CVE-2023-24998 (High) detected in tomcat-embed-core-9.0.37.jar, tomcat-embed-core-8.5.15.jar

[mend-for-github-com]

CVE-2023-24998 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-9.0.37.jar, tomcat-embed-core-8.5.15.jar

tomcat-embed-core-9.0.37.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /poweriq-worker/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.37/tomcat-embed-core-9.0.37.jar

Dependency Hierarchy:

• ❌ tomcat-embed-core-9.0.37.jar (Vulnerable Library)

tomcat-embed-core-8.5.15.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /operation-expert/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar

Dependency Hierarchy:

• spring-boot-starter-hateoas-1.4.7.RELEASE.jar (Root Library)
  • spring-boot-starter-web-1.4.7.RELEASE.jar
    • spring-boot-starter-tomcat-1.4.7.RELEASE.jar
      • ❌ tomcat-embed-core-8.5.15.jar (Vulnerable Library)

Found in HEAD commit: dd01a1d4381c7a3b94ba25748c015a094c33088e

Found in base branch: master

Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.71

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-hateoas): 1.5.0.RELEASE

---

⛑️ Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.