CVE-2019-17563 (High) detected in multiple libraries - autoclosed

[mend-for-github.lhy31512.workers.dev]

CVE-2019-17563 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.0.jar, tomcat-embed-core-7.0.37.jar, tomcat-embed-core-8.5.35.jar, tomcat-embed-core-8.5.34.jar

tomcat-embed-core-7.0.0.jar

Core Tomcat implementation

Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/lambda-testing/lambda-testing.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-7.0.0.jar (Vulnerable Library)

tomcat-embed-core-7.0.37.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /dd-java-agent/instrumentation/jsp-2.3/jsp-2.3.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-7.0.37.jar (Vulnerable Library)

tomcat-embed-core-8.5.35.jar

Core Tomcat implementation

Path to dependency file: /dd-smoke-tests/springboot/springboot.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.35/9c459829e1aa72669203dbbf6648dc3b6314644c/tomcat-embed-core-8.5.35.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.35/9c459829e1aa72669203dbbf6648dc3b6314644c/tomcat-embed-core-8.5.35.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.18.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.5.18.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.35.jar (Vulnerable Library)

tomcat-embed-core-8.5.34.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /dd-java-agent/instrumentation/spring-webmvc-3.1/spring-webmvc-3.1.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.34/a038040d68a90397f95dd1e11b979fe364a5000f/tomcat-embed-core-8.5.34.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.17.RELEASE.jar (Root Library)
  • spring-boot-starter-tomcat-1.5.17.RELEASE.jar
    • ❌ tomcat-embed-core-8.5.34.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Publish Date: 2019-12-23

URL: CVE-2019-17563

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563

Release Date: 2019-12-23

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.50

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.50

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

---

⛑️ Automatic Remediation is available for this issue

[mend-for-github.lhy31512.workers.dev]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.