WS-2021-0172 (Medium) detected in multiple libraries - autoclosed #264
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github.lhy31512.workers.dev
bot
added
the
Mend: dependency security vulnerability
1 task
mend-for-github.lhy31512.workers.dev
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WS-2021-0172 - Medium Severity Vulnerability
spring-web-5.0.0.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.0.RELEASE/f5c2d9d5668534c308a1ca4eda070cd01320af65/spring-web-5.0.0.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.0.RELEASE/f5c2d9d5668534c308a1ca4eda070cd01320af65/spring-web-5.0.0.RELEASE.jar
Dependency Hierarchy:
spring-web-5.0.4.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-webflux-5/spring-webflux-5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.4.RELEASE/9565bbc67bf1a850a6505deaa5103931712a7b80/spring-web-5.0.4.RELEASE.jar
Dependency Hierarchy:
spring-web-5.0.13.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-webflux-5/spring-webflux-5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.0.13.RELEASE/8e66504c87cc26109204b08cf7b6530951265483/spring-web-5.0.13.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
In spring-framework, versions v5.0.0.M1 through v5.0.20.RELEASE are vulnerable to cross-site request forgery (CSRF), due to ‘SameSite’ cookie not implemented
Publish Date: 2021-06-29
URL: WS-2021-0172
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2021-06-29
Fix Resolution (org.springframework:spring-web): 5.1.0.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.1.0.RELEASE
Fix Resolution (org.springframework:spring-web): 5.1.0.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-webflux): 2.1.0.RELEASE
Fix Resolution (org.springframework:spring-web): 5.1.0.RELEASE
Direct dependency fix Resolution (org.springframework:spring-webflux): 5.1.0.RELEASE
⛑️ Automatic Remediation is available for this issue
The text was updated successfully, but these errors were encountered: