected_XSS_All_Clients	/src/main/webapp/admin/adminlogin.jsp: 68	details The method adminlogin embeds untrusted data in generated output with print, at line 68 of /src/main/webapp/admin/adminlogin.jsp. This untrusted dat... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/Injection/xpath_login.jsp: 9	details The method xpath_login embeds untrusted data in generated output with print, at line 9 of /src/main/webapp/vulnerability/Injection/xpath_login.jsp.... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/SendMessage.jsp: 11	details The method SendMessage embeds untrusted data in generated output with print, at line 11 of /src/main/webapp/vulnerability/SendMessage.jsp. This unt... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/SendMessage.jsp: 18	details The method SendMessage embeds untrusted data in generated output with print, at line 18 of /src/main/webapp/vulnerability/SendMessage.jsp. This unt... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/login.jsp: 26	details The method login embeds untrusted data in generated output with print, at line 26 of /src/main/webapp/login.jsp. This untrusted data is embedded in... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/xss/xss4.jsp: 2	details The method xss4 embeds untrusted data in generated output with keyword, at line 15 of /src/main/webapp/vulnerability/xss/xss4.jsp. This untrusted d... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/xss/xss4.jsp: 2	details The method xss4 embeds untrusted data in generated output with print, at line 6 of /src/main/webapp/vulnerability/xss/xss4.jsp. This untrusted data... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/xss/search.jsp: 16	details The method search embeds untrusted data in generated output with searchedName, at line 21 of /src/main/webapp/vulnerability/xss/search.jsp. This un... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/vulnerability/UserDetails.jsp: 8	details The method UserDetails embeds untrusted data in generated output with print, at line 23 of /src/main/webapp/vulnerability/UserDetails.jsp. This unt... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/login.jsp: 7	details The method login embeds untrusted data in generated output with username, at line 22 of /src/main/webapp/login.jsp. This untrusted data is embedded... Attack Vector
Reflected_XSS_All_Clients	/src/main/webapp/login.jsp: 7	details The method login embeds untrusted data in generated output with password, at line 23 of /src/main/webapp/login.jsp. This untrusted data is embedded... Attack Vector
Reflected_XSS_All_Clients	/src/main/java/org/cysecurity/cspf/jvl/controller/xxe.java: 44	details The method processRequest embeds untrusted data in generated output with print, at line 54 of /src/main/java/org/cysecurity/cspf/jvl/controller/xxe... Attack Vector
Reflected_XSS_All_Clients	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 39	details The method processRequest embeds untrusted data in generated output with print, at line 55 of /src/main/java/org/cysecurity/cspf/jvl/controller/Add... Attack Vector
Unsafe_Reflection	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 55	details The input obtained by processRequest in /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java at line 55 affects the invocation of a refle... Attack Vector
XPath_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/XPathQuery.java: 36	details The application's processRequest method constructs an XPath query, for navigating an XML document. The XPath query is created with compile, at line... Attack Vector
XPath_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/XPathQuery.java: 35	details The application's processRequest method constructs an XPath query, for navigating an XML document. The XPath query is created with compile, at line... Attack Vector
CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43	details Method processRequest at line 43 of /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java gets a parameter from a user request from... Attack Vector
CSRF	/src/main/webapp/admin/adminlogin.jsp: 12	details Method adminlogin at line 12 of /src/main/webapp/admin/adminlogin.jsp gets a parameter from a user request from ""password"". This parameter value ... Attack Vector
CSRF	/src/main/webapp/admin/adminlogin.jsp: 12	details Method adminlogin at line 12 of /src/main/webapp/admin/adminlogin.jsp gets a parameter from a user request from ""password"". This parameter value ... Attack Vector
CSRF	/src/main/webapp/admin/adminlogin.jsp: 11	details Method adminlogin at line 11 of /src/main/webapp/admin/adminlogin.jsp gets a parameter from a user request from ""username"". This parameter value ... Attack Vector
CVE-2021-20220	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2024-12798	Maven-ch.qos.logback:logback-core-1.5.12	Vulnerable Package
CVE-2024-12798	Maven-ch.qos.logback:logback-classic-1.5.12	Vulnerable Package
HttpOnlyCookies	/src/main/webapp/admin/adminlogin.jsp: 37	details The web application's adminlogin method creates a cookie privilege, at line 37 of /src/main/webapp/admin/adminlogin.jsp, and returns it in the resp... Attack Vector
HttpOnlyCookies	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 59	details The web application's processRequest method creates a cookie privilege, at line 59 of /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValida... Attack Vector
HttpOnlyCookies	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 63	details The web application's processRequest method creates a cookie username, at line 63 of /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidat... Attack Vector
HttpOnlyCookies	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 64	details The web application's processRequest method creates a cookie password, at line 64 of /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidat... Attack Vector
Parameter_Tampering	/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java: 44	details Method processRequest at line 44 of /src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java gets user input from element ""email"". This ... Attack Vector
Parameter_Tampering	/src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java: 43	details Method processRequest at line 43 of /src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java gets user input from element ""username"".... Attack Vector
Parameter_Tampering	/src/main/webapp/vulnerability/DisplayMessage.jsp: 16	details Method DisplayMessage at line 16 of /src/main/webapp/vulnerability/DisplayMessage.jsp gets user input from element ""msgid"". This input is later c... Attack Vector
Parameter_Tampering	/src/main/webapp/vulnerability/idor/change-email.jsp: 28	details Method changeemail at line 28 of /src/main/webapp/vulnerability/idor/change-email.jsp gets user input from element ""id"". This input is later conc... Attack Vector
Parameter_Tampering	/src/main/webapp/admin/manageusers.jsp: 13	details Method manageusers at line 13 of /src/main/webapp/admin/manageusers.jsp gets user input from element ""user"". This input is later concatenated by ... Attack Vector
Parameter_Tampering	/src/main/webapp/vulnerability/forumposts.jsp: 9	details Method forumposts at line 9 of /src/main/webapp/vulnerability/forumposts.jsp gets user input from element ""postid"". This input is later concatena... Attack Vector
Plaintext_Storage_of_a_Password	/src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: 26	Attack Vector
Relative_Path_Traversal	/src/main/java/org/cysecurity/cspf/jvl/controller/ForwardMe.java: 39	details Method processRequest at line 39 of /src/main/java/org/cysecurity/cspf/jvl/controller/ForwardMe.java gets dynamic data from the ""location"" elemen... Attack Vector

