
[Snyk] Security upgrade io.undertow:undertow-core from 2.0.9.Final to 2.3.20.Final (#155)

Open

tyleragypt wants to merge 1 commit into master from snyk-fix-2600f3e9dfb1634064867adbf03c46b2

Conversation

@tyleragypt
Owner


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue: Allocation of Resources Without Limits or Throttling (MadeYouReset), high severity, SNYK-JAVA-IOUNDERTOW-12458577 (No Path Found; No Known Exploit)
Score: 585
Upgrade: io.undertow:undertow-core: 2.0.9.Final -> 2.3.20.Final

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-12458577
@tyleragypt
Owner Author

Checkmarx One – Scan Summary & Details: aee920fe-ca56-455d-97f6-8a9e535ea81f

New Issues (160)

Checkmarx found the following issues in this Pull Request

Severity  Issue  Source File / Package  Checkmarx Insight

CRITICAL  CVE-2015-2575  Maven-mysql:mysql-connector-java-5.1.26  (Checkmarx Insight: Vulnerable Package)
    Recommended version: 5.1.35
    Description: Improper Access Control vulnerability in the MySQL Connectors component in Oracle MySQL versions prior to 5.1.35 allows remote authenticated users ...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Exploitable Path: [email protected]/SendMessage.java - ... - [email protected]/StringUtils.java

CRITICAL  CVE-2015-4852  Maven-commons-collections:commons-collections-3.2.1  (Checkmarx Insight: Vulnerable Package)
    Recommended version: 3.2.2
    Description: The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary comman...
    Attack Vector: NETWORK
    Attack Complexity: LOW

CRITICAL  CVE-2015-7501  Maven-commons-collections:commons-collections-3.2.1  (Checkmarx Insight: Vulnerable Package)
    Recommended version: 3.2.2
    Description: Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application ...
    Attack Vector: NETWORK
    Attack Complexity: LOW

CRITICAL  CVE-2016-2170  Maven-commons-collections:commons-collections-3.2.1  (Checkmarx Insight: Vulnerable Package)
    Recommended version: 3.2.2
    Description: Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java...
    Attack Vector: NETWORK
    Attack Complexity: LOW

CRITICAL  CVE-2020-10683  Maven-dom4j:dom4j-1.6.1  (Checkmarx Insight: Vulnerable Package)
    Description: dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external docume...
    Attack Vector: NETWORK
    Attack Complexity: LOW

CRITICAL  CVE-2020-1938  Maven-org.apache.tomcat:tomcat-coyote-9.0.22  (Checkmarx Insight: Vulnerable Package)
    Recommended version: 9.0.108
    Description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections a...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Exploitable Path: [email protected]/AddPageVuln.java - ... - [email protected]

CRITICAL  S3 Bucket ACL Allows Read Or Write to All Users  /s3.tf: 3
    S3 Buckets should not be readable and writable to all users

CRITICAL  S3 Bucket ACL Allows Read Or Write to All Users  /Unsecure_Storage_of_Encryption_Key.tf: 3
    S3 Buckets should not be readable and writable to all users

CRITICAL  S3 Bucket Access to Any Principal  /s3_with_all_permissions.tf: 5
    S3 Buckets must not allow Actions From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized data ...

CRITICAL  S3 Bucket Allows Delete Action From All Principals  /s3_with_all_permissions.tf: 5
    S3 Buckets must not allow Delete Action From All Principals, as to prevent leaking private information to the entire internet or allow unauthorized...

CRITICAL  S3 Bucket With All Permissions  /s3_with_all_permissions.tf: 5
    S3 Buckets should not have all permissions, as to prevent leaking private information to the entire internet or allow unauthorized data tampering /...

CRITICAL  SQL_Injection  /src/main/webapp/ForgotPassword.jsp: 42  (Checkmarx Insight: Attack Vector)
    The application's ForgotPassword method executes an SQL query with executeQuery, at line 42 of /src/main/webapp/ForgotPassword.jsp. The applicati...

CRITICAL  SQL_Injection  /src/main/java/org/cysecurity/cspf/jvl/controller/sqs.java: 25  (Checkmarx Insight: Attack Vector)
    The application's getId method executes an SQL query with executeQuery, at line 37 of /src/main/java/org/cysecurity/cspf/jvl/controller/sqs.java....

CRITICAL  SQL_Injection  /src/main/webapp/ForgotPassword.jsp: 42  (Checkmarx Insight: Attack Vector)
    The application's ForgotPassword method executes an SQL query with executeQuery, at line 42 of /src/main/webapp/ForgotPassword.jsp. The applicati...

