Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Upgrade: com.fasterxml.jackson.core:jackson-databind, org.apache.logging.log4j:log4j-core, org.springframework:spring-core #4

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Snyk] Upgrade: com.fasterxml.jackson.core:jackson-databind, org.apache.logging.log4j:log4j-core, org.springframework:spring-core #4

wants to merge 1 commit into from

Conversation

karencapiiro
Copy link

snyk-top-banner

Snyk has created this PR to upgrade multiple dependencies.

👯‍♂ The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name Versions Released on

com.fasterxml.jackson.core:jackson-databind
from 2.12.4 to 2.17.2 | 41 versions ahead of your current version | 2 months ago
on 2024-07-05
org.apache.logging.log4j:log4j-core
from 2.14.0 to 2.23.1 | 15 versions ahead of your current version | 6 months ago
on 2024-03-06
org.springframework:spring-core
from 5.3.0 to 5.3.39 | 39 versions ahead of your current version | a month ago
on 2024-08-14

Issues fixed by the recommended upgrade:

Issue Score Exploit Maturity
high severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244		 134 No Known Exploit
high severity Denial of Service (DoS)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524		 134 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698		 134 No Known Exploit
medium severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424		 134 Proof of Concept
critical severity Remote Code Execution (RCE)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720		 134 Mature
critical severity Remote Code Execution (RCE)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014		 134 Mature
high severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538		 134 No Known Exploit
medium severity Arbitrary Code Execution
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339		 134 Proof of Concept
medium severity Denial of Service (DoS)
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426		 134 Proof of Concept
medium severity Improper Output Neutralization for Logs
SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097		 134 No Known Exploit
medium severity Improper Input Validation
SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878		 134 No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade multiple dependencies with Snyk
66247ce 
Snyk has created this PR to upgrade:
  - com.fasterxml.jackson.core:jackson-databind from 2.12.4 to 2.17.2.
    See this package in maven: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/
  - org.apache.logging.log4j:log4j-core from 2.14.0 to 2.23.1.
    See this package in maven: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/
  - org.springframework:spring-core from 5.3.0 to 5.3.39.
    See this package in maven: https://mvnrepository.com/artifact/org.springframework/spring-core/

See this project in Snyk:
https://app.snyk.io/org/apiiro-snyk/project/4849ce7d-ae80-4020-b605-008462971835?utm_source=github&utm_medium=referral&page=upgrade-pr
@socket-security Socket Security
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
maven/com.fasterxml.jackson.core/jackson-databind@2.17.2 eval, filesystem, network, unsafe Transitive: environment, shell +12 27.3 MB
maven/org.apache.logging.log4j/log4j-core@2.23.1 environment, eval, filesystem, network, unsafe 0 4.19 MB
maven/org.springframework/spring-core@5.3.39 environment, eval, filesystem, network, unsafe +1 3.16 MB
npm/decode-uri-component@0.2.0 None 0 5.71 kB samverschueren
npm/decomment@0.9.5 None 0 21.3 kB vitaly.tomilov
npm/decompress-tar@4.1.1 Transitive: filesystem +3 87.5 kB kevva
npm/decompress-tarbz2@4.1.1 None +1 22.9 kB kevva
npm/decompress-targz@4.1.1 None 0 3.22 kB kevva
npm/decompress-unzip@4.0.1 None 0 4.2 kB kevva
npm/decompress@4.2.1 None 0 8.12 kB sindresorhus

🚮 Removed packages: maven/com.fasterxml.jackson.core/jackson-databind@2.12.4, maven/org.apache.logging.log4j/log4j-core@2.14.0, maven/org.springframework/spring-core@5.3.0

View full report↗︎

@rafikmojr
Copy link
Collaborator

Logo
Checkmarx One – Scan Summary & Detailsb9acd4de-4766-4f87-b81e-92bb376a1c4a

New Issues

Severity Issue Source File / Package Checkmarx Insight
CRITICAL CVE-2024-42005 Python-Django-1.2 Vulnerable Package
CRITICAL Cx9eb96c9b-eb45 Npm-angular-mocks-1.8-1.8.2 Vulnerable Package
CRITICAL Cxcf770dcb-fd21 Npm-angular-1.8-1.8.2 Vulnerable Package
HIGH CVE-2024-27351 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-29180 Npm-webpack-dev-middleware-5.2.1 Vulnerable Package
HIGH CVE-2024-29415 Npm-ip-1.1.5 Vulnerable Package
HIGH CVE-2024-37890 Npm-ws-7.5.6 Vulnerable Package
HIGH CVE-2024-37890 Npm-ws-7.4.6 Vulnerable Package
HIGH CVE-2024-37890 Npm-ws-8.2.3 Vulnerable Package
HIGH CVE-2024-37890 Npm-ws-8.3.0 Vulnerable Package
HIGH CVE-2024-38355 Npm-socket.io-4.4.0 Vulnerable Package
HIGH CVE-2024-38875 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-39330 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-39614 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-4068 Npm-braces-2.3.2 Vulnerable Package
HIGH CVE-2024-4068 Npm-braces-3.0.2 Vulnerable Package
HIGH CVE-2024-41989 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-41990 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-41991 Python-Django-1.2 Vulnerable Package
HIGH CVE-2024-45296 Npm-path-to-regexp-1.8.0 Vulnerable Package
HIGH CVE-2024-45296 Npm-path-to-regexp-0.1.7 Vulnerable Package
HIGH CVE-2024-45590 Npm-body-parser-1.19.0 Vulnerable Package
HIGH Cx37f28a21-b2a7 Npm-angular-1.8-1.8.2 Vulnerable Package
HIGH Cx94a5c81d-63b1 Npm-angular-1.8-1.8.2 Vulnerable Package
HIGH Sensitive Port Is Exposed To Entire Network /ec2.tf: 83 A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
HIGH Sensitive Port Is Exposed To Entire Network /ec2.tf: 83 A sensitive port, such as port 23 or port 110, is open for the whole network in either TCP or UDP protocol
MEDIUM CVE-2024-28849 Npm-follow-redirects-1.14.6 Vulnerable Package
MEDIUM CVE-2024-28863 Npm-tar-4.4.19 Vulnerable Package
MEDIUM CVE-2024-28863 Npm-tar-6.1.11 Vulnerable Package
MEDIUM CVE-2024-29041 Npm-express-4.17.1 Vulnerable Package
MEDIUM CVE-2024-37168 Npm-@grpc/grpc-js-1.4.4 Vulnerable Package
MEDIUM CVE-2024-38999 Npm-requirejs-2.3.6 Vulnerable Package
MEDIUM CVE-2024-39329 Python-Django-1.2 Vulnerable Package
MEDIUM CVE-2024-4067 Npm-micromatch-4.0.4 Vulnerable Package
MEDIUM CVE-2024-4067 Npm-micromatch-3.1.10 Vulnerable Package
MEDIUM CVE-2024-43788 Npm-webpack-5.64.1 Vulnerable Package
MEDIUM CVE-2024-43796 Npm-express-4.17.1 Vulnerable Package
MEDIUM CVE-2024-43799 Npm-send-0.17.1 Vulnerable Package
MEDIUM CVE-2024-43800 Npm-serve-static-1.14.1 Vulnerable Package
LOW CVE-2024-4128 Npm-firebase-tools-9.23.1 Vulnerable Package
LOW IAM Access Analyzer Not Enabled /security_center.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /ec2.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /gcs.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /application_gateway.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /networks.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /elb.tf: 2 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /es.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /neptune.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /ecr.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /logging.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /roles.tf: 3 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /kms.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /app_service.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /db-app.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /compartment.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /resource_group.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /networking.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /gke.tf: 6 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /storage.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /instances.tf: 3 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /s3.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /sql.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /rds.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /big_data.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /policies.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /eks.tf: 18 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /lambda.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /bucket.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /instance.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /trail.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /mssql.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /iam.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /random.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /rds.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /key_vault.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
LOW IAM Access Analyzer Not Enabled /aks.tf: 1 IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions

Fixed Issues

Severity Issue Source File / Package
HIGH CVE-2020-36518 Maven-com.fasterxml.jackson.core:jackson-databind-2.12.4
HIGH CVE-2021-44228 Maven-org.apache.logging.log4j:log4j-core-2.14.0
HIGH CVE-2021-45046 Maven-org.apache.logging.log4j:log4j-core-2.14.0
HIGH CVE-2021-46877 Maven-com.fasterxml.jackson.core:jackson-databind-2.12.4
HIGH CVE-2022-42003 Maven-com.fasterxml.jackson.core:jackson-databind-2.12.4
HIGH CVE-2022-42004 Maven-com.fasterxml.jackson.core:jackson-databind-2.12.4
HIGH Cx37f28a21-b2a7 Npm-angular-1.8-1.8.2
HIGH Cx94a5c81d-63b1 Npm-angular-1.8-1.8.2
HIGH Cx9eb96c9b-eb45 Npm-angular-mocks-1.8-1.8.2
HIGH Cxab55612e-3a56 Npm-braces-3.0.2
HIGH Cxab55612e-3a56 Npm-braces-2.3.2
HIGH Cxca84a1c2-1f12 Npm-micromatch-3.1.10
HIGH Cxca84a1c2-1f12 Npm-micromatch-4.0.4
HIGH Cxcf770dcb-fd21 Npm-angular-1.8-1.8.2
HIGH S3 Bucket SSE Disabled /ec2.tf: 271
HIGH S3 Bucket SSE Disabled /s3.tf: 89
HIGH S3 Bucket SSE Disabled /s3.tf: 1
HIGH S3 Bucket SSE Disabled /s3.tf: 65
HIGH S3 Bucket SSE Disabled /s3.tf: 42
HIGH S3 Bucket Without Enabled MFA Delete /ec2.tf: 271
HIGH S3 Bucket Without Enabled MFA Delete /s3.tf: 1
HIGH S3 Bucket Without Enabled MFA Delete /s3.tf: 42
MEDIUM CVE-2007-2379 Npm-jquery-3.6.0
MEDIUM CVE-2014-6071 Npm-jquery-3.6.0
MEDIUM CVE-2021-22060 Maven-org.springframework:spring-core-5.3.0
MEDIUM CVE-2021-22096 Maven-org.springframework:spring-core-5.3.0
MEDIUM CVE-2021-44832 Maven-org.apache.logging.log4j:log4j-core-2.14.0
MEDIUM CVE-2021-45105 Maven-org.apache.logging.log4j:log4j-core-2.14.0
MEDIUM CVE-2022-22950 Maven-org.springframework:spring-core-5.3.0
MEDIUM CVE-2022-22970 Maven-org.springframework:spring-core-5.3.0
MEDIUM CVE-2022-22971 Maven-org.springframework:spring-core-5.3.0
MEDIUM Cxced0c06c-935c Maven-com.fasterxml.jackson.core:jackson-databind-2.12.4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@karencapiiro @rafikmojr @snyk-bot