mend-for-github-combot changed the title from "spring-boot-starter-test-2.7.10.jar: 1 vulnerabilities (highest severity is: 5.5)" to "spring-boot-starter-test-2.7.10.jar: 1 vulnerabilities (highest severity is: 7.5)" on Jan 4, 2024
mend-for-github-combot changed the title from "spring-boot-starter-test-2.7.10.jar: 1 vulnerabilities (highest severity is: 7.5)" to "spring-boot-starter-test-2.7.10.jar: 3 vulnerabilities (highest severity is: 7.5)" on Mar 3, 2024
mend-for-github-combot changed the title from "spring-boot-starter-test-2.7.10.jar: 3 vulnerabilities (highest severity is: 7.5)" to "spring-boot-starter-test-2.7.10.jar: 4 vulnerabilities (highest severity is: 7.5)" on May 7, 2024
mend-for-github-combot changed the title from "spring-boot-starter-test-2.7.10.jar: 4 vulnerabilities (highest severity is: 7.5)" to "spring-boot-starter-test-2.7.10.jar: 3 vulnerabilities (highest severity is: 7.5)" on Nov 5, 2024
mend-for-github-combot changed the title from "spring-boot-starter-test-2.7.10.jar: 3 vulnerabilities (highest severity is: 7.5)" to "spring-boot-starter-test-2.7.10.jar: 3 vulnerabilities (highest severity is: 7.5) reachable" on Dec 17, 2024
Vulnerable Library - spring-boot-starter-test-2.7.10.jar
Path to dependency file: /workflow-bot-app/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar
Vulnerabilities:
- CVE-2024-31573 (xmlunit-core-2.9.1.jar): Reachable
- CVE-2023-51074 (json-path-2.7.0.jar): Reachable
- CVE-2023-20883 (spring-boot-autoconfigure-2.7.10.jar): Unreachable
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2024-31573
Vulnerable Library - xmlunit-core-2.9.1.jar
XMLUnit for Java
Library home page: https://www.xmlunit.org/
Path to dependency file: /workflow-bot-app/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
When performing XSLT transformations, XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used, this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet whose source cannot be trusted. If the stylesheet can be provided externally, this may even lead to remote code execution.
Publish Date: 2024-12-05
URL: CVE-2024-31573
CVSS 3 Score Details (5.6)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-chfm-68vv-pvw5
Release Date: 2024-12-05
Fix Resolution: org.xmlunit:xmlunit-core:2.10.0
CVE-2023-51074
Vulnerable Library - json-path-2.7.0.jar
Java port of Stefan Goessner JsonPath.
Library home page: https://github.com/
Path to dependency file: /workflow-bot-app/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.7.0/f9d7d9659f2694e61142046ff8a216c047f263e8/json-path-2.7.0.jar
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
This vulnerability is potentially reachable
Vulnerability Details
json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.
Publish Date: 2023-12-27
URL: CVE-2023-51074
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-51074
Release Date: 2023-12-27
Fix Resolution (com.jayway.jsonpath:json-path): 2.9.0
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 3.1.9
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-20883
Vulnerable Library - spring-boot-autoconfigure-2.7.10.jar
Spring Boot AutoConfigure
Library home page: https://spring.io
Path to dependency file: /workflow-bot-app/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot-autoconfigure/2.7.10/514bec7b4e424199325b4f3c8949b9e2b5f6f16c/spring-boot-autoconfigure-2.7.10.jar
Dependency Hierarchy:
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Publish Date: 2023-05-26
URL: CVE-2023-20883
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20883
Release Date: 2023-05-26
Fix Resolution (org.springframework.boot:spring-boot-autoconfigure): 2.7.12
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.7.12
⛑️ Automatic Remediation will be attempted for this issue.