
[FP]: spring-boot-starter-web 3.1.5: CVE-2023-34055

Open AndreyMZ opened this issue 2 years ago • 2 comments

Package URL

pkg:maven/org.springframework.boot/[email protected]

CPE

cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*

CVE

CVE-2023-34055

ODC Integration

Gradle Plugin

ODC Version

9.0.4

Description

Additional information 1

All other spring-boot-* packages are also detected by OWASP DC as affected by this vulnerability.

Additional information 2

In OSS Index for some reason this vulnerability was attributed to spring-boot-actuator and not spring-boot:

  • https://mvnrepository.com/artifact/org.springframework.boot/spring-boot/3.1.5
  • https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator/3.1.5

In other places it is attributed to spring-boot only:

  1. GitHub Advisory Database: https://github.com/advisories?query=ecosystem%3Amaven+CVE-2023-34055
  2. Maven Repository:
    • https://mvnrepository.com/artifact/org.springframework.boot/spring-boot/3.1.5
    • https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-actuator/3.1.5

However, it definitely should not be attributed to all spring-boot-* packages.

AndreyMZ avatar Dec 08 '23 22:12 AndreyMZ

Maven Coordinates

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-web</artifactId>
   <version>3.1.5</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6268
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-web@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_boot</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7146868876

github-actions[bot] avatar Dec 08 '23 22:12 github-actions[bot]

Maven Coordinates

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-web</artifactId>
   <version>3.1.5</version>
</dependency>

Suppression rule:

<suppress base="true">
   <notes><![CDATA[
   FP per issue #6268
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-web@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_boot</cpe>
</suppress>

Link to test results: https://github.com/jeremylong/DependencyCheck/actions/runs/7147931473

github-actions[bot] avatar Dec 09 '23 00:12 github-actions[bot]
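Before a rule like the one in the bot comments is merged, it is worth checking how narrowly it is scoped, since the reporter notes that spring-boot-actuator is listed as affected by OSS Index and a looser regex would hide that finding too. The following Python snippet is an added example, not part of this issue or of DependencyCheck's own code: it parses the suppression rule above and applies a simplified model of its matching (the packageUrl regex must match the dependency's PURL and the version-less cpe value is treated as a prefix of the finding's CPE 2.2 identifier) to constructed findings; the FINDINGS list, the prefix-match assumption and the BROAD_XML variant are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# The suppression rule posted by the bot above, embedded verbatim (raw string keeps the regex escapes).
SUPPRESSION_XML = r"""<suppress base="true">
   <notes><![CDATA[
   FP per issue #6268
   ]]></notes>
   <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-web@.*$</packageUrl>
   <cpe>cpe:/a:vmware:spring_boot</cpe>
</suppress>"""

# Hypothetical variant with a loosened artifact pattern, used to show what over-broad scoping would suppress.
BROAD_XML = SUPPRESSION_XML.replace("spring-boot-starter-web@", "spring-boot.*@")

# Constructed findings standing in for what the scan reported (assumption, not real scanner output).
FINDINGS = [
    ("pkg:maven/org.springframework.boot/spring-boot-starter-web@3.1.5", "cpe:/a:vmware:spring_boot:3.1.5"),
    ("pkg:maven/org.springframework.boot/spring-boot-actuator@3.1.5", "cpe:/a:vmware:spring_boot:3.1.5"),
    ("pkg:maven/org.springframework.boot/spring-boot@3.1.5", "cpe:/a:vmware:spring_boot:3.1.5"),
]


def parse_rule(xml_text):
    """Extract (packageUrl pattern, is_regex, cpe) from a single <suppress> element."""
    root = ET.fromstring(xml_text)
    purl_el = root.find("packageUrl")
    pattern = purl_el.text.strip()
    is_regex = purl_el.get("regex", "false") == "true"
    cpe = root.find("cpe").text.strip()
    return pattern, is_regex, cpe


def matches(rule, purl, cpe):
    """Simplified model: PURL must match the rule pattern and the rule CPE must prefix the finding CPE (assumption)."""
    pattern, is_regex, rule_cpe = rule
    purl_ok = re.search(pattern, purl) is not None if is_regex else purl == pattern
    return purl_ok and cpe.startswith(rule_cpe)


def suppressed_findings(xml_text, findings=FINDINGS):
    """Return the PURLs of the findings that the given rule would suppress."""
    rule = parse_rule(xml_text)
    return [purl for purl, cpe in findings if matches(rule, purl, cpe)]


if __name__ == "__main__":
    print("anchored rule suppresses:", suppressed_findings(SUPPRESSION_XML))
    print("broad rule suppresses:   ", suppressed_findings(BROAD_XML))
```

The anchored rule suppresses only the starter-web finding, while the broad variant would also silence spring-boot-actuator and spring-boot.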