AISAST SCA Report

org.postgresql:postgresql 42.2.5

1 Critical3 High2 Medium1 Low 7 CVEs

▼

CVE-2024-1597 CRITICAL CVSS: 10.0 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.2.28
CVE ID	CVE-2024-1597
CVSS Score	10.0
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-1597
Description	org.postgresql:postgresql vulnerable to SQL Injection via line comment generation

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.2.28

CVE-2020-13692 HIGH CVSS: 7.7 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.2.13
CVE ID	CVE-2020-13692
CVSS Score	7.7
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-13692
Description	Improper Restriction of XML External Entity Reference

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.2.13

CVE-2022-31197 HIGH CVSS: 7.1 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.2.26
CVE ID	CVE-2022-31197
CVSS Score	7.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-31197
Description	PostgreSQL JDBC Driver SQL Injection in ResultSet.refreshRow() with malicious column names

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.2.26

CVE-2022-21724 HIGH CVSS: 7.0 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.2.25
CVE ID	CVE-2022-21724
CVSS Score	7.0
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-21724
Description	pgjdbc Does Not Check Class Instantiation when providing Plugin Classes

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.2.25

CVE-2022-41946 MEDIUM CVSS: 4.7 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.2.27
CVE ID	CVE-2022-41946
CVSS Score	4.7
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-41946
Description	TemporaryFolder on unix-like systems does not limit access to created files

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.2.27

GHSA-673j-qm5f-xpv8 MEDIUM CVSS: 5.0 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.3.3
CVE ID	GHSA-673j-qm5f-xpv8
CVSS Score	5.0
CVSS Vector
NVD Link	N/A
Description	pgjdbc Arbitrary File Write Vulnerability

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.3.3

CVE-2022-26520 LOW CVSS: 2.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.postgresql:postgresql
Version	42.2.5
Fixed In	42.3.3
CVE ID	CVE-2022-26520
CVSS Score	2.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-26520
Description	Path traversal in org.postgresql:postgresql

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:32

SOURCEorg.postgresql:postgresql:42.2.5 declared

src/main/java/com/scalesec/vulnado/Postgres.java:18

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/Postgres.java:16

FLOWuses org.postgresql:postgresql

src/main/java/com/scalesec/vulnado/User.java:43

SINKuses org.postgresql:postgresql

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Comment.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/Postgres.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/User.java

✅ Fix

Upgrade org.postgresql:postgresql to version 42.3.3

org.springframework.boot:spring-boot-starter-web 2.1.2.RELEASE

1 Critical 1 CVE

▼

CVE-2022-22965 CRITICAL CVSS: 9.8 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework.boot:spring-boot-starter-web
Version	2.1.2.RELEASE
Fixed In	2.5.12
CVE ID	CVE-2022-22965
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Description	Remote Code Execution in Spring Framework

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework.boot:spring-boot-starter-web:2.1.2.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework.boot:spring-boot-starter-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework.boot:spring-boot-starter-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework.boot:spring-boot-starter-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework.boot:spring-boot-starter-web to version 2.5.12

org.springframework:spring-web 5.1.4.RELEASE

1 Critical3 High2 Medium 6 CVEs

▼

CVE-2016-1000027 CRITICAL CVSS: 9.8 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-web
Version	5.1.4.RELEASE
Fixed In	6.0.0
CVE ID	CVE-2016-1000027
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
Description	Pivotal Spring Framework contains unsafe Java deserialization methods

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-web:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-web to version 6.0.0

CVE-2024-22262 HIGH CVSS: 8.1 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-web
Version	5.1.4.RELEASE
Fixed In	5.3.34
CVE ID	CVE-2024-22262
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-22262
Description	Spring Framework URL Parsing with Host Validation

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-web:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-web to version 5.3.34

CVE-2024-22243 HIGH CVSS: 8.1 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-web
Version	5.1.4.RELEASE
Fixed In	5.3.32
CVE ID	CVE-2024-22243
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-22243
Description	Spring Web vulnerable to Open Redirect or Server Side Request Forgery

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-web:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-web to version 5.3.32

CVE-2024-22259 HIGH CVSS: 8.1 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-web
Version	5.1.4.RELEASE
Fixed In	5.3.33
CVE ID	CVE-2024-22259
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-22259
Description	Spring Framework URL Parsing with Host Validation Vulnerability

