Giters

hygieia / hygieia-publisher-jenkins-plugin

Jenkins Plugin to publish build and pipeline data to Hygieia

Home Page:https://github.com/Hygieia/Hygieia/blob/gh-pages/pages/hygieia/hygieia-jenkins-plugin/hygieia-jenkins-plugin.md

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

WS-2016-7107 (Medium) detected in spring-security-web-4.2.13.RELEASE.jar

mend-bolt-for-github opened this issue · comments

commented

WS-2016-7107 - Medium Severity Vulnerability

Vulnerable Library - spring-security-web-4.2.13.RELEASE.jar

spring-security-web

Library home page: https://spring.io/spring-security

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/4.2.13.RELEASE/spring-security-web-4.2.13.RELEASE.jar

Dependency Hierarchy:

  • core-3.14.17.jar (Root Library)
    • spring-boot-starter-security-1.5.22.RELEASE.jar
      • spring-security-web-4.2.13.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 97ed2b7fe477b78f0b26191e5950825314db7b2c

Found in base branch: master

Vulnerability Details

CSRF tokens in Spring Security are vulnerable to a breach attack. Spring Security always returns the same CSRF token to the browser.

Publish Date: 2016-08-02

URL: WS-2016-7107

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2016-7107

Release Date: 2016-08-02

Fix Resolution (org.springframework.security:spring-security-web): 5.2.14.RELEASE

Direct dependency fix Resolution (com.capitalone.dashboard:core): 4.0.1

Step up your Open Source Security Game with Mend here