Skip to content

Comments

[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.4.10#48

Open
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-beccd12b3a78d47c5e95df76c2ed3831
Open

[Snyk] Security upgrade org.springframework.boot:spring-boot-starter-test from 2.0.0.RELEASE to 3.4.10#48
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-beccd12b3a78d47c5e95df76c2ed3831

Conversation

@weinrich15
Copy link
Collaborator

@weinrich15 weinrich15 commented Sep 21, 2025

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity Incorrect Authorization
SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817		   721   org.springframework.boot:spring-boot-starter-test:
2.0.0.RELEASE -> 3.4.10
Major version upgrade No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Incorrect Authorization

@weinrich15
Copy link
Collaborator Author

weinrich15 commented Sep 21, 2025

Logo
Checkmarx One – Scan Summary & Details6ca69d22-a00d-4cca-86ae-05f135c49f8c

New Issues (15)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
CRITICAL S3 Bucket Allows Delete Action From All Principals /s3_with_all_permissions.tf: 5
detailsS3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized...
ID: j6z7Nppuf3vonyn6ZDSKClAqRBE%3D
HIGH CVE-2019-14888 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.0.28.SP1-redhat-00002
Description: A vulnerability was found in the Undertow HTTP server in versions through 2.0.28.SP1-redhat-00001, version 2.0.28.Final-redhat-00001, and version 2...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: W97SD7io2qxY3uzv%2F9vLIaNr%2FcfX39R0mdGabehNFOE%3D
Vulnerable Package
HIGH CVE-2023-1973 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.2.30.SP1-redhat-00001
Description: A flaw was found in Undertow package. Using the "FormAuthenticationMechanism", a malicious user could trigger a Denial of Service by sending crafte...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: SxyRs24%2FdQRrAKazdR5YGCr%2FbFbirsF8JUDEW8E3XFc%3D
Vulnerable Package
HIGH CVE-2023-22102 Maven-mysql:mysql-connector-java-5.1.26
detailsDescription: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). The affected versions are through 8.1.0. The difficult-to-e...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: SBhOQmNpX7k6wCnTc2a2INM9nx8VmgAL6zukIXYadlE%3D
Vulnerable Package
HIGH CVE-2023-3223 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.2.25.SP3-redhat-00001
Description: A flaw was found in undertow versions through 2.2.26.Final, and 2.3.0.Alpha1 through 2.3.8.Final. Servlets annotated with '@MultipartConfig' may ca...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: i8HohkjWDtLNNJYv7YlRk4b8evhhW1hjMEKeHepVweo%3D
Vulnerable Package
HIGH CVE-2023-4639 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.2.30.Final
Description: A flaw was found in Undertow, which incorrectly parses cookies with certain value-delimiting characters in incoming requests. This issue could allo...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: 83EBR9HlWnnsbRaSbXr1wuWP%2BB8ZPs2FRLehUmFmG0k%3D
Vulnerable Package
HIGH CVE-2024-1635 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.0.28.SP1-redhat-00002
Description: A vulnerability was found in Undertow. This vulnerability impacts a server that supports the wildfly-http-client protocol. Whenever a malicious use...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: CfUPaBhmcSbJPSrwOkYo9aD1KtAYbM1QTHI9aP0PlnI%3D
Vulnerable Package
HIGH CVE-2024-38286 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat versions 9.0.13 through 9.0.8...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: rNyzTevd3h4%2Bji9A5KPL%2Bs%2Bl9mZfJFhrPBa8xpC1x38%3D
Vulnerable Package
HIGH CVE-2024-7885 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.2.33.SP1-redhat-00002
Description: A vulnerability was found in Undertow where the "ProxyProtocolReadListener" reuses the same "StringBuilder" instance across multiple requests. This...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: fWOBn9cKYZiXdCVlYJA4zgND3WYHLlsQboeIwRwXRJc%3D
Vulnerable Package
HIGH CVE-2025-48989 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: RStnic4WZlv%2FqflbeXxQa7f7mPMD73gsv2ZmrecNgyU%3D
Vulnerable Package
HIGH CVE-2025-52434 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Nativ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: H10nHpcAKd9D3SBoiPUsfvmX7nlnICqJmZPcp%2BIjihE%3D
Vulnerable Package
HIGH CVE-2025-53506 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces th...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: ED8iLmJvyT3i62%2F2umnh%2BmZFq%2FXiPgeeVEXImhPlH1U%3D
Vulnerable Package
HIGH CVE-2025-9784 Maven-io.undertow:undertow-core-2.0.9.Final
detailsDescription: A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, r...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: wE8sjCw3pC4CF0vOUqpxV4nME5q5SgOZivmQm3Aot4o%3D
Vulnerable Package
MEDIUM CVE-2021-20220 Maven-io.undertow:undertow-core-2.0.9.Final
detailsRecommended version: 2.0.34.Final
Description: A flaw was found in Undertow. A regression in the fix for CVE-2020-10687 was found. HTTP request smuggling related to CVE-2017-2666 is possible aga...
Attack Vector: NETWORK
Attack Complexity: HIGH
Exploitable Path: parse@.../jvl/controller/AddPageVuln.java - ... - verifyToken@...tow/server/Connectors.java

ID: Gd9w9CeEHjniwMAwT9Bj05jugqqklhBNL%2BdUvaX6Kh4%3D
Vulnerable Package
MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm /src/main/java/org/cysecurity/cspf/jvl/model/HashMe.java: 16
detailsIn hashMe, the application protects sensitive data using a cryptographic algorithm, getInstance, that is considered weak or even trivially broken, ...
ID: ec8wJf6qRwmkCZRXmWqlze7dIcc%3D
Attack Vector
Fixed Issues (152)

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
HIGH CVE-2016-10707 Npm-jquery-1.6.4
HIGH CVE-2017-18640 Maven-org.yaml:snakeyaml-1.19
HIGH CVE-2018-1272 Maven-org.springframework:spring-core-5.0.4.RELEASE
HIGH CVE-2021-31684 Maven-net.minidev:json-smart-2.3
HIGH CVE-2022-1471 Maven-org.yaml:snakeyaml-1.19
HIGH CVE-2022-22965 Maven-org.springframework:spring-beans-5.0.4.RELEASE
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.19
HIGH CVE-2022-27772 Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE
HIGH CVE-2023-1370 Maven-net.minidev:json-smart-2.3
HIGH CVE-2023-20883 Maven-org.springframework.boot:spring-boot-autoconfigure-2.0.0.RELEASE
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-core-1.2.3
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-classic-1.2.3
HIGH CVE-2023-6481 Maven-ch.qos.logback:logback-core-1.2.3
HIGH CVE-2024-31573 Maven-org.xmlunit:xmlunit-core-2.5.1
HIGH Client_DOM_Stored_XSS /src/main/webapp/vulnerability/Injection/xxe.jsp: 12
HIGH Client_DOM_Stored_XSS /src/main/webapp/vulnerability/Injection/xxe.jsp: 15
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
MEDIUM CSRF /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57

More results are available on the CxOne platform

Policy Management Violations (1)
Policy Name: GPL No license The following violations of your team's AppSec policy rules were identified in this project. Since 'Break Build' is enabled for these rules, you must resolve these issues before the Pull Request can be merged. This is the default policy that applies to all projects in your account.

  • Rule Name: DemoRule
    Scanner: SCA

  • Rule Name: AGPL
    Scanner: SCA

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@weinrich15 @snyk-bot