[Snyk] Security upgrade org.apache.tomcat:tomcat-coyote from 9.0.22 to 9.0.86 by weinrich15 · Pull Request #30 · LegitAJ/JavaVulnerableLab

weinrich15 · 2024-03-15T00:31:22Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Upgrade	Breaking Change	Exploit Maturity
	661/1000 Why? Recently disclosed, Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JAVA-ORGAPACHETOMCAT-6435949	`org.apache.tomcat:tomcat-coyote:` `9.0.22 -> 9.0.86`	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-6435949

weinrich15 · 2024-03-15T00:33:48Z

Checkmarx One – Scan Summary & Details – 91fc7436-c6cd-4f6a-8df3-3267bab98c46

New Issues

Issue	Source File / Package	Checkmarx Insight
CVE-2015-4852	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-6420	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-7501	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2016-10707	Npm-jquery-1.6.4	Vulnerable Package
CVE-2016-2170	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2022-4492	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2022-45688	Maven-org.json:json-20131018	Vulnerable Package
CVE-2023-1108	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-1370	Maven-net.minidev:json-smart-2.3	Vulnerable Package
CVE-2023-20883	Maven-org.springframework.boot:spring-boot-autoconfigure-2.0.0.RELEASE	Vulnerable Package
CVE-2023-5072	Maven-org.json:json-20131018	Vulnerable Package
CVE-2023-5379	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-classic-1.2.3	Vulnerable Package
CVE-2023-6378	Maven-ch.qos.logback:logback-core-1.2.3	Vulnerable Package
CVE-2007-2379	Npm-jquery-1.6.4	Vulnerable Package
CVE-2012-6708	Npm-jquery-1.6.4	Vulnerable Package
CVE-2014-6071	Npm-jquery-1.6.4	Vulnerable Package
CVE-2015-9251	Npm-jquery-1.6.4	Vulnerable Package
CVE-2018-1257	Maven-org.springframework:spring-test-5.0.4.RELEASE	Vulnerable Package
CVE-2019-11358	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-11023	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-15250	Maven-junit:junit-4.12	Vulnerable Package
CVE-2020-7656	Npm-jquery-1.6.4	Vulnerable Package
CVE-2023-20861	Maven-org.springframework:spring-expression-5.0.4.RELEASE	Vulnerable Package
CVE-2023-20863	Maven-org.springframework:spring-expression-5.0.4.RELEASE	Vulnerable Package
CVE-2023-34055	Maven-org.springframework.boot:spring-boot-2.0.0.RELEASE	Vulnerable Package
CVE-2023-51074	Maven-com.jayway.jsonpath:json-path-2.4.0	Vulnerable Package
CVE-2024-1459	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-1.6.4	Vulnerable Package
RDS With Backup Disabled	/rds.tf: 1	Make sure the AWS RDS configuration has automatic backup configured. If the retention period is equal to 0 there is no backup
Unpinned Actions Full Length Commit SHA	/cx.yml: 13	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Heap_Inspection	/src/main/webapp/vulnerability/csrf/changepassword.jsp: 34	Attack Vector
Heap_Inspection	/src/main/webapp/vulnerability/Injection/orm.jsp: 31	Attack Vector
Heap_Inspection	/src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: 28	Attack Vector
Heap_Inspection	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 33	Attack Vector
Use_Of_Hardcoded_Password	/src/main/java/org/cysecurity/cspf/jvl/controller/rds.java: 8	Attack Vector
Use_Of_Hardcoded_Password_In_Config	/src/main/webapp/WEB-INF/config.properties: 6	Attack Vector

Fixed Issues

Severity	Issue	Source File / Package
	CVE-2020-11996	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-13934	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-17527	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-1938	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2021-25122	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2021-30639	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2021-41079	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2022-42252	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	Cx6a5f7948-7054	Maven-commons-collections:commons-collections-3.2.1
	Passwords And Secrets - Generic Password	/docker-compose.yml: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 12
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 12
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 11
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CVE-2019-17569	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-13943	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-1935	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2021-33037	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	Cleartext_Submission_of_Sensitive_Information	/src/main/webapp/ForgotPassword.jsp: 44
	External_Control_of_System_or_Config_Setting	/src/main/webapp/vulnerability/baasm/SiteTitle.jsp: 32
	External_Control_of_System_or_Config_Setting	/src/main/webapp/admin/Configure.jsp: 21
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 55
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 57
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	External_Control_of_System_or_Config_Setting	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 59
	Frameable_Login_Page	/src/main/webapp/login.jsp: 1
	HttpOnlyCookies_In_Config	/src/main/webapp/WEB-INF/web.xml: 0
	Input_Path_Not_Canonicalized	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 39
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/idor/download.jsp: 11
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/idor/download.jsp: 11
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 29
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 29
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id.jsp: 29
	Input_Path_Not_Canonicalized	/src/main/webapp/vulnerability/sqli/download_id.jsp: 29
	Stored_Absolute_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id.jsp: 29
	Stored_Absolute_Path_Traversal	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 29
	CVE-2021-43980	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions	/src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java: 45
	Escape_False	/src/main/webapp/WEB-INF/AdminPanel.jsp: 5
	Escape_False	/src/main/webapp/vulnerability/xss/xss4.jsp: 15
	Escape_False	/src/main/webapp/vulnerability/xss/search.jsp: 21
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenURL.jsp: 3
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: 5
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: 4
	Escape_False	/src/main/webapp/vulnerability/unvalidated/OpenForward.jsp: 3
	Escape_False	/src/main/webapp/vulnerability/SendMessage.jsp: 21
	Escape_False	/src/main/webapp/vulnerability/Injection/xxe.jsp: 8
	Escape_False	/src/main/webapp/vulnerability/Injection/xpath_login.jsp: 4
	Escape_False	/src/main/webapp/login.jsp: 23
	Escape_False	/src/main/webapp/login.jsp: 22
	Escape_False	/src/main/webapp/header.jsp: 165
	Escape_False	/src/main/webapp/header.jsp: 157
	Escape_False	/src/main/webapp/header.jsp: 140
	Escape_False	/src/main/webapp/header.jsp: 134
	Escape_False	/src/main/webapp/header.jsp: 132
	Escape_False	/src/main/webapp/header.jsp: 122
	Escape_False	/src/main/webapp/header.jsp: 121
	Escape_False	/src/main/webapp/header.jsp: 116
	Escape_False	/src/main/webapp/header.jsp: 115
	Escape_False	/src/main/webapp/header.jsp: 114
	Escape_False	/src/main/webapp/header.jsp: 113
	Escape_False	/src/main/webapp/header.jsp: 108
	Escape_False	/src/main/webapp/header.jsp: 107
	Escape_False	/src/main/webapp/header.jsp: 106
	Escape_False	/src/main/webapp/header.jsp: 105
	Escape_False	/src/main/webapp/header.jsp: 99
	Escape_False	/src/main/webapp/header.jsp: 98
	Escape_False	/src/main/webapp/header.jsp: 97
	Escape_False	/src/main/webapp/header.jsp: 91
	Escape_False	/src/main/webapp/header.jsp: 89
	Escape_False	/src/main/webapp/header.jsp: 87
	Escape_False	/src/main/webapp/header.jsp: 81
	Escape_False	/src/main/webapp/header.jsp: 79
	Escape_False	/src/main/webapp/header.jsp: 78
	Escape_False	/src/main/webapp/header.jsp: 78
	Escape_False	/src/main/webapp/header.jsp: 72
	Escape_False	/src/main/webapp/header.jsp: 71
	Escape_False	/src/main/webapp/header.jsp: 70
	Escape_False	/src/main/webapp/header.jsp: 69
	Escape_False	/src/main/webapp/header.jsp: 60
	Escape_False	/src/main/webapp/header.jsp: 59
	Escape_False	/src/main/webapp/header.jsp: 59
	Escape_False	/src/main/webapp/header.jsp: 58
	Escape_False	/src/main/webapp/header.jsp: 57
	Escape_False	/src/main/webapp/header.jsp: 50
	Escape_False	/src/main/webapp/header.jsp: 46
	Escape_False	/src/main/webapp/header.jsp: 45
	Escape_False	/src/main/webapp/header.jsp: 40
	Escape_False	/src/main/webapp/header.jsp: 35
	Escape_False	/src/main/webapp/header.jsp: 34
	Escape_False	/src/main/webapp/header.jsp: 33
	Escape_False	/src/main/webapp/header.jsp: 32
	Escape_False	/src/main/webapp/header.jsp: 26
	Escape_False	/src/main/webapp/header.jsp: 17
	Escape_False	/src/main/webapp/header.jsp: 16
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 43
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/sqli/download_id.jsp: 43
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/idor/download.jsp: 24
	Improper_Resource_Access_Authorization	/src/main/webapp/vulnerability/baasm/SiteTitle.jsp: 31
	Improper_Resource_Access_Authorization	/src/main/webapp/header.jsp: 9
	Improper_Resource_Access_Authorization	/src/main/webapp/admin/Configure.jsp: 20
	Improper_Resource_Access_Authorization	/src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: 26
	Improper_Resource_Access_Authorization	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 65
	Improper_Resource_Access_Authorization

More results are available on AST platform

fix: pom.xml to reduce vulnerabilities

1e0273d

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-6435949

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade org.apache.tomcat:tomcat-coyote from 9.0.22 to 9.0.86#30

[Snyk] Security upgrade org.apache.tomcat:tomcat-coyote from 9.0.22 to 9.0.86#30
weinrich15 wants to merge 1 commit intomasterfrom
snyk-fix-233bda2e85c7deedbcab508bb5b93786

weinrich15 commented Mar 15, 2024

Uh oh!

weinrich15 commented Mar 15, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

weinrich15 commented Mar 15, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

weinrich15 commented Mar 15, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

New Issues

Fixed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

weinrich15 commented Mar 15, 2024 •

edited

Loading