Skip to content

Comments

[Snyk] Fix for 2 vulnerabilities#49

Open
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-959f8b2c39a4343aa5e1adcfe0666e04
Open

[Snyk] Fix for 2 vulnerabilities#49
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-959f8b2c39a4343aa5e1adcfe0666e04

Conversation

@weinrich15
Copy link
Collaborator

@weinrich15 weinrich15 commented Oct 26, 2025

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity Allocation of Resources Without Limits or Throttling (MadeYouReset)
SNYK-JAVA-IOUNDERTOW-12458577		   649   io.undertow:undertow-core:
2.0.9.Final -> 2.3.20.Final
No Known Exploit
medium severity External Initialization of Trusted Variables or Data Stores
SNYK-JAVA-CHQOSLOGBACK-13169722		   509   org.springframework.boot:spring-boot-starter-test:
2.0.0.RELEASE -> 3.4.11
Major version upgrade No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@weinrich15
Copy link
Collaborator Author

weinrich15 commented Oct 26, 2025

Logo
Checkmarx One – Scan Summary & Detailseb26e821-538a-4658-9630-382c1404078b

New Issues (65)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
CRITICAL S3 Bucket Allows Delete Action From All Principals /s3_with_all_permissions.tf: 5
detailsS3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized...
ID: j6z7Nppuf3vonyn6ZDSKClAqRBE%3D
HIGH CVE-2023-22102 Maven-mysql:mysql-connector-java-5.1.26
detailsDescription: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). The affected versions are through 8.1.0. The difficult-to-e...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: tUd61%2BDfyVF%2BBTXqR1GOI0Z4aRpNiue9sOkBrM7hHuU%3D
Vulnerable Package
HIGH CVE-2024-38286 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat versions 9.0.13 through 9.0.8...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: W3SMgO0ek371vMiqKqpEw3gfi4g5PKXlScElIZwuSYg%3D
Vulnerable Package
HIGH CVE-2025-48989 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: dFcIC5OwpOQ1J4EKB0nDDJ536GnogYsPcvLtyLaQFn4%3D
Vulnerable Package
HIGH CVE-2025-52434 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Nativ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: lnO806OleuHzFmqiwGuYXURwmu52s79abVjVmJBb6BY%3D
Vulnerable Package
HIGH CVE-2025-53506 Maven-org.apache.tomcat:tomcat-coyote-9.0.22
detailsRecommended version: 9.0.108
Description: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces th...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: WQcFXf6mmx1GBiLBcDZYTWPB88A8iISu%2B4fuUZoAnFA%3D
Vulnerable Package
HIGH Remote Desktop Port Open To Internet /AJP_Open_Port.tf: 6
detailsThe Remote Desktop port is open to the internet in a Security Group
ID: n184d2i0e3AlwvbL%2FJBiRl9dy8w%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: ci%2FrmVz87oBdbVoBWnx%2B0odzhXY%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: VEfFRpRMjj%2FsEt5Cr8AvCrg%2BKgQ%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: 8sjFNQHwpPdSyZrOKlINCwIPy7c%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: ReatByiMlBBN%2FRB7SJibAZ4%2FHVQ%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: V58KhwRv3TmRIN4OFsvWQvkwPtQ%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: 9xpyyKkXXB%2FrZjfqdnbkSC3FECU%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: Ho1WKMVs%2FpEMty%2Bi5j17qjsA9JU%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: OuV1uNkwJurDpbYae7ld2SHPj%2BY%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: bGJpV6Wb%2BTVWqqCRwiBoesm46Hg%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: XKHvGYlUie1KOLRkbhAPbx3RYQE%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: 4hn2t8Pkae3OpZNm7CQ%2Fyr6y5wo%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: hkR%2BDU3C%2FfmgoJtUPRNP45HgA5k%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: RW%2BvMIohdId6RkgndlmPNV60AhU%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: RJTMJZflR3g%2BN5dl0QPDbWo2HD8%3D
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
detailsA sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
ID: rp%2BMtYbW9pkxDZa130o3pnSTLQM%3D

More results are available on the CxOne platform

Fixed Issues (227) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
HIGH CVE-2016-10707 Npm-jquery-1.6.4
HIGH CVE-2017-18640 Maven-org.yaml:snakeyaml-1.19
HIGH CVE-2018-1272 Maven-org.springframework:spring-core-5.0.4.RELEASE
HIGH CVE-2019-10212 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2019-3888 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-10705 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-1745 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-1757 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2020-27782 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2021-31684 Maven-net.minidev:json-smart-2.3
HIGH CVE-2021-3690 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2021-3859 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2022-0084 Maven-org.jboss.xnio:xnio-api-3.3.8.Final
HIGH CVE-2022-1319 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2022-1471 Maven-org.yaml:snakeyaml-1.19
HIGH CVE-2022-2053 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2022-22965 Maven-org.springframework:spring-beans-5.0.4.RELEASE
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.19
HIGH CVE-2022-27772 Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE
HIGH CVE-2022-4492 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2023-1108 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2023-1370 Maven-net.minidev:json-smart-2.3
HIGH CVE-2023-20883 Maven-org.springframework.boot:spring-boot-autoconfigure-2.0.0.RELEASE
HIGH CVE-2023-5379 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2023-5685 Maven-org.jboss.xnio:xnio-api-3.3.8.Final
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-core-1.2.3
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-classic-1.2.3
HIGH CVE-2023-6481 Maven-ch.qos.logback:logback-core-1.2.3
HIGH CVE-2024-31573 Maven-org.xmlunit:xmlunit-core-2.5.1
HIGH CVE-2024-5971 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH CVE-2024-6162 Maven-io.undertow:undertow-core-2.0.9.Final
HIGH Client_DOM_Stored_XSS /src/main/webapp/vulnerability/Injection/xxe.jsp: 12
HIGH Client_DOM_Stored_XSS /src/main/webapp/vulnerability/Injection/xxe.jsp: 15
HIGH Remote Desktop Port Open To Internet /AJP_Open_Port.tf: 1
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6
HIGH Sensitive Port Is Exposed To Entire Network /AJP_Open_Port.tf: 6

More results are available on the CxOne platform

Policy Management Violations (1)
Policy Name: Global Policy The following violations of your team's AppSec policy rules were identified in this project. Since 'Break Build' is enabled for these rules, you must resolve these issues before the Pull Request can be merged. This is the default policy that applies to all projects in your account.

  • Rule Name: DemoRule
    Scanner: SCA

  • Rule Name: AGPL
    Scanner: SCA

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@weinrich15 @snyk-bot