Skip to content

[Snyk] Upgrade org.apache.logging.log4j:log4j-core from 2.1 to 2.19.0#4

Open
nirw wants to merge 1 commit into
masterfrom
snyk-upgrade-c071b83bb86f37bce74d317f0fbd7ade
Open

[Snyk] Upgrade org.apache.logging.log4j:log4j-core from 2.1 to 2.19.0#4
nirw wants to merge 1 commit into
masterfrom
snyk-upgrade-c071b83bb86f37bce74d317f0fbd7ade

Conversation

@nirw

@nirw nirw commented Mar 6, 2023

Copy link
Copy Markdown

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-core from 2.1 to 2.19.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 38 versions ahead of your current version.
  • The recommended version was released 6 months ago, on 2022-09-13.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Arbitrary Code Execution
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339		 651/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.6		 Proof of Concept
Deserialization of Untrusted Data
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409		 651/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.6		 Mature
Man-in-the-Middle (MitM)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761		 651/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.6		 No Known Exploit
Remote Code Execution (RCE)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720		 651/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.6		 Mature
Remote Code Execution (RCE)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014		 651/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.6		 Proof of Concept
Denial of Service (DoS)
SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524		 651/1000
Why? Proof of Concept exploit, Has a fix available, CVSS 6.6		 Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@nirw

nirw commented Mar 6, 2023
edited
Loading

Copy link
Copy Markdown
Author

Logo
Checkmarx One – Scan Summary & Details96eb2938-0b85-489f-9676-70c669c874ff

New Issues

Severity Issue Source File / Package Checkmarx Insight
HIGH CVE-2022-34169 Maven-xalan:xalan-2.7.0 Vulnerable Package
HIGH CVE-2023-24998 Maven-commons-fileupload:commons-fileupload-1.3.1 Vulnerable Package
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/troubles/IntegerOverflowServlet.java: 24 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/troubles/NetworkSocketLeakServlet.java: 27 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/XSSServlet.java: 22 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/troubles/LossOfTrailingDigitsServlet.java: 22 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/troubles/RoundOffErrorServlet.java: 22 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/troubles/TruncationErrorServlet.java: 21 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/performance/CreatingUnnecessaryObjectsServlet.java: 21 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/core/servlets/DefaultLoginServlet.java: 86 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/VerboseErrorMessageServlet.java: 35 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/OpenRedirectServlet.java: 27 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/BruteForceServlet.java: 27 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/dfi/includable.jsp: 28 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/uid/serverinfo.jsp: 25 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/uid/clientinfo.jsp: 24 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/dt/includable.jsp: 24 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/dfi/includable.jsp: 12 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/dt/includable.jsp: 12 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/uid/serverinfo.jsp: 12 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/webapp/uid/clientinfo.jsp: 12 Attack Vector
HIGH Stored_XSS /src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java: 69 Attack Vector
HIGH Stored_XSS /src/main/java/org/t246osslab/easybuggy/troubles/DBConnectionLeakServlet.java: 68 Attack Vector
HIGH Stored_XSS /src/main/java/org/t246osslab/easybuggy/troubles/EndlessWaitingServlet.java: 128 Attack Vector
HIGH Stored_XSS /src/main/java/org/t246osslab/easybuggy/troubles/EndlessWaitingServlet.java: 56 Attack Vector
HIGH Stored_XSS /src/main/java/org/t246osslab/easybuggy/troubles/FileDescriptorLeakServlet.java: 53 Attack Vector
MEDIUM CVE-2012-6153 Maven-commons-httpclient:commons-httpclient-3.1 Vulnerable Package
MEDIUM CVE-2018-1313 Maven-org.apache.derby:derby-10.8.3.0 Vulnerable Package
MEDIUM Cleartext_Submission_of_Sensitive_Information /src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java: 73 Attack Vector
MEDIUM Cleartext_Submission_of_Sensitive_Information /src/main/java/org/t246osslab/easybuggy/troubles/DBConnectionLeakServlet.java: 72 Attack Vector
LOW Heap_Inspection /src/main/java/org/t246osslab/easybuggy/core/utils/ApplicationUtils.java: 44 Attack Vector

Fixed Issues

Severity Issue Source File / Package Checkmarx Insight
HIGH CVE-2017-5645 Maven-org.apache.logging.log4j:log4j-core-2.1 Vulnerable Package
HIGH CVE-2021-44228 Maven-org.apache.logging.log4j:log4j-core-2.1 Vulnerable Package
HIGH CVE-2021-45046 Maven-org.apache.logging.log4j:log4j-core-2.1 Vulnerable Package
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java: 39 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/core/filters/AuthenticationFilter.java: 39 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/core/servlets/DefaultLoginServlet.java: 86 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/VerboseErrorMessageServlet.java: 35 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/OpenRedirectServlet.java: 27 Attack Vector
HIGH Reflected_XSS_All_Clients /src/main/java/org/t246osslab/easybuggy/vulnerabilities/BruteForceServlet.java: 27 Attack Vector
MEDIUM CVE-2021-44832 Maven-org.apache.logging.log4j:log4j-core-2.1 Vulnerable Package
MEDIUM CVE-2021-45105 Maven-org.apache.logging.log4j:log4j-core-2.1 Vulnerable Package
LOW CVE-2020-9488 Maven-org.apache.logging.log4j:log4j-core-2.1 Vulnerable Package

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nirw @snyk-bot