More results are available on the CxOne platform

Fixed Issues (212)

Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
CRITICAL CVE-2016-1000027 Maven-org.springframework:spring-webmvc-5.3.19
CRITICAL CVE-2016-1000027 Maven-org.springframework:spring-web-5.3.19
CRITICAL CVE-2021-28235 Go-go.etcd.io/etcd/server/v3-v3.5.0
CRITICAL CVE-2022-1471 Maven-org.yaml:snakeyaml-1.29
CRITICAL CVE-2022-1996 Go-github.com/emicklei/go-restful-v2.9.5
CRITICAL CVE-2024-31573 Maven-org.xmlunit:xmlunit-core-2.8.4
CRITICAL Command_Injection /src/main/java/com/rest/controller/test/controller/UtilController.java: 12
CRITICAL Cx0b915a4a-2d97 Npm-scs-0.0.1
CRITICAL Cx18e041aa-8a63 Npm-node-ipc-9.2.2
CRITICAL Cx4ca27ec0-0c96 Npm-scs-0.0.1
CRITICAL Cx6bee2138-4df0 Npm-flow-dev-tools-99.10.9
CRITICAL Cx8147ddef-ae09 Python-azure-powerbiembedded-6969.99.99
CRITICAL Cx86e7ca06-a018 Python-not-particularly-2.5.0
CRITICAL Cxae9d1b09-2adb Npm-scs-0.0.1
CRITICAL Cxbec87a55-fe55 Npm-node-ipc-9.2.2
CRITICAL Cxccd8b30c-808c Npm-scs-0.0.1
CRITICAL Cxd55dbf56-4d06 Npm-scs-0.0.1
CRITICAL Stored_XSS /src/main/java/com/rest/controller/test/controller/UtilController.java: 14
HIGH CVE-2016-10707 Npm-jquery-1.6.4
HIGH CVE-2017-1000048 Npm-qs-6.0.0
HIGH CVE-2020-7212 Python-urllib3-1.25.7
HIGH CVE-2021-33503 Python-urllib3-1.25.7
HIGH CVE-2022-21698 Go-github.com/prometheus/client_golang-v1.11.0
HIGH CVE-2022-24999 Npm-qs-6.0.0
HIGH CVE-2022-25857 Maven-org.yaml:snakeyaml-1.29
HIGH CVE-2022-27191 Go-golang.org/x/crypto-v0.0.0-20211202192323-5770296d904e
HIGH CVE-2022-28948 Go-gopkg.in/yaml.v3-v3.0.0-20210107192922-496545a6307b
HIGH CVE-2022-32149 Go-golang.org/x/text-v0.3.7
HIGH CVE-2022-3248 Go-github.com/openshift/api-v0.0.0-20220315184754-d7c10d0b647e
HIGH CVE-2022-41723 Go-golang.org/x/net-v0.0.0-20220225172249-27dd8689420f
HIGH CVE-2022-42003 Maven-com.fasterxml.jackson.core:jackson-databind-2.13.2.1
HIGH CVE-2022-42004 Maven-com.fasterxml.jackson.core:jackson-databind-2.13.2.1
HIGH CVE-2022-45143 Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
HIGH CVE-2023-1370 Maven-net.minidev:json-smart-2.4.8
HIGH CVE-2023-20860 Maven-org.springframework:spring-webmvc-5.3.19
HIGH CVE-2023-20883 Maven-org.springframework.boot:spring-boot-autoconfigure-2.6.7
HIGH CVE-2023-37788 Go-github.com/elazarl/goproxy-v0.0.0-20180725130230-947c36da3153
HIGH CVE-2023-39325 Go-golang.org/x/net-v0.0.0-20220225172249-27dd8689420f
HIGH CVE-2023-43804 Python-urllib3-1.25.7
HIGH CVE-2023-45142 Go-go.opentelemetry.io/contrib-v0.20.0
HIGH CVE-2023-45142 Go-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0
HIGH CVE-2023-45288 Go-golang.org/x/net-v0.0.0-20220225172249-27dd8689420f
HIGH CVE-2023-46589 Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
HIGH CVE-2023-47108 Go-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc-v0.20.0
HIGH CVE-2023-47108 Go-go.opentelemetry.io/contrib-v0.20.0
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-core-1.2.11
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-classic-1.2.11
HIGH CVE-2023-6481 Maven-ch.qos.logback:logback-core-1.2.11
HIGH CVE-2024-22243 Maven-org.springframework:spring-web-5.3.19
HIGH CVE-2024-22259 Maven-org.springframework:spring-web-5.3.19
HIGH CVE-2024-22262 Maven-org.springframework:spring-web-5.3.19
HIGH CVE-2024-23672 Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.62
HIGH CVE-2024-23672 Maven-org.apache.tomcat.embed:tomcat-embed-websocket-9.0.62
HIGH CVE-2024-24786 Go-google.golang.org/protobuf-v1.27.1
HIGH CVE-2024-38809 Maven-org.springframework:spring-web-5.3.19
HIGH Cx0a21eeca-49b1 Npm-scs-0.0.1
HIGH Cx0eb7d3da-c52e Python-azure-powerbiembedded-6969.99.99
HIGH Cx4d89cd75-1e27 Python-azure-powerbiembedded-6969.99.99
HIGH Cx6eb8ff4e-c9cf Npm-flow-dev-tools-99.10.9
HIGH Cx9f739bef-35bb Npm-flow-dev-tools-99.10.9
HIGH Cxb52dba53-66d2 Python-not-particularly-2.5.0

More results are available on the CxOne platform

Policy Management Violations (2)

The following violations of your team's AppSec policy rules were identified in this project. Since 'Break Build' is enabled for these rules, you must resolve these issues before the Pull Request can be merged.

Policy Name: No highs or mediums

Policy Name: Global Policy (this is the default policy that applies to all projects in your account)
  • Rule Name: DemoRule
    Scanner: SCA

  • Rule Name: AGPL
    Scanner: SCA


Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR