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-web:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-web to version 5.3.33

CVE-2024-38809 MEDIUM CVSS: 5.3 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-web
Version	5.1.4.RELEASE
Fixed In	5.3.38
CVE ID	CVE-2024-38809
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-38809
Description	Spring Framework DoS via conditional HTTP request

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-web:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-web to version 5.3.38

CVE-2024-38820 MEDIUM CVSS: 5.3 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-web
Version	5.1.4.RELEASE
Fixed In	6.1.14
CVE ID	CVE-2024-38820
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-38820
Description	Spring Framework DataBinder Case Sensitive Match Exception

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-web:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-web

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-web

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-web

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-web to version 6.1.14

org.springframework:spring-beans 5.1.4.RELEASE

1 Critical1 High 2 CVEs

▼

CVE-2022-22965 CRITICAL CVSS: 9.8 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-beans
Version	5.1.4.RELEASE
Fixed In	5.2.20.RELEASE
CVE ID	CVE-2022-22965
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Description	Remote Code Execution in Spring Framework

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-beans:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-beans

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-beans

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-beans

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-beans to version 5.2.20.RELEASE

CVE-2022-22970 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-beans
Version	5.1.4.RELEASE
Fixed In	5.3.20
CVE ID	CVE-2022-22970
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-22970
Description	Denial of service in Spring Framework

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-beans:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-beans

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-beans

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-beans

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-beans to version 5.3.20

org.springframework:spring-webmvc 5.1.4.RELEASE

1 Critical2 High 3 CVEs

▼

CVE-2022-22965 CRITICAL CVSS: 9.8 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-webmvc
Version	5.1.4.RELEASE
Fixed In	5.2.20.RELEASE
CVE ID	CVE-2022-22965
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-22965
Description	Remote Code Execution in Spring Framework

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-webmvc:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-webmvc

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-webmvc

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-webmvc

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-webmvc to version 5.2.20.RELEASE

CVE-2020-5398 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-webmvc
Version	5.1.4.RELEASE
Fixed In	5.0.16.RELEASE
CVE ID	CVE-2020-5398
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-5398
Description	RFD attack via Content-Disposition header sourced from request input by Spring MVC or Spring WebFlux Application

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-webmvc:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-webmvc

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-webmvc

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-webmvc

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-webmvc to version 5.0.16.RELEASE

CVE-2024-38819 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-webmvc
Version	5.1.4.RELEASE
Fixed In	6.1.14
CVE ID	CVE-2024-38819
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-38819
Description	Spring Framework Path Traversal vulnerability

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-webmvc:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-webmvc

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-webmvc

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-webmvc

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-webmvc to version 6.1.14

org.apache.tomcat.embed:tomcat-embed-core 9.0.14

3 Critical16 High8 Medium2 Low 29 CVEs

▼

CVE-2024-50379 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.98
CVE ID	CVE-2024-50379
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-50379
Description	Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98

CVE-2025-24813 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.99
CVE ID	CVE-2025-24813
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Description	Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.99

CVE-2020-1938 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.100
CVE ID	CVE-2020-1938
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Description	Improper Privilege Management in Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.100

CVE-2024-56337 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.98
CVE ID	CVE-2024-56337
CVSS Score	7.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-56337
Description	Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98

CVE-2024-24549 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.86
CVE ID	CVE-2024-24549
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-24549
Description	Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.86

CVE-2019-0232 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.94
CVE ID	CVE-2019-0232
CVSS Score	8.1
CVSS Vector	`CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-0232
Description	Apache Tomcat OS Command Injection vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.94

CVE-2019-17563 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.99
CVE ID	CVE-2019-17563
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-17563
Description	In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.99

CVE-2023-46589 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	8.5.96
CVE ID	CVE-2023-46589
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-46589
Description	Apache Tomcat Improper Input Validation vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96

CVE-2025-48989 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.108
CVE ID	CVE-2025-48989
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-48989
Description	Apache Tomcat Improper Resource Shutdown or Release vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.108

CVE-2025-48988 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.106
CVE ID	CVE-2025-48988
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-48988
Description	Apache Tomcat - DoS in multipart upload

