Add files via upload #52
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-10237
Check Name: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
Severity: MEDIUM
Fixed Version: 24.1.1-jre, 24.1.1-android
Description: Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-10237
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2020-8908
Check Name: guava: local information disclosure via temporary directory created with unsafe permissions
Severity: LOW
Fixed Version: 30.0
Description: A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2020-8908
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2023-24998
Check Name: Apache Commons FileUpload: FileUpload DoS with excessive parts
Severity: HIGH
Fixed Version: 1.5
Description: Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2023-24998
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2021-29425
Check Name: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6
Severity: MEDIUM
Fixed Version: 2.7
Description: In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2021-29425
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2022-41853
Check Name: hsqldb: Untrusted input may lead to RCE attack
Severity: CRITICAL
Fixed Version: 2.7.1
Description: Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2022-41853
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2020-13692
Check Name: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
Severity: HIGH
Fixed Version: 42.2.13
Description: PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2020-13692
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2022-22978
Check Name: springframework: Authorization Bypass in RegexRequestMatcher
Severity: CRITICAL
Fixed Version: 5.5.7, 5.6.4
Description: In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2022-22978
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2016-5007
Check Name: spring: Path matching inconsistency
Severity: HIGH
Fixed Version: 4.1.1.RELEASE
Description: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2016-5007
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2021-22112
Check Name: jenkins: Privilege escalation vulnerability in bundled Spring Security library
Severity: HIGH
Fixed Version: 5.2.9.RELEASE, 5.3.8.RELEASE, 5.4.4
Description: Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2021-22112
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2022-22976
Check Name: springframework: BCrypt skips salt rounds for work factor of 31
Severity: MEDIUM
Fixed Version: 5.5.7, 5.6.4
Description: Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2022-22976
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2021-22112
Check Name: jenkins: Privilege escalation vulnerability in bundled Spring Security library
Severity: HIGH
Fixed Version: 5.2.9, 5.4.4
Description: Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request.A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2021-22112
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2022-22965
Check Name: spring-framework: RCE via Data Binding on JDK 9+
Severity: CRITICAL
Fixed Version: 5.2.20.RELEASE, 5.3.18
Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2022-22965
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: GHSA-36p3-wjmg-h94x
Check Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Severity: UNKNOWN
Fixed Version: 5.2.20, 5.3.18
Description: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-webflux.
[This comment was created by Aqua Pipeline]
Read more at GHSA-36p3-wjmg-h94x
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-1270
Check Name: spring-framework: Possible RCE via spring messaging
Severity: CRITICAL
Fixed Version: 4.3.16
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-1270
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-1275
Check Name: spring-framework: Address partial fix for CVE-2018-1270
Severity: CRITICAL
Fixed Version: 4.3.16, 5.0.5
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-1275
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2016-5007
Check Name: spring: Path matching inconsistency
Severity: HIGH
Fixed Version: 4.3.1.RELEASE
Description: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2016-5007
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2016-9878
Check Name: Spring Framework: Directory Traversal in the Spring Framework ResourceServlet
Severity: HIGH
Fixed Version: 3.2.18, 4.2.9, 4.3.5
Description: An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2016-9878
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-1272
Check Name: spring-framework: Multipart content pollution
Severity: HIGH
Fixed Version: 4.3.15, 5.0.5
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-1272
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-15756
Check Name: springframework: DoS Attack via Range Requests
Severity: HIGH
Fixed Version: 5.1.1, 4.3.20
Description: Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-15756
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-1275
Check Name: spring-framework: Address partial fix for CVE-2018-1270
Severity: CRITICAL
Fixed Version: 4.3.16, 5.0.5
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-1275
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2019-11272
Check Name: spring-security-core: mishandling of user passwords allows logging in with a password of NULL
Severity: HIGH
Fixed Version: 4.3.0.RELEASE
Description: Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2019-11272
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-1257
Check Name: spring-framework: ReDoS Attack with spring-messaging
Severity: MEDIUM
Fixed Version: 4.3.17
Description: Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression, denial of service attack.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-1257
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2016-5007
Check Name: spring: Path matching inconsistency
Severity: HIGH
Fixed Version: 4.3.1.RELEASE
Description: Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regards to space trimming in path segments, can lead Spring Security to not recognize certain paths as not protected that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer features with regards to pattern matching as well as by the fact that pattern matching in each Spring Security and the Spring Framework can easily be customized creating additional differences.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2016-5007
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2016-9878
Check Name: Spring Framework: Directory Traversal in the Spring Framework ResourceServlet
Severity: HIGH
Fixed Version: 3.2.18, 4.2.9, 4.3.5
Description: An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2016-9878
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-1271
Check Name: spring-framework: Directory traversal vulnerability with static resources on Windows filesystems
Severity: MEDIUM
Fixed Version: 4.3.15
Description: Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead a directory traversal attack.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-1271
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2019-3795
Check Name: spring-security-core: Insecure randomness when using a secureRandom instance constructed by Spring Security
Severity: MEDIUM
Fixed Version: 4.3.0.RELEASE, 5.0.13.RELEASE, 5.1.6.RELEASE
Description: Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2019-3795
| @@ -0,0 +1,234 @@ | |||
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2018-15756
Check Name: springframework: DoS Attack via Range Requests
Severity: HIGH
Fixed Version: 5.1.1, 4.3.20
Description: Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2018-15756
| @@ -0,0 +1,1032 @@ | |||
| # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2022-37601
Check Name: loader-utils: prototype pollution in function parseQuery in parseQuery.js
Severity: CRITICAL
Fixed Version: 1.4.1, 2.0.3
Description: Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2022-37601
| @@ -0,0 +1,1032 @@ | |||
| # THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. | |||
There was a problem hiding this comment.
⚠️ Aqua detected vulnerability in your code
Vulnerability ID: CVE-2022-37599
Check Name: A Regular expression denial of service (ReDoS) flaw was found in Funct ...
Severity: HIGH
Fixed Version: 3.2.1, 2.0.4, 1.4.2
Description: A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the resourcePath variable in interpolateName.js.
[This comment was created by Aqua Pipeline]
Read more at https://avd.aquasec.com/nvd/cve-2022-37599
No description provided.