More results are available on the CxOne platform

Fixed Issues (39)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2017-18640	Maven-org.yaml:snakeyaml-1.19
	CVE-2018-1272	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2021-31684	Maven-net.minidev:json-smart-2.3
	CVE-2022-1471	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-22965	Maven-org.springframework:spring-beans-5.0.4.RELEASE
	CVE-2022-25857	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-27772	Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE
	CVE-2023-1370	Maven-net.minidev:json-smart-2.3
	CVE-2023-20883	Maven-org.springframework.boot:spring-boot-autoconfigure-2.0.0.RELEASE
	CVE-2023-6378	Maven-ch.qos.logback:logback-core-1.2.3
	CVE-2023-6378	Maven-ch.qos.logback:logback-classic-1.2.3
	CVE-2023-6481	Maven-ch.qos.logback:logback-core-1.2.3
	Client_DOM_Stored_XSS	/src/main/webapp/vulnerability/Injection/xxe.jsp: 15
	Client_DOM_Stored_XSS	/src/main/webapp/vulnerability/Injection/xxe.jsp: 15
	Client_DOM_Stored_XSS	/src/main/webapp/vulnerability/Injection/xxe.jsp: 15
	CVE-2018-1257	Maven-org.springframework:spring-test-5.0.4.RELEASE
	CVE-2021-22060	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2021-22096	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2021-27568	Maven-net.minidev:json-smart-2.3
	CVE-2021-42550	Maven-ch.qos.logback:logback-core-1.2.3
	CVE-2021-42550	Maven-ch.qos.logback:logback-classic-1.2.3
	CVE-2022-22950	Maven-org.springframework:spring-expression-5.0.4.RELEASE
	CVE-2022-22950	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2022-22968	Maven-org.springframework:spring-context-5.0.4.RELEASE
	CVE-2022-22970	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2022-22970	Maven-org.springframework:spring-beans-5.0.4.RELEASE
	CVE-2022-22971	Maven-org.springframework:spring-core-5.0.4.RELEASE
	CVE-2022-38749	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-38750	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-38751	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-38752	Maven-org.yaml:snakeyaml-1.19
	CVE-2022-41854	Maven-org.yaml:snakeyaml-1.19
	CVE-2023-20861	Maven-org.springframework:spring-expression-5.0.4.RELEASE
	CVE-2023-20863	Maven-org.springframework:spring-expression-5.0.4.RELEASE
	CVE-2023-34055	Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE
	CVE-2023-51074	Maven-com.jayway.jsonpath:json-path-2.4.0
	S3 Bucket Without Enabled MFA Delete	/s3_with_all_permissions.tf: 1
	S3 Bucket Without Enabled MFA Delete	/Unsecure_Storage_of_Encryption_Key.tf: 1
	S3 Bucket Without Enabled MFA Delete	/s3.tf: 1

fix: pom.xml to reduce vulnerabilities

2d2b429

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-8539866 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-8539867 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-8539865

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Comments

[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.3.7#43

[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.3.7#43
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-a75c3828f1d254bfe55488186a1919c1

weinrich15 commented Jan 26, 2025

Uh oh!

weinrich15 commented Jan 26, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Comments

Conversation

weinrich15 commented Jan 26, 2025

Snyk has created this PR to fix 3 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

Vulnerabilities that will be fixed with an upgrade:

Uh oh!

weinrich15 commented Jan 26, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants