spring-boot-starter-web-3.3.5.jar: 2 vulnerabilities (highest severity is: 9.8) reachable #7
Description
Vulnerable Library - spring-boot-starter-web-3.3.5.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.31/tomcat-embed-core-10.1.31.jar
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** | Reachability | |
|---|---|---|---|---|---|---|---|
| CVE-2024-56337 | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.7 | ✅ |
|
|
| CVE-2024-50379 | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.7 | ✅ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-56337
Vulnerable Library - tomcat-embed-core-10.1.31.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.31/tomcat-embed-core-10.1.31.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.3.5.jar (Root Library)
- spring-boot-starter-tomcat-3.3.5.jar
- ❌ tomcat-embed-core-10.1.31.jar (Vulnerable Library)
- spring-boot-starter-tomcat-3.3.5.jar
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
org.owasp.webgoat.lessons.csrf.CSRFFeedback (Application)
-> org.apache.catalina.filters.RemoteIpFilter$XForwardedRequest (Extension)
-> org.apache.catalina.core.ApplicationContext (Extension)
-> ❌ org.apache.catalina.loader.WebappLoader (Vulnerable Component)
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation
parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Publish Date: 2024-12-20
URL: CVE-2024-56337
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-20
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-50379
Vulnerable Library - tomcat-embed-core-10.1.31.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/10.1.31/tomcat-embed-core-10.1.31.jar
Dependency Hierarchy:
- spring-boot-starter-web-3.3.5.jar (Root Library)
- spring-boot-starter-tomcat-3.3.5.jar
- ❌ tomcat-embed-core-10.1.31.jar (Vulnerable Library)
- spring-boot-starter-tomcat-3.3.5.jar
Found in base branch: main
Reachability Analysis
This vulnerability is potentially reachable
org.owasp.webgoat.lessons.csrf.CSRFFeedback (Application)
-> org.springframework.web.context.support.ContextExposingHttpServletRequest (Extension)
-> org.springframework.web.context.WebApplicationContext (Extension)
-> jakarta.servlet.ServletContext (Extension)
-> jakarta.servlet.Servlet (Extension)
-> org.apache.catalina.servlets.WebdavServlet (Extension)
-> ❌ org.apache.catalina.webresources.FileResource (Vulnerable Component)
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Mend Note: The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.
Publish Date: 2024-12-17
URL: CVE-2024-50379
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-17
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.