Skip to content

[Snyk] Security upgrade io.undertow:undertow-core from 2.0.9.Final to 2.3.6.Final#137

Open
tyleragypt wants to merge 1 commit intomasterfrom
snyk-fix-8eca3e27a6727b576553ef667a0581de
Open

[Snyk] Security upgrade io.undertow:undertow-core from 2.0.9.Final to 2.3.6.Final#137
tyleragypt wants to merge 1 commit intomasterfrom
snyk-fix-8eca3e27a6727b576553ef667a0581de

Conversation

@tyleragypt
Copy link
Copy Markdown
Owner

@tyleragypt tyleragypt commented May 20, 2023

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Upgrade Breaking Change Exploit Maturity Reachability
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 Denial of Service (DoS)
SNYK-JAVA-IOUNDERTOW-3358786		 io.undertow:undertow-core:
2.0.9.Final -> 2.3.6.Final
No No Known Exploit No Path Found

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

@snyk-bot
fix: pom.xml to reduce vulnerabilities
8c2933b 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-3358786
@tyleragypt
Copy link
Copy Markdown
Owner Author

tyleragypt commented May 20, 2023

Logo
Checkmarx One – Scan Summary & Detailse21c8054-3cd0-40ec-a4c0-cedb79bbde29

New Issues

Severity Issue Source File / Package Checkmarx Insight
HIGH ALB Listening on HTTP /infrostructure.tf: 21 AWS Application Load Balancer (alb) should not listen on HTTP
HIGH CVE-2015-4852 Maven-commons-collections:commons-collections-3.2.1 Vulnerable Package
HIGH CVE-2015-7501 Maven-commons-collections:commons-collections-3.2.1 Vulnerable Package
HIGH CVE-2022-42252 Maven-org.apache.tomcat:tomcat-coyote-9.0.22 Vulnerable Package
HIGH CVE-2022-45688 Maven-org.json:json-20131018 Vulnerable Package
HIGH CVE-2022-45689 Maven-org.json:json-20131018 Vulnerable Package
HIGH CVE-2022-45690 Maven-org.json:json-20131018 Vulnerable Package
LOW CVE-2021-43980 Maven-org.apache.tomcat:tomcat-coyote-9.0.22 Vulnerable Package
LOW Heap_Inspection /src/main/webapp/vulnerability/Injection/orm.jsp: 31 Attack Vector
LOW Heap_Inspection /src/main/webapp/vulnerability/csrf/changepassword.jsp: 34 Attack Vector
LOW Heap_Inspection /src/main/java/org/cysecurity/cspf/jvl/model/DBConnect.java: 28 Attack Vector
LOW Heap_Inspection /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 33 Attack Vector
LOW Lambda Functions Without X-Ray Tracing /lambda.tf: 12 AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'
LOW Use_Of_Hardcoded_Password_In_Config /src/main/webapp/WEB-INF/config.properties: 6 Attack Vector

Fixed Issues

Severity Issue Source File / Package Checkmarx Insight
HIGH ALB Listening on HTTP /infrostructure.tf: 21 AWS Application Load Balancer (alb) should not listen on HTTP
HIGH ALB Listening on HTTP /infrostructure.tf: 27 AWS Application Load Balancer (alb) should not listen on HTTP
HIGH CVE-2019-10212 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2019-3888 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2020-10705 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2020-1745 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2020-1757 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2021-3629 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2021-3690 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH CVE-2021-3859 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
HIGH S3 Bucket Allows All Actions From All Principals /s3_with_all_permissions.tf: 5 S3 Buckets must not allow All Actions (wildcard) From All Principals, as to prevent leaking private information to the entire internet or allow una...
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43 Attack Vector
HIGH SQL_Injection /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43 Attack Vector
HIGH SQL_Injection /src/main/webapp/vulnerability/Injection/orm.jsp: 50 Attack Vector
HIGH SQL_Injection /src/main/webapp/admin/adminlogin.jsp: 11 Attack Vector
HIGH SQL_Injection /src/main/webapp/admin/adminlogin.jsp: 11 Attack Vector
HIGH SQL_Injection /src/main/webapp/admin/adminlogin.jsp: 11 Attack Vector
HIGH SQL_Injection /src/main/webapp/admin/adminlogin.jsp: 11 Attack Vector
MEDIUM CVE-2020-10687 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
MEDIUM CVE-2020-10719 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
MEDIUM CVE-2020-14340 Maven-org.jboss.xnio:xnio-nio-3.3.8.Final Vulnerable Package
MEDIUM CVE-2021-3597 Maven-io.undertow:undertow-core-2.0.9.Final Vulnerable Package
MEDIUM Privacy_Violation /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 64 Attack Vector
LOW EC2 Instance Using API Keys /infrostructure.tf: 34 EC2 instances should use roles to be granted access to other AWS services
LOW Lambda Functions Without X-Ray Tracing /lambda.tf: 12 AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tyleragypt @snyk-bot