CVE-2019-17563 (High) detected in multiple libraries - autoclosed

## CVE-2019-17563 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - tomcat-embed-core-7.0.0.jar, tomcat-embed-core-7.0.37.jar, tomcat-embed-core-8.5.35.jar, tomcat-embed-core-8.5.34.jar</summary>


<details><summary>tomcat-embed-core-7.0.0.jar</summary>

Core Tomcat implementation
Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/lambda-testing/lambda-testing.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar,/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.0/a5d50d1a993f78091f62d1b4afcd553fe7295ebb/tomcat-embed-core-7.0.0.jar


Dependency Hierarchy:
 - :x: **tomcat-embed-core-7.0.0.jar** (Vulnerable Library)
</details>
<details><summary>tomcat-embed-core-7.0.37.jar</summary>

Core Tomcat implementation
Library home page: <a href="http://tomcat.apache.org/">http://tomcat.apache.org/</a>
Path to dependency file: /dd-java-agent/instrumentation/jsp-2.3/jsp-2.3.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/7.0.37/13754cedeae4b94451b4563111fad71dab9ae619/tomcat-embed-core-7.0.37.jar


Dependency Hierarchy:
 - :x: **tomcat-embed-core-7.0.37.jar** (Vulnerable Library)
</details>
<details><summary>tomcat-embed-core-8.5.35.jar</summary>

Core Tomcat implementation
Path to dependency file: /dd-smoke-tests/springboot/springboot.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.35/9c459829e1aa72669203dbbf6648dc3b6314644c/tomcat-embed-core-8.5.35.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.35/9c459829e1aa72669203dbbf6648dc3b6314644c/tomcat-embed-core-8.5.35.jar


Dependency Hierarchy:
 - spring-boot-starter-web-1.5.18.RELEASE.jar (Root Library)
 - spring-boot-starter-tomcat-1.5.18.RELEASE.jar
 - :x: **tomcat-embed-core-8.5.35.jar** (Vulnerable Library)
</details>
<details><summary>tomcat-embed-core-8.5.34.jar</summary>

Core Tomcat implementation
Library home page: <a href="https://tomcat.apache.org/">https://tomcat.apache.org/</a>
Path to dependency file: /dd-java-agent/instrumentation/spring-webmvc-3.1/spring-webmvc-3.1.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/8.5.34/a038040d68a90397f95dd1e11b979fe364a5000f/tomcat-embed-core-8.5.34.jar


Dependency Hierarchy:
 - spring-boot-starter-web-1.5.17.RELEASE.jar (Root Library)
 - spring-boot-starter-tomcat-1.5.17.RELEASE.jar
 - :x: **tomcat-embed-core-8.5.34.jar** (Vulnerable Library)
</details>

Found in HEAD commit: <a href="https://github.com/KDWSS/dd-trace-java/commit/2819174635979a19573ec0ce8e3e2b63a3848079">2819174635979a19573ec0ce8e3e2b63a3848079</a>
Found in base branch: master

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Publish Date: 2019-12-23
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2019-17563>CVE-2019-17563</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: High
 - Privileges Required: None
 - User Interaction: Required
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: High
 - Integrity Impact: High
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563</a>
Release Date: 2019-12-23
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.50
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASEFix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.50
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE


</details>


***
:rescue_worker_helmet: Automatic Remediation is available for this issue

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2019-17563 (High) detected in multiple libraries - autoclosed #123

CVE-2019-17563 - High Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2019-17563 (High) detected in multiple libraries - autoclosed #123

Description

CVE-2019-17563 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions