[Snyk] Fix for 2 vulnerabilities by tyleragypt · Pull Request #154 · tyleragypt/JavaVulnerableLab

tyleragypt · 2025-08-14T09:03:18Z

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Memory Allocation with Excessive Size Value SNYK-JAVA-IOUNDERTOW-11520814	650	io.undertow:undertow-core: `2.0.9.Final` -> `2.2.27.Final` `No Path Found` `Proof of Concept`
	Improper Resource Shutdown or Release SNYK-JAVA-ORGAPACHETOMCAT-11799151	635	org.apache.tomcat:tomcat-coyote: `9.0.22` -> `9.0.108` `No Path Found` `No Known Exploit`

Important

Check the changes in this PR to ensure they won't cause issues with your project.
Max score is 1000. Note that the real score may have changed since the PR was raised.
This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-11520814 - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-11799151

tyleragypt · 2025-08-14T09:05:39Z

Checkmarx One – Scan Summary & Details – 0b9d90bd-5e6b-45e0-86b4-a0dbb4b4298e

New Issues (146)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2015-2575	Maven-mysql:mysql-connector-java-5.1.26	details Recommended version: 5.1.35 Description: MySQL Connector/J before 5.1.35 is vulnerable to SQL Injection. The function quoteIdentifier() in the file src/com/mysql/jdbc/StringUtils.java does... Attack Vector: NETWORK Attack Complexity: LOW Exploitable Path: [email protected]/SendMessage.java - ... - [email protected]/StringUtils.java `ID: lCIWTsROEFYUlaoZctLJt3BkDlrZSw%2B1LzJzomeNA1I%3D` Vulnerable Package
CVE-2015-4852	Maven-commons-collections:commons-collections-3.2.1	details Recommended version: 3.2.2 Description: The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary comman... Attack Vector: NETWORK Attack Complexity: LOW `ID: p%2Bm%2BS9NjZAIgloXF8KkD2CCZcgG%2BN5yn79WVUxBVW%2Bg%3D` Vulnerable Package
CVE-2015-7501	Maven-commons-collections:commons-collections-3.2.1	details Recommended version: 3.2.2 Description: Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 93SSITiOXNbv%2F9ZLHoVkMvNJRt25imLNcIsYBso8F8A%3D` Vulnerable Package
CVE-2016-2170	Maven-commons-collections:commons-collections-3.2.1	details Recommended version: 3.2.2 Description: Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java... Attack Vector: NETWORK Attack Complexity: LOW `ID: YyFMKW0uoJfJ0NYq1z5tLyYrGMJud67Rgbd8sL2segU%3D` Vulnerable Package
CVE-2020-10683	Maven-dom4j:dom4j-1.6.1	details Description: dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external docume... Attack Vector: NETWORK Attack Complexity: LOW `ID: yi2%2Bxe4oFOGPH8ZHfXHEL2iiPVavB0mttimit%2Fx9F9E%3D` Vulnerable Package
S3 Bucket ACL Allows Read Or Write to All Users	/Unsecure_Storage_of_Encryption_Key.tf: 3	details S3 Buckets should not be readable and writable to all users `ID: 6Thw0lyGNGEJB8XM6dmCXQ2gGJs%3D`
S3 Bucket ACL Allows Read Or Write to All Users	/s3.tf: 3	details S3 Buckets should not be readable and writable to all users `ID: %2FeJt8JbddaXPnxxxXGfpX3sBe7w%3D`
S3 Bucket Access to Any Principal	/s3_with_all_permissions.tf: 5	details S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data ... `ID: qO3unOAJQbhy9%2BHGXzA21x%2FBUHM%3D`
S3 Bucket Allows Delete Action From All Principals	/s3_with_all_permissions.tf: 5	details S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized... `ID: j6z7Nppuf3vonyn6ZDSKClAqRBE%3D`
S3 Bucket With All Permissions	/s3_with_all_permissions.tf: 5	details S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering /... `ID: hVS%2Fma8QNjRQLpDP5opWikaW1aI%3D`
SQL_Injection	/src/main/webapp/ForgotPassword.jsp: 42	details The application's ForgotPassword method executes an SQL query with executeQuery, at line 42 of /src/main/webapp/ForgotPassword.jsp. The applicati... `ID: Ap7yui1qhISu2YpARj28EIUKCk0%3D` Attack Vector
SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/sqs.java: 25	details The application's getId method executes an SQL query with executeQuery, at line 37 of /src/main/java/org/cysecurity/cspf/jvl/controller/sqs.java.... `ID: rE3i14B1QiwlAAnE3e%2BikfWKUzo%3D` Attack Vector
SQL_Injection	/src/main/webapp/ForgotPassword.jsp: 42	details The application's ForgotPassword method executes an SQL query with executeQuery, at line 42 of /src/main/webapp/ForgotPassword.jsp. The applicati... `ID: h27cjKm3Y5pkb6pf2Ts4NdMqFiA%3D` Attack Vector
Stored_XSS	/src/main/webapp/ForgotPassword.jsp: 42	details The method ForgotPassword embeds untrusted data in generated output with print, at line 44 of /src/main/webapp/ForgotPassword.jsp. This untrusted... `ID: TduBZLvxfPUX53uY04mn4tSMJLI%3D` Attack Vector
CVE-2015-6420	Maven-commons-collections:commons-collections-3.2.1	details Recommended version: 3.2.2 Description: Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, a... Attack Vector: NETWORK Attack Complexity: LOW `ID: pSBfFC0v0LZEgfzzd9b7l1RFA%2FZl25L6uHtWEY7uqus%3D` Vulnerable Package

More results are available on the CxOne platform

Fixed Issues (222)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2016-1000027~~	Maven-org.springframework:spring-webmvc-5.3.19
	~~CVE-2016-1000027~~	Maven-org.springframework:spring-web-5.3.19
	~~CVE-2021-28235~~	Go-go.etcd.io/etcd/server/v3-v3.5.0
	~~CVE-2022-1471~~	Maven-org.yaml:snakeyaml-1.29
	~~CVE-2022-1996~~	Go-github.com/emicklei/go-restful-v2.9.5
	~~CVE-2024-31573~~	Maven-org.xmlunit:xmlunit-core-2.8.4
	~~Command_Injection~~	/src/main/java/com/rest/controller/test/controller/UtilController.java: 12
	~~Cx0b915a4a-2d97~~	Npm-scs-0.0.1
	~~Cx18e041aa-8a63~~	Npm-node-ipc-9.2.2
	~~Cx4ca27ec0-0c96~~	Npm-scs-0.0.1
	~~Cx6bee2138-4df0~~	Npm-flow-dev-tools-99.10.9
	~~Cx8147ddef-ae09~~	Python-azure-powerbiembedded-6969.99.99
	~~Cx86e7ca06-a018~~	Python-not-particularly-2.5.0
	~~Cxae9d1b09-2adb~~	Npm-scs-0.0.1
	~~Cxbec87a55-fe55~~	Npm-node-ipc-9.2.2
	~~Cxccd8b30c-808c~~	Npm-scs-0.0.1
	~~Cxd55dbf56-4d06~~	Npm-scs-0.0.1
	~~Stored_XSS~~	/src/main/java/com/rest/controller/test/controller/UtilController.java: 14
	~~CVE-2016-10707~~	Npm-jquery-1.6.4
	~~CVE-2017-1000048~~	Npm-qs-6.0.0
	~~CVE-2020-7212~~	Python-urllib3-1.25.7
	~~CVE-2021-33503~~	Python-urllib3-1.25.7
	~~CVE-2022-21698~~	Go-github.com/prometheus/client_golang-v1.11.0
	~~CVE-2022-24999~~	Npm-qs-6.0.0
	~~CVE-2022-25857~~	Maven-org.yaml:snakeyaml-1.29
	~~CVE-2022-27191~~	Go-golang.org/x/crypto-v0.0.0-20211202192323-5770296d904e
	~~CVE-2022-28948~~	Go-gopkg.in/yaml.v3-v3.0.0-20210107192922-496545a6307b
	~~CVE-2022-32149~~	Go-golang.org/x/text-v0.3.7
	~~CVE-2022-3248~~	Go-github.com/openshift/api-v0.0.0-20220315184754-d7c10d0b647e
	~~CVE-2022-41723~~	Go-golang.org/x/net-v0.0.0-20220225172249-27dd8689420f
	~~CVE-2022-42003~~	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.2.1
	~~CVE-2022-42004~~	Maven-com.fasterxml.jackson.core:jackson-databind-2.13.2.1
	~~CVE-2022-42252~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
	~~CVE-2022-45143~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
	~~CVE-2023-1370~~	Maven-net.minidev:json-smart-2.4.8
	~~CVE-2023-20860~~	Maven-org.springframework:spring-webmvc-5.3.19
	~~CVE-2023-20883~~	Maven-org.springframework.boot:spring-boot-autoconfigure-2.6.7
	~~CVE-2023-24998~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
	~~CVE-2023-37788~~	Go-github.com/elazarl/goproxy-v0.0.0-20180725130230-947c36da3153
	~~CVE-2023-39325~~	Go-golang.org/x/net-v0.0.0-20220225172249-27dd8689420f
	~~CVE-2023-43804~~	Python-urllib3-1.25.7
	~~CVE-2023-44487~~	Go-k8s.io/apimachinery-v0.23.5
	~~CVE-2023-44487~~	Go-google.golang.org/grpc-v1.40.0
	~~CVE-2023-44487~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
	~~CVE-2023-44487~~	Go-k8s.io/apiserver-v0.23.5
	~~CVE-2023-45142~~	Go-go.opentelemetry.io/contrib-v0.20.0
	~~CVE-2023-45142~~	Go-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0
	~~CVE-2023-45288~~	Go-golang.org/x/net-v0.0.0-20220225172249-27dd8689420f
	~~CVE-2023-46589~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
	~~CVE-2023-47108~~	Go-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc-v0.20.0
	~~CVE-2023-47108~~	Go-go.opentelemetry.io/contrib-v0.20.0
	~~CVE-2023-6378~~	Maven-ch.qos.logback:logback-core-1.2.11
	~~CVE-2023-6378~~	Maven-ch.qos.logback:logback-classic-1.2.11
	~~CVE-2023-6481~~	Maven-ch.qos.logback:logback-core-1.2.11
	~~CVE-2024-22243~~	Maven-org.springframework:spring-web-5.3.19
	~~CVE-2024-22259~~	Maven-org.springframework:spring-web-5.3.19
	~~CVE-2024-22262~~	Maven-org.springframework:spring-web-5.3.19
	~~CVE-2024-23672~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
	~~CVE-2024-23672~~	Maven-org.apache.tomcat.embed:tomcat-embed-websocket-9.0.62
	~~CVE-2024-24549~~	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62

More results are available on the CxOne platform

Policy Management Violations (1)

Policy Name: No highs or mediums

Rule Name: No Highs or Mediums
Scanner: SAST
Entity: Vulnerability
Conditions(s): High > 0, Medium > 0

Issue	Source File / Package	Checkmarx Insight
Absolute_Path_Traversal	: 0	Attack Vector
Connection_String_Injection	: 0	Attack Vector
Connection_String_Injection	: 0	Attack Vector
Connection_String_Injection	: 0	Attack Vector
Improper_Restriction_of_XXE_Ref	: 0	Attack Vector
Missing_HSTS_Header	: 0	Attack Vector
Privacy_Violation	: 0	Attack Vector
Privacy_Violation	: 0	Attack Vector
Privacy_Violation	: 0	Attack Vector
Privacy_Violation	: 0	Attack Vector
Privacy_Violation	: 0	Attack Vector
Privacy_Violation	: 0	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	: 0	Attack Vector

fix: pom.xml to reduce vulnerabilities

e4da990

The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-11520814 - https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-11799151

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Snyk] Fix for 2 vulnerabilities#154

[Snyk] Fix for 2 vulnerabilities#154
tyleragypt wants to merge 1 commit intomasterfrom
snyk-fix-e341d923d0e757ac512c8c79acbd2853

tyleragypt commented Aug 14, 2025

Uh oh!

tyleragypt commented Aug 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

tyleragypt commented Aug 14, 2025

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

Vulnerabilities that will be fixed with an upgrade:

Uh oh!

tyleragypt commented Aug 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants