Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Fix for 46 vulnerabilities #52

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

[Snyk] Fix for 46 vulnerabilities #52

wants to merge 1 commit into from

Conversation

snyk-bot
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • webgoat-lessons/pom.xml

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Upgrade Breaking Change Exploit Maturity Reachability
critical severity 680/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 9.1		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 530/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.1		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 490/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 530/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.1		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 490/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 530/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.1		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
high severity 600/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 490/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.3		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 535/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.2		 Deserialization of Untrusted Data
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
high severity 650/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.5		 Arbitrary Code Execution
SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176		 com.thoughtworks.xstream:xstream:
1.4.7 -> 1.4.18
No Proof of Concept No Path Found
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 NULL Pointer Dereference
SNYK-JAVA-IOUNDERTOW-1053957		 No No Known Exploit No Path Found
high severity 525/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JAVA-IOUNDERTOW-1064578		 No No Known Exploit No Path Found
high severity 600/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JAVA-IOUNDERTOW-1537664		 No Proof of Concept No Path Found
medium severity 390/1000
Why? Has a fix available, CVSS 4.8		 Security Bypass
SNYK-JAVA-IOUNDERTOW-567266		 No No Known Exploit No Path Found
high severity 520/1000
Why? Has a fix available, CVSS 7.4		 XML External Entity (XXE) Injection
SNYK-JAVA-ORGDOM4J-565810		 No No Known Exploit No Path Found
high severity 568/1000
Why? Has a fix available, CVSS 8.2		 SQL Injection
SNYK-JAVA-ORGHIBERNATE-1041788		 No No Known Exploit No Path Found
high severity 555/1000
Why? Has a fix available, CVSS 8.1		 SQL Injection
SNYK-JAVA-ORGHIBERNATE-584563		 No No Known Exploit No Path Found
medium severity 483/1000
Why? Has a fix available, CVSS 6.5		 Cross-site Scripting (XSS)
SNYK-JAVA-ORGHIBERNATEVALIDATOR-541187		 No No Known Exploit No Path Found
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 Improper Input Validation
SNYK-JAVA-ORGHIBERNATEVALIDATOR-568163		 No No Known Exploit No Path Found
high severity 550/1000
Why? Has a fix available, CVSS 8		 Remote Code Execution (RCE)
SNYK-JAVA-ORGHSQLDB-3040860		 No No Known Exploit No Path Found
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 Allocation of Resources Without Limits or Throttling
SNYK-JAVA-ORGJBOSSXNIO-2994360		 No No Known Exploit No Path Found
high severity 580/1000
Why? Has a fix available, CVSS 8.6		 Improper Input Validation
SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832		 No No Known Exploit No Path Found
medium severity 370/1000
Why? Has a fix available, CVSS 4.4		 Privilege Escalation
SNYK-JAVA-ORGSPRINGFRAMEWORK-1296829		 No No Known Exploit No Path Found
medium severity 365/1000
Why? Has a fix available, CVSS 4.3		 Improper Output Neutralization for Logs
SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097		 No No Known Exploit No Path Found
medium severity 365/1000
Why? Has a fix available, CVSS 4.3		 Improper Input Validation
SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878		 No No Known Exploit No Path Found
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 Denial of Service (DoS)
SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828		 No No Known Exploit No Path Found
critical severity 790/1000
Why? Mature exploit, Has a fix available, CVSS 9.8		 Remote Code Execution
SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751		 No Mature No Path Found
low severity 410/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Improper Handling of Case Sensitivity
SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634		 No Proof of Concept No Path Found
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 Denial of Service (DoS)
SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313		 No No Known Exploit No Path Found
medium severity 415/1000
Why? Has a fix available, CVSS 5.3		 Allocation of Resources Without Limits or Throttling
SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749		 No No Known Exploit No Path Found
medium severity 475/1000
Why? Has a fix available, CVSS 6.5		 Allocation of Resources Without Limits or Throttling
SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217		 No No Known Exploit No Path Found
high severity 625/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8		 Reflected File Download (RFD)
SNYK-JAVA-ORGSPRINGFRAMEWORK-559346		 No Proof of Concept No Path Found
high severity 540/1000
Why? Has a fix available, CVSS 7.8		 Insecure Temporary File
SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-2438287		 No No Known Exploit No Path Found
high severity 555/1000
Why? Has a fix available, CVSS 8.1		 Access Restriction Bypass
SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-5441321		 No No Known Exploit No Path Found
medium severity 375/1000
Why? Has a fix available, CVSS 4.5		 Privilege Escalation
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-1078232		 No No Known Exploit No Path Found
low severity 313/1000
Why? Has a fix available, CVSS 3.1		 Timing Attack
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-1290497		 No No Known Exploit No Path Found
high severity 635/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 8.2		 Authorization Bypass
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-2833359		 No Proof of Concept No Path Found
medium severity 475/1000
Why? Has a fix available, CVSS 6.5		 Cryptographic Weakness
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204		 No No Known Exploit No Path Found
high severity 555/1000
Why? Has a fix available, CVSS 8.1		 Remote Code Execution
SNYK-JAVA-ORGTHYMELEAF-1915389		 No No Known Exploit No Path Found
medium severity 475/1000
Why? Has a fix available, CVSS 6.5		 Cross-site Scripting (XSS)
SNYK-JAVA-ORGTHYMELEAFEXTRAS-572299		 No No Known Exploit No Path Found
high severity 525/1000
Why? Has a fix available, CVSS 7.5		 Denial of Service (DoS)
SNYK-JAVA-ORGYAML-2806360		 No No Known Exploit No Path Found
low severity 410/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 3.7		 Stack-based Buffer Overflow
SNYK-JAVA-ORGYAML-3016888		 No Proof of Concept No Path Found
low severity 335/1000
Why? Has a fix available, CVSS 3.7		 Stack-based Buffer Overflow
SNYK-JAVA-ORGYAML-3016889		 No No Known Exploit No Path Found
medium severity 440/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 4.3		 Stack-based Buffer Overflow
SNYK-JAVA-ORGYAML-3016891		 No Proof of Concept No Path Found
low severity 335/1000
Why? Has a fix available, CVSS 3.7		 Stack-based Buffer Overflow
SNYK-JAVA-ORGYAML-3113851		 No No Known Exploit No Path Found
medium severity 495/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 5.4		 Denial of Service (DoS)
SNYK-JAVA-ORGYAML-537645		 No Proof of Concept No Path Found

(*) Note that the real score may have changed since the PR was raised.

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.owasp.webgoat:webgoat-container@v8.0.0-SNAPSHOT to org.owasp.webgoat:webgoat-container@7.0; Reason could not apply upgrade, dependency is managed externally ; Location: provenance does not contain location

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
馃 View latest project report

馃洜 Adjust project settings

馃摎 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

馃 Deserialization of Untrusted Data
馃 NULL Pointer Dereference
馃 Denial of Service (DoS)
馃 More lessons are available in Snyk Learn

@snyk-bot
fix: webgoat-lessons/pom.xml to reduce vulnerabilities
b203d7b 
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540
- https://snyk.io/vuln/SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-1053957
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-1064578
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-1537664
- https://snyk.io/vuln/SNYK-JAVA-IOUNDERTOW-567266
- https://snyk.io/vuln/SNYK-JAVA-ORGDOM4J-565810
- https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-1041788
- https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-584563
- https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATEVALIDATOR-541187
- https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATEVALIDATOR-568163
- https://snyk.io/vuln/SNYK-JAVA-ORGHSQLDB-3040860
- https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSXNIO-2994360
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-1296829
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-3369749
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-5422217
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-559346
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-2438287
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-5441321
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-1078232
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-1290497
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-2833359
- https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-570204
- https://snyk.io/vuln/SNYK-JAVA-ORGTHYMELEAF-1915389
- https://snyk.io/vuln/SNYK-JAVA-ORGTHYMELEAFEXTRAS-572299
- https://snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360
- https://snyk.io/vuln/SNYK-JAVA-ORGYAML-3016888
- https://snyk.io/vuln/SNYK-JAVA-ORGYAML-3016889
- https://snyk.io/vuln/SNYK-JAVA-ORGYAML-3016891
- https://snyk.io/vuln/SNYK-JAVA-ORGYAML-3113851
- https://snyk.io/vuln/SNYK-JAVA-ORGYAML-537645
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@snyk-bot