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106

CVE-2023-24998 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	10.1.5
CVE ID	CVE-2023-24998
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-24998
Description	Apache Commons FileUpload denial of service vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.1.5

CVE-2019-12418 HIGH CVSS: 7.0 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.99
CVE ID	CVE-2019-12418
CVSS Score	7.0
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-12418
Description	Insufficiently Protected Credentials in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.99

CVE-2021-25122 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	8.5.63
CVE ID	CVE-2021-25122
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-25122
Description	Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.63

CVE-2021-25329 HIGH CVSS: 7.0 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.108
CVE ID	CVE-2021-25329
CVSS Score	7.0
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-25329
Description	Potential remote code execution in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.108

CVE-2022-42252 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	8.5.83
CVE ID	CVE-2022-42252
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-42252
Description	Apache Tomcat may reject request containing invalid Content-Length header

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.83

CVE-2019-10072 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	8.5.41
CVE ID	CVE-2019-10072
CVSS Score	7.5
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-10072
Description	Improper Locking in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.41

CVE-2019-0199 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	8.5.38
CVE ID	CVE-2019-0199
CVSS Score	7.5
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-0199
Description	Apache Tomcat Denial of Service vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.38

CVE-2024-34750 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	11.0.0-M21
CVE ID	CVE-2024-34750
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-34750
Description	Apache Tomcat - Denial of Service

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 11.0.0-M21

CVE-2025-55752 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.109
CVE ID	CVE-2025-55752
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-55752
Description	Apache Tomcat Vulnerable to Relative Path Traversal

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.109

CVE-2021-24122 MEDIUM CVSS: 5.9 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	8.5.60
CVE ID	CVE-2021-24122
CVSS Score	5.9
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-24122
Description	Information Disclosure in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.60

CVE-2023-42795 MEDIUM CVSS: 5.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	10.1.14
CVE ID	CVE-2023-42795
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-42795
Description	Apache Tomcat Incomplete Cleanup vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.1.14

CVE-2019-0221 MEDIUM CVSS: 6.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.94
CVE ID	CVE-2019-0221
CVSS Score	6.1
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-0221
Description	Cross-site scripting in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.94

CVE-2023-41080 MEDIUM CVSS: 6.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	10.1.13
CVE ID	CVE-2023-41080
CVSS Score	6.1
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-41080
Description	Apache Tomcat Open Redirect vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.1.13

CVE-2023-44487 MEDIUM CVSS: 5.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	10.1.14
CVE ID	CVE-2023-44487
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-44487
Description	HTTP/2 Stream Cancellation Attack

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.1.14

CVE-2020-1935 MEDIUM CVSS: 4.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	7.0.100
CVE ID	CVE-2020-1935
CVSS Score	4.8
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-1935
Description	Potential HTTP request smuggling in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.100

CVE-2023-45648 MEDIUM CVSS: 5.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	10.1.14
CVE ID	CVE-2023-45648
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-45648
Description	Apache Tomcat Improper Input Validation vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.1.14

CVE-2025-49125 MEDIUM CVSS: 5.0 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.106
CVE ID	CVE-2025-49125
CVSS Score	5.0
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-49125
Description	Apache Tomcat - Security constraint bypass for pre/post-resources

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106

CVE-2025-46701 LOW CVSS: 2.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.105
CVE ID	CVE-2025-46701
CVSS Score	2.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-46701
Description	Apache Tomcat - CGI security constraint bypass

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.105

CVE-2025-61795 LOW CVSS: 2.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-core
Version	9.0.14
Fixed In	9.0.110
CVE ID	CVE-2025-61795
CVSS Score	2.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-61795
Description	Apache Tomcat Vulnerable to Improper Resource Shutdown or Release

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.110

com.fasterxml.jackson.core:jackson-databind 2.9.8

12 Critical39 High2 Medium 53 CVEs

▼

CVE-2020-8840 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.4
CVE ID	CVE-2020-8840
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-8840
Description	Deserialization of Untrusted Data in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4

CVE-2020-9546 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-9546
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-9546
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2019-14379 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.7.9.6
CVE ID	CVE-2019-14379
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-14379
Description	Deserialization of untrusted data in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.7.9.6

CVE-2019-16335 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-16335
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-16335
Description	Polymorphic Typing issue in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2019-17267 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.8.11.5
CVE ID	CVE-2019-17267
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-17267
Description	Improper Input Validation in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.8.11.5

CVE-2019-16943 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-16943
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-16943
Description	jackson-databind polymorphic typing issue

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2019-17531 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-17531
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-17531
Description	jackson-databind polymorphic typing issue

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2019-20330 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.4
CVE ID	CVE-2019-20330
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-20330
Description	Deserialization of Untrusted Data in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4

CVE-2019-14540 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-14540
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-14540
Description	Polymorphic Typing issue in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2019-16942 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-16942
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-16942
Description	Polymorphic Typing in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2020-9548 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.7.9.7
CVE ID	CVE-2020-9548
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-9548
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.7.9.7

CVE-2020-9547 CRITICAL CVSS: 9.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.7.9.7
CVE ID	CVE-2020-9547
CVSS Score	9.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-9547
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.7.9.7

CVE-2020-11619 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-11619
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-11619
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-25649 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.4
CVE ID	CVE-2020-25649
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-25649
Description	XML External Entity (XXE) Injection in Jackson Databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4

CVE-2020-36518 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.12.6.1
CVE ID	CVE-2020-36518
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36518
Description	Deeply nested json in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.6.1

CVE-2020-11112 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-11112
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-11112
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2021-20190 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2021-20190
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-20190
Description	Deserialization of untrusted data in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-35728 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-35728
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-35728
Description	Serialization gadget exploit in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2019-12086 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-12086
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-12086
Description	Information exposure in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2020-10969 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-10969
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-10969
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-36182 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36182
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36182
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-36180 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36180
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36180
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-36185 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-36185
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36185
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2020-10672 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-10672
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-10672
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-36179 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36179
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36179
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-36183 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36183
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36183
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-11113 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-11113
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-11113
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-14062 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.5
CVE ID	CVE-2020-14062
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-14062
Description	Deserialization of untrusted data in Jackson Databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.5

CVE-2020-14061 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.5
CVE ID	CVE-2020-14061
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-14061
Description	Deserialization of untrusted data in Jackson Databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.5

CVE-2019-14892 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-14892
CVSS Score	7.5
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-14892
Description	Polymorphic deserialization of malicious object in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2020-36181 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36181
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36181
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-36188 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36188
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36188
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-10673 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.4
CVE ID	CVE-2020-10673
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-10673
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4

CVE-2019-14439 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-14439
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-14439
Description	Deserialization of untrusted data in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2020-24616 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.6
CVE ID	CVE-2020-24616
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-24616
Description	Code Injection in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.6

CVE-2020-11620 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-11620
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-11620
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-14060 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.5
CVE ID	CVE-2020-14060
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-14060
Description	Deserialization of untrusted data in Jackson Databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.5

CVE-2022-42003 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.12.7.1
CVE ID	CVE-2022-42003
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-42003
Description	Uncontrolled Resource Consumption in Jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.7.1

CVE-2020-36184 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-36184
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36184
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2020-14195 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.5
CVE ID	CVE-2020-14195
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-14195
Description	Deserialization of untrusted data in Jackson Databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.5

CVE-2020-24750 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-24750
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-24750
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2019-14893 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10
CVE ID	CVE-2019-14893
CVSS Score	7.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-14893
Description	Polymorphic deserialization of malicious object in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10

CVE-2020-35491 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-35491
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-35491
Description	Serialization gadgets exploit in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2020-36187 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-36187
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36187
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2020-10968 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-10968
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-10968
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2022-42004 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.12.7.1
CVE ID	CVE-2022-42004
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-42004
Description	Uncontrolled Resource Consumption in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.12.7.1

CVE-2020-10650 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-10650
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-10650
Description	jackson-databind vulnerable to unsafe deserialization

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-11111 HIGH CVSS: 8.8 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.4
CVE ID	CVE-2020-11111
CVSS Score	8.8
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-11111
Description	jackson-databind mishandles the interaction between serialization gadgets and typing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.4

CVE-2020-36186 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-36186
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36186
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2020-36189 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.5
CVE ID	CVE-2020-36189
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-36189
Description	Unsafe Deserialization in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.5

CVE-2020-35490 HIGH CVSS: 8.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.9.10.8
CVE ID	CVE-2020-35490
CVSS Score	8.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-35490
Description	Serialization gadgets exploit in jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.9.10.8

CVE-2019-12814 MEDIUM CVSS: 5.9 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-12814
CVSS Score	5.9
CVSS Vector	`CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-12814
Description	Deserialization of untrusted data in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

CVE-2019-12384 MEDIUM CVSS: 5.9 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-databind
Version	2.9.8
Fixed In	2.6.7.3
CVE ID	CVE-2019-12384
CVSS Score	5.9
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-12384
Description	Deserialization of Untrusted Data in FasterXML jackson-databind

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.3

org.jsoup:jsoup 1.8.3

1 High1 Medium 2 CVEs

▼

CVE-2021-37714 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.jsoup:jsoup
Version	1.8.3
Fixed In	1.14.2
CVE ID	CVE-2021-37714
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-37714
Description	Uncaught Exception in jsoup

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:39

SOURCEorg.jsoup:jsoup:1.8.3 declared

src/main/java/com/scalesec/vulnado/LinkLister.java:3

FLOWuses org.jsoup:jsoup

src/main/java/com/scalesec/vulnado/LinkLister.java:4

FLOWuses org.jsoup:jsoup

src/main/java/com/scalesec/vulnado/LinkLister.java:5

SINKuses org.jsoup:jsoup

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinkLister.java

✅ Fix

Upgrade org.jsoup:jsoup to version 1.14.2

CVE-2022-36033 MEDIUM CVSS: 6.1 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.jsoup:jsoup
Version	1.8.3
Fixed In	1.15.3
CVE ID	CVE-2022-36033
CVSS Score	6.1
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-36033
Description	jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:39

SOURCEorg.jsoup:jsoup:1.8.3 declared

src/main/java/com/scalesec/vulnado/LinkLister.java:3

FLOWuses org.jsoup:jsoup

src/main/java/com/scalesec/vulnado/LinkLister.java:4

FLOWuses org.jsoup:jsoup

src/main/java/com/scalesec/vulnado/LinkLister.java:5

SINKuses org.jsoup:jsoup

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinkLister.java

✅ Fix

Upgrade org.jsoup:jsoup to version 1.15.3

org.springframework.boot:spring-boot 2.1.2.RELEASE

2 High 2 CVEs

▼

CVE-2022-27772 HIGH CVSS: 7.8 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework.boot:spring-boot
Version	2.1.2.RELEASE
Fixed In	2.2.11.RELEASE
CVE ID	CVE-2022-27772
CVSS Score	7.8
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-27772
Description	Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework.boot:spring-boot:2.1.2.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework.boot:spring-boot

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework.boot:spring-boot

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework.boot:spring-boot

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework.boot:spring-boot to version 2.2.11.RELEASE

CVE-2025-22235 HIGH CVSS: 7.3 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework.boot:spring-boot
Version	2.1.2.RELEASE
Fixed In	3.3.11
CVE ID	CVE-2025-22235
CVSS Score	7.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-22235
Description	Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework.boot:spring-boot:2.1.2.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework.boot:spring-boot

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework.boot:spring-boot

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework.boot:spring-boot

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework.boot:spring-boot to version 3.3.11

org.springframework:spring-context 5.1.4.RELEASE

1 High1 Medium1 Low 3 CVEs

▼

CVE-2022-22968 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-context
Version	5.1.4.RELEASE
Fixed In	5.2.21.RELEASE
CVE ID	CVE-2022-22968
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-22968
Description	Improper handling of case sensitivity in Spring Framework

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-context:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-context

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-context

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-context

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-context to version 5.2.21.RELEASE

CVE-2024-38820 MEDIUM CVSS: 5.3 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-context
Version	5.1.4.RELEASE
Fixed In	6.1.14
CVE ID	CVE-2024-38820
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-38820
Description	Spring Framework DataBinder Case Sensitive Match Exception

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-context:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-context

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-context

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-context

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-context to version 6.1.14

CVE-2025-22233 LOW CVSS: 3.1 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-context
Version	5.1.4.RELEASE
Fixed In	6.1.20
CVE ID	CVE-2025-22233
CVSS Score	3.1
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-22233
Description	Spring Framework DataBinder Case Sensitive Match Exception

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-context:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-context

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-context

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-context

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-context to version 6.1.20

org.springframework.boot:spring-boot-autoconfigure 2.1.2.RELEASE

1 High 1 CVE

▼

CVE-2023-20883 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework.boot:spring-boot-autoconfigure
Version	2.1.2.RELEASE
Fixed In	2.5.15
CVE ID	CVE-2023-20883
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-20883
Description	Spring Boot Welcome Page Denial of Service

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework.boot:spring-boot-autoconfigure:2.1.2.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework.boot:spring-boot-autoconfigure

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework.boot:spring-boot-autoconfigure

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework.boot:spring-boot-autoconfigure

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework.boot:spring-boot-autoconfigure to version 2.5.15

org.springframework:spring-expression 5.1.4.RELEASE

1 High3 Medium 4 CVEs

▼

CVE-2023-20863 HIGH CVSS: 7.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-expression
Version	5.1.4.RELEASE
Fixed In	5.3.27
CVE ID	CVE-2023-20863
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-20863
Description	Spring Framework vulnerable to denial of service

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-expression:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-expression

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-expression

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-expression

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-expression to version 5.3.27

CVE-2022-22950 MEDIUM CVSS: 6.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-expression
Version	5.1.4.RELEASE
Fixed In	5.2.20.RELEASE
CVE ID	CVE-2022-22950
CVSS Score	6.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-22950
Description	Allocation of Resources Without Limits or Throttling in Spring Framework

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-expression:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-expression

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-expression

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-expression

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-expression to version 5.2.20.RELEASE

CVE-2023-20861 MEDIUM CVSS: 6.5 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-expression
Version	5.1.4.RELEASE
Fixed In	6.0.7
CVE ID	CVE-2023-20861
CVSS Score	6.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-20861
Description	Spring Framework vulnerable to denial of service via specially crafted SpEL expression

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-expression:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-expression

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-expression

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-expression

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-expression to version 6.0.7

CVE-2024-38808 MEDIUM CVSS: 4.3 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	org.springframework:spring-expression
Version	5.1.4.RELEASE
Fixed In	5.3.39
CVE ID	CVE-2024-38808
CVSS Score	4.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-38808
Description	Spring Framework vulnerable to Denial of Service

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEorg.springframework:spring-expression:5.1.4.RELEASE declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:5

FLOWuses org.springframework:spring-expression

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:6

FLOWuses org.springframework:spring-expression

src/main/java/com/scalesec/vulnado/LinksController.java:3

SINKuses org.springframework:spring-expression

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/VulnadoApplication.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LinksController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/LoginController.java
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/main/java/com/scalesec/vulnado/CowController.java

✅ Fix

Upgrade org.springframework:spring-expression to version 5.3.39

ch.qos.logback:logback-classic 1.2.3

1 High 1 CVE

▼

CVE-2023-6378 HIGH CVSS: 7.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	ch.qos.logback:logback-classic
Version	1.2.3
Fixed In	1.2.13
CVE ID	CVE-2023-6378
CVSS Score	7.1
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-6378
Description	logback serialization vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade ch.qos.logback:logback-classic to version 1.2.13

ch.qos.logback:logback-core 1.2.3

1 High3 Medium1 Low 5 CVEs

▼

CVE-2023-6378 HIGH CVSS: 7.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	ch.qos.logback:logback-core
Version	1.2.3
Fixed In	1.2.13
CVE ID	CVE-2023-6378
CVSS Score	7.1
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-6378
Description	logback serialization vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade ch.qos.logback:logback-core to version 1.2.13

CVE-2025-11226 MEDIUM CVSS: 5.0 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	ch.qos.logback:logback-core
Version	1.2.3
Fixed In	1.3.16
CVE ID	CVE-2025-11226
CVSS Score	5.0
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-11226
Description	QOS.CH logback-core is vulnerable to Arbitrary Code Execution through file processing

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade ch.qos.logback:logback-core to version 1.3.16

CVE-2021-42550 MEDIUM CVSS: 6.6 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	ch.qos.logback:logback-core
Version	1.2.3
Fixed In	1.2.9
CVE ID	CVE-2021-42550
CVSS Score	6.6
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-42550
Description	Deserialization of Untrusted Data in logback

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade ch.qos.logback:logback-core to version 1.2.9

CVE-2024-12798 MEDIUM CVSS: 5.0 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	ch.qos.logback:logback-core
Version	1.2.3
Fixed In	1.3.15
CVE ID	CVE-2024-12798
CVSS Score	5.0
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-12798
Description	QOS.CH logback-core Expression Language Injection vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade ch.qos.logback:logback-core to version 1.3.15

CVE-2024-12801 LOW CVSS: 2.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	ch.qos.logback:logback-core
Version	1.2.3
Fixed In	1.3.15
CVE ID	CVE-2024-12801
CVSS Score	2.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-12801
Description	QOS.CH logback-core Server-Side Request Forgery vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade ch.qos.logback:logback-core to version 1.3.15

org.yaml:snakeyaml 1.23

3 High5 Medium 8 CVEs

▼

CVE-2022-25857 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.31
CVE ID	CVE-2022-25857
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-25857
Description	Uncontrolled Resource Consumption in snakeyaml

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.31

CVE-2022-1471 HIGH CVSS: 8.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	2.0
CVE ID	CVE-2022-1471
CVSS Score	8.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Description	SnakeYaml Constructor Deserialization Remote Code Execution

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 2.0

CVE-2017-18640 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.26
CVE ID	CVE-2017-18640
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2017-18640
Description	SnakeYAML Entity Expansion during load operation

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.26

CVE-2022-38751 MEDIUM CVSS: 6.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.31
CVE ID	CVE-2022-38751
CVSS Score	6.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-38751
Description	snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.31

CVE-2022-38752 MEDIUM CVSS: 6.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.32
CVE ID	CVE-2022-38752
CVSS Score	6.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-38752
Description	snakeYAML before 1.32 vulnerable to Denial of Service due to Out-of-bounds Write

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.32

CVE-2022-38749 MEDIUM CVSS: 6.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.31
CVE ID	CVE-2022-38749
CVSS Score	6.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-38749
Description	snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.31

CVE-2022-38750 MEDIUM CVSS: 5.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.31
CVE ID	CVE-2022-38750
CVSS Score	5.5
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-38750
Description	snakeYAML before 1.31 vulnerable to Denial of Service due to Out-of-bounds Write

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.31

CVE-2022-41854 MEDIUM CVSS: 6.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.yaml:snakeyaml
Version	1.23
Fixed In	1.32
CVE ID	CVE-2022-41854
CVSS Score	6.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2022-41854
Description	Snakeyaml vulnerable to Stack overflow leading to denial of service

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.yaml:snakeyaml to version 1.32

org.hibernate.validator:hibernate-validator 6.0.14.Final

1 High3 Medium 4 CVEs

▼

CVE-2025-35036 HIGH CVSS: 7.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.hibernate.validator:hibernate-validator
Version	6.0.14.Final
Fixed In	6.2.0.CR1
CVE ID	CVE-2025-35036
CVSS Score	7.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-35036
Description	Hibernate Validator may interpolate user-supplied input in a constraint violation message with Expression Language

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.hibernate.validator:hibernate-validator to version 6.2.0.CR1

CVE-2019-10219 MEDIUM CVSS: 6.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.hibernate.validator:hibernate-validator
Version	6.0.14.Final
Fixed In	6.0.18.Final
CVE ID	CVE-2019-10219
CVSS Score	6.5
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2019-10219
Description	The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.hibernate.validator:hibernate-validator to version 6.0.18.Final

CVE-2020-10693 MEDIUM CVSS: 5.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.hibernate.validator:hibernate-validator
Version	6.0.14.Final
Fixed In	6.0.20.Final
CVE ID	CVE-2020-10693
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-10693
Description	Improper Input Validation in Hibernate Validator

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.hibernate.validator:hibernate-validator to version 6.0.20.Final

