spring-boot-demo icon indicating copy to clipboard operation
spring-boot-demo copied to clipboard

Published 20 hours ago verified publisher icon temporalio

spring-boot-starter-actuator-2.7.3.jar: 1 vulnerabilities (highest severity is: 9.8)

Open mend-for-github-com[bot] opened this issue 2 years ago • 0 comments

Vulnerable Library - spring-boot-starter-actuator-2.7.3.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-actuator-autoconfigure/2.7.3/spring-boot-actuator-autoconfigure-2.7.3.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-boot-starter-actuator version) Remediation Possible**
CVE-2023-20873 Critical 9.8 spring-boot-actuator-autoconfigure-2.7.3.jar Transitive 2.7.12

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-20873

Vulnerable Library - spring-boot-actuator-autoconfigure-2.7.3.jar

Spring Boot Actuator AutoConfigure

Library home page: https://spring.io/projects/spring-boot

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-actuator-autoconfigure/2.7.3/spring-boot-actuator-autoconfigure-2.7.3.jar

Dependency Hierarchy:

  • spring-boot-starter-actuator-2.7.3.jar (Root Library)
    • :x: spring-boot-actuator-autoconfigure-2.7.3.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.

Publish Date: 2023-04-20

URL: CVE-2023-20873

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20873

Release Date: 2023-04-20

Fix Resolution (org.springframework.boot:spring-boot-actuator-autoconfigure): 2.7.12

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.7.12

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] avatar Apr 20 '23 19:04 mend-for-github-com[bot]