
Story #12307: Upgrade spring boot suite

Open · ebernard opened this issue 10 months ago · 1 comment

Migration to Spring Boot 3.1. Note: WIP

ebernard · Feb 14 '25 08:02

Checkmarx One – Scan Summary & Details (scan 1d0fceb8-53df-44ec-9452-cbaabde78180)

New Issues (127)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

HIGH CVE-2021-0341 Maven-com.squareup.okhttp3:okhttp-4.2.2
    Recommended version: 4.9.2
    Description: In "verifyHostName" method of "OkHostnameVerifier.java", there is a possible way to accept a certificate for the wrong domain due to improperly use...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

HIGH CVE-2023-3635 Maven-com.squareup.okio:okio-2.2.2
    Recommended version: 3.4.0
    Description: GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to Denial Of Service of the Okio c...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

HIGH CVE-2024-47554 Maven-commons-io:commons-io-2.11.0
    Recommended version: 2.14.0
    Description: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The "org.apache.commons.io.input.XmlStreamReader" class may excessively consu...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

HIGH Passwords And Secrets - Generic Password /vitamui_vars.yml: 233
    Query to find passwords and secrets in infrastructure code.

HIGH Reflected_XSS /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    The method computedInheritedRules embeds untrusted data in generated output with ResponseEntity, at line 293 of /api/api-archive-search/archive-sea...
    Attack Vector

HIGH Reflected_XSS /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    The method updateArchiveUnitsRules embeds untrusted data in generated output with ResponseEntity, at line 280 of /api/api-archive-search/archive-se...
    Attack Vector

HIGH Reflected_XSS /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    The method reclassification embeds untrusted data in generated output with ResponseEntity, at line 319 of /api/api-archive-search/archive-search-in...
    Attack Vector

HIGH Reflected_XSS /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    The method exportDIPByCriteria embeds untrusted data in generated output with ResponseEntity, at line 227 of /api/api-archive-search/archive-search...
    Attack Vector

HIGH Reflected_XSS /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    The method transferRequest embeds untrusted data in generated output with ResponseEntity, at line 241 of /api/api-archive-search/archive-search-int...
    Attack Vector

MEDIUM Absolute_Path_Traversal /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    Method getApplicationId at line 118 of /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java ge...
    Attack Vector

MEDIUM CVE-2014-3577 Maven-org.apache.httpcomponents:httpclient-4.2.1-atlassian-2
    Description: org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.4-beta1 and HttpAsyncClient before 4.0.2 does not properly v...
    Attack Vector: NETWORK
    Attack Complexity: MEDIUM
    Vulnerable Package

MEDIUM CVE-2020-13956 Maven-org.apache.httpcomponents:httpclient-4.2.1-atlassian-2
    Description: Apache HttpClient can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong ta...
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

MEDIUM CVE-2022-24329 Maven-org.jetbrains.kotlin:kotlin-stdlib-1.3.50
    Recommended version: 1.6.20
    Description: In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Vulnerable Package

MEDIUM CVE-2023-0833 Maven-com.squareup.okhttp3:okhttp-4.2.2
    Recommended version: 4.9.2
    Description: A flaw was found in Red Hat's AMQ-Streams, which ships a version of the "OKHttp" component with an information disclosure flaw via an exception tri...
    Attack Vector: LOCAL
    Attack Complexity: LOW
    Vulnerable Package

MEDIUM Improper_Restriction_of_XXE_Ref /api/api-ingest/ingest-internal/src/main/java/fr/gouv/vitamui/ingest/internal/server/rest/IngestInternalController.java: 131
    The convertStringToXMLDocument loads and parses XML using parse, at line 431 of /api/api-ingest/ingest-internal/src/main/java/fr/gouv/vitamui/inges...
    Attack Vector

MEDIUM Improper_Restriction_of_XXE_Ref /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 118
    The convertStringToXMLDocument loads and parses XML using parse, at line 431 of /api/api-ingest/ingest-internal/src/main/java/fr/gouv/vitamui/inges...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java: 143
    Method create at line 143 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java gets us...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java: 222
    Method create at line 222 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java gets ...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java: 222
    Method create at line 222 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java gets ...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java: 222
    Method create at line 222 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java gets ...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java: 143
    Method create at line 143 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java gets us...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java: 207
    Method update at line 207 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java gets ...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java: 232
    Method patch at line 232 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java gets u...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java: 143
    Method create at line 143 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java gets us...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 224
    Method getUser at line 224 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java gets user...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 208
    Method getUsersByEmail at line 208 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java g...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 123
    Method login at line 123 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java gets user i...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java: 222
    Method create at line 222 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CustomerInternalController.java gets ...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/GroupInternalController.java: 189
    Method create at line 189 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/GroupInternalController.java gets use...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java: 150
    Method getHttpContext at line 150 of /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/InternalSecurityService.java gets...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 192
    Method changePassword at line 192 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java ge...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java: 143
    Method create at line 143 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/TenantInternalController.java gets us...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 283
    Method logout at line 283 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java gets user ...
    Attack Vector

MEDIUM Parameter_Tampering /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java: 283
    Method logout at line 283 of /api/api-iam/iam-internal/src/main/java/fr/gouv/vitamui/iam/internal/server/rest/CasInternalController.java gets user ...
    Attack Vector

More results are available on the CxOne platform

Fixed Issues (253)

Great job! The following issues were fixed in this Pull Request

Severity | Issue | Source File / Package
HIGH ~~CVE-2023-34054~~ Maven-io.projectreactor.netty:reactor-netty-core-1.0.32
HIGH ~~CVE-2023-34062~~ Maven-io.projectreactor.netty:reactor-netty-http-1.0.32
HIGH ~~CVE-2023-44487~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
HIGH ~~CVE-2023-44487~~ Maven-io.netty:netty-codec-http2-4.1.92.Final
HIGH ~~CVE-2023-46589~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
HIGH ~~CVE-2023-6378~~ Maven-ch.qos.logback:logback-classic-1.2.12
HIGH ~~CVE-2023-6378~~ Maven-ch.qos.logback:logback-core-1.2.12
HIGH ~~CVE-2023-6481~~ Maven-ch.qos.logback:logback-core-1.2.12
HIGH ~~CVE-2024-23672~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
HIGH ~~CVE-2024-23672~~ Maven-org.apache.tomcat.embed:tomcat-embed-websocket-9.0.75
HIGH ~~CVE-2024-24549~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
HIGH ~~Passwords And Secrets - Generic Password~~ /vitamui_vars.yml: 220
HIGH ~~Reflected_XSS~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
HIGH ~~Reflected_XSS~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
HIGH ~~Reflected_XSS~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
HIGH ~~Reflected_XSS~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
HIGH ~~Reflected_XSS~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Absolute_Path_Traversal~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~CVE-2020-15250~~ Maven-junit:junit-4.13
MEDIUM ~~CVE-2022-22970~~ Maven-org.springframework:spring-beans-5.3.19
MEDIUM ~~CVE-2023-41080~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
MEDIUM ~~CVE-2023-42794~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
MEDIUM ~~CVE-2023-42795~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
MEDIUM ~~CVE-2023-45648~~ Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.75
MEDIUM ~~CVE-2023-51074~~ Maven-com.jayway.jsonpath:json-path-2.5.0
MEDIUM ~~CVE-2024-29025~~ Maven-io.netty:netty-codec-http-4.1.92.Final
MEDIUM ~~Improper_Restriction_of_XXE_Ref~~ /api/api-ingest/ingest-external/src/main/java/fr/gouv/vitamui/ingest/server/rest/IngestController.java: 131
MEDIUM ~~Improper_Restriction_of_XXE_Ref~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 109
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172
MEDIUM ~~Privacy_Violation~~ /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/ExternalSecurityService.java: 172

More results are available on the CxOne platform

vitam-prg · Feb 14 '25 08:02