CVE-2023-1932 MEDIUM CVSS: 6.1 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.hibernate.validator:hibernate-validator
Version	6.0.14.Final
Fixed In	6.2.0.Final
CVE ID	CVE-2023-1932
CVSS Score	6.1
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-1932
Description	hibernate-validator Cross-site Scripting vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.hibernate.validator:hibernate-validator to version 6.2.0.Final

net.minidev:json-smart 2.3

1 High1 Medium 2 CVEs

▼

CVE-2023-1370 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	net.minidev:json-smart
Version	2.3
Fixed In	2.4.9
CVE ID	CVE-2023-1370
CVSS Score	7.5
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-1370
Description	json-smart Uncontrolled Recursion vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade net.minidev:json-smart to version 2.4.9

CVE-2021-27568 MEDIUM CVSS: 5.9 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	net.minidev:json-smart
Version	2.3
Fixed In	1.3.2
CVE ID	CVE-2021-27568
CVSS Score	5.9
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2021-27568
Description	Improper Check for Unusual or Exceptional Conditions in json-smart

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade net.minidev:json-smart to version 1.3.2

com.fasterxml.jackson.core:jackson-core 2.9.8

1 High1 Medium 2 CVEs

▼

CVE-2025-52999 HIGH CVSS: 7.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-core
Version	2.9.8
Fixed In	2.15.0
CVE ID	CVE-2025-52999
CVSS Score	7.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-52999
Description	jackson-core can throw a StackoverflowError when processing deeply nested data

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.15.0

CVE-2025-49128 MEDIUM CVSS: 4.0 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.fasterxml.jackson.core:jackson-core
Version	2.9.8
Fixed In	2.13.0
CVE ID	CVE-2025-49128
CVSS Score	4.0
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2025-49128
Description	Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.13.0

junit:junit 4.12

1 Medium 1 CVE

▼

CVE-2020-15250 MEDIUM CVSS: 4.4 🔥 IN USE - RISK

📊 Vulnerability Details

Field	Value
Package	junit:junit
Version	4.12
Fixed In	4.13.1
CVE ID	CVE-2020-15250
CVSS Score	4.4
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2020-15250
Description	TemporaryFolder on unix-like systems does not limit access to created files

🔀 Reachability Path

/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/pom.xml:0

SOURCEjunit:junit:4.12 declared

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:3

FLOWuses junit:junit

src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java:4

SINKuses junit:junit

📁 Files Importing

📄 Files using this package
/Users/jyothi/Projects/SAST/uploads/tmp1wypk62q/src/test/java/com/scalesec/vulnado/VulnadoApplicationTests.java

✅ Fix

Upgrade junit:junit to version 4.13.1

org.apache.tomcat.embed:tomcat-embed-websocket 9.0.14

1 Medium 1 CVE

▼

CVE-2024-23672 MEDIUM CVSS: 6.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.apache.tomcat.embed:tomcat-embed-websocket
Version	9.0.14
Fixed In	9.0.86
CVE ID	CVE-2024-23672
CVSS Score	6.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-23672
Description	Denial of Service via incomplete cleanup vulnerability in Apache Tomcat

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.apache.tomcat.embed:tomcat-embed-websocket to version 9.0.86

com.jayway.jsonpath:json-path 2.4.0

1 Medium 1 CVE

▼

CVE-2023-51074 MEDIUM CVSS: 5.3 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	com.jayway.jsonpath:json-path
Version	2.4.0
Fixed In	2.9.0
CVE ID	CVE-2023-51074
CVSS Score	5.3
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2023-51074
Description	json-path Out-of-bounds Write vulnerability

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade com.jayway.jsonpath:json-path to version 2.9.0

org.xmlunit:xmlunit-core 2.6.2

1 Low 1 CVE

▼

CVE-2024-31573 LOW CVSS: 2.5 NOT USED IN CODE

📊 Vulnerability Details

Field	Value
Package	org.xmlunit:xmlunit-core
Version	2.6.2
Fixed In	2.10.0
CVE ID	CVE-2024-31573
CVSS Score	2.5
CVSS Vector
NVD Link	https://nvd.nist.gov/vuln/detail/CVE-2024-31573
Description	XMLUnit for Java has Insecure Defaults when Processing XSLT Stylesheets

🔀 Reachability Path

No path data

SINKRequires manual verification

📁 Files Importing

📄 Files using this package

✅ Fix

Upgrade org.xmlunit:xmlunit-core to version 2.10.0