[Snyk] Security upgrade org.apache.tomcat:tomcat-coyote from 9.0.22 to 9.0.44 by tyleragypt · Pull Request #140 · tyleragypt/JavaVulnerableLab

tyleragypt · 2024-01-22T14:38:41Z

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Upgrade	Breaking Change	Exploit Maturity	Reachability
	465/1000 Why? Recently disclosed, Has a fix available, CVSS 5.3	Information Exposure SNYK-JAVA-ORGAPACHETOMCAT-6183063	`org.apache.tomcat:tomcat-coyote:` `9.0.22 -> 9.0.44`	No	No Known Exploit	No Path Found

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Information Exposure

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-6183063

tyleragypt · 2024-01-22T14:41:14Z

Checkmarx One – Scan Summary & Details – 19033072-cd14-48f2-a8fe-e15c15ee065b

Policy Management Violations

Policy Name	Rule(s)	Break Build
No highs or mediums	level 3 strict	false

New Issues

Issue	Source File / Package	Checkmarx Insight
ALB Listening on HTTP	/infrostructure.tf: 21	AWS Application Load Balancer (alb) should not listen on HTTP
CVE-2015-4852	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-6420	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2015-7501	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2016-10707	Npm-jquery-1.6.4	Vulnerable Package
CVE-2016-2170	Maven-commons-collections:commons-collections-3.2.1	Vulnerable Package
CVE-2020-27782	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2022-0084	Maven-org.jboss.xnio:xnio-api-3.3.8.Final	Vulnerable Package
CVE-2022-1319	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2022-2053	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2022-42252	Maven-org.apache.tomcat:tomcat-coyote-9.0.44	Vulnerable Package
CVE-2022-4492	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2022-45688	Maven-org.json:json-20131018	Vulnerable Package
CVE-2022-45689	Maven-org.json:json-20131018	Vulnerable Package
CVE-2022-45690	Maven-org.json:json-20131018	Vulnerable Package
CVE-2023-1108	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-24998	Maven-org.apache.tomcat:tomcat-coyote-9.0.44	Vulnerable Package
CVE-2023-5072	Maven-org.json:json-20131018	Vulnerable Package
CVE-2007-2379	Npm-jquery-1.6.4	Vulnerable Package
CVE-2012-6708	Npm-jquery-1.6.4	Vulnerable Package
CVE-2014-6071	Npm-jquery-1.6.4	Vulnerable Package
CVE-2015-9251	Npm-jquery-1.6.4	Vulnerable Package
CVE-2019-11358	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-11022	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-11023	Npm-jquery-1.6.4	Vulnerable Package
CVE-2020-7656	Npm-jquery-1.6.4	Vulnerable Package
CVE-2022-2764	Maven-io.undertow:undertow-core-2.0.9.Final	Vulnerable Package
CVE-2023-42795	Maven-org.apache.tomcat:tomcat-util-9.0.44	Vulnerable Package
CVE-2023-42795	Maven-org.apache.tomcat:tomcat-coyote-9.0.44	Vulnerable Package
CVE-2023-45648	Maven-org.apache.tomcat:tomcat-coyote-9.0.44	Vulnerable Package
Cxf0b588a3-5c6f	Npm-jquery-1.6.4	Vulnerable Package
Unpinned Actions Full Length Commit SHA	/cx.yml: 13	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
CVE-2021-43980	Maven-org.apache.tomcat:tomcat-coyote-9.0.44	Vulnerable Package
Lambda Functions Without X-Ray Tracing	/lambda.tf: 12	AWS Lambda functions should have TracingConfig enabled. For this, property 'tracing_Config.mode' should have the value 'Active'

Fixed Issues

Severity	Issue	Source File / Package
	ALB Listening on HTTP	/infrostructure.tf: 21
	ALB Listening on HTTP	/infrostructure.tf: 27
	CVE-2020-11996	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-13934	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-17527	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2020-1938	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2021-25122	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	CVE-2021-41079	Maven-org.apache.tomcat:tomcat-coyote-9.0.22
	Cx6a5f7948-7054	Maven-commons-collections:commons-collections-3.2.1
	S3 Bucket Allows All Actions From All Principals	/s3_with_all_permissions.tf: 5
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	SQL_Injection	/src/main/webapp/vulnerability/Injection/orm.jsp: 50
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11
	Absolute_Path_Traversal	/src/main/webapp/vulnerability/idor/download.jsp: 11
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 45
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/SendMessage.java: 43
	CSRF	/src/main/webapp/changeCardDetails.jsp: 37
	CSRF	/src/main/webapp/vulnerability/csrf/changepassword.jsp: 33
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 60
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 46
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/SendMessage.java: 44
	CSRF	/src/main/webapp/changeCardDetails.jsp: 38
	CSRF	/src/main/webapp/vulnerability/forum.jsp: 41
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 47
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/SendMessage.java: 45
	CSRF	/src/main/webapp/vulnerability/idor/change-email.jsp: 27
	CSRF	/src/main/webapp/changeCardDetails.jsp: 39
	CSRF	/src/main/webapp/admin/manageusers.jsp: 13
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 61
	CSRF	/src/main/webapp/vulnerability/forum.jsp: 42
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 43
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 43
	CSRF	/src/main/webapp/vulnerability/idor/change-email.jsp: 28
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 12
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 12
	CSRF	/src/main/webapp/vulnerability/csrf/change-info.jsp: 26
	CSRF	/src/main/webapp/vulnerability/forum.jsp: 43
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 44
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/SendMessage.java: 42
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 11
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 11
	CSRF	/src/main/webapp/admin/adminlogin.jsp: 11
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 54
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 56
	CSRF

More results are available on AST platform

fix: pom.xml to reduce vulnerabilities

b9270ce

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-6183063

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Security upgrade org.apache.tomcat:tomcat-coyote from 9.0.22 to 9.0.44#140

[Snyk] Security upgrade org.apache.tomcat:tomcat-coyote from 9.0.22 to 9.0.44#140
tyleragypt wants to merge 1 commit intomasterfrom
snyk-fix-4aed92d142bb10a6b2abd711f8f3dbaa

tyleragypt commented Jan 22, 2024

Uh oh!

tyleragypt commented Jan 22, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

tyleragypt commented Jan 22, 2024

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Vulnerabilities that will be fixed

With an upgrade:

Uh oh!

tyleragypt commented Jan 22, 2024

Policy Management Violations

New Issues

Fixed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants