WS-2016-7112 - Medium Severity Vulnerability
Vulnerable Libraries - spring-context-4.1.6.RELEASE.jar, spring-context-3.1.0.RELEASE.jar, spring-context-4.2.7.RELEASE.jar, spring-context-4.0.3.RELEASE.jar, spring-context-4.2.5.RELEASE.jar, spring-context-4.0.9.RELEASE.jar, spring-context-3.2.8.RELEASE.jar, spring-context-4.2.4.RELEASE.jar, spring-context-3.0.5.RELEASE.jar, spring-context-4.1.9.RELEASE.jar
spring-context-4.1.6.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-smoke-tests/play-2.4/play-2.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.1.6.RELEASE/15f0b22bf89ed468badbc4eec759af2b916d33e4/spring-context-4.1.6.RELEASE.jar
Dependency Hierarchy:
- play-java-ws_2.11-2.4.11.jar (Root Library)
- play-java_2.11-2.4.11.jar
- ❌ spring-context-4.1.6.RELEASE.jar (Vulnerable Library)
spring-context-3.1.0.RELEASE.jar
Spring Framework Parent
Path to dependency file: /dd-java-agent/instrumentation/spring-webmvc-3.1/spring-webmvc-3.1.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/3.1.0.RELEASE/d36e9ab580dccc8311704bc11f2434f230bdec28/spring-context-3.1.0.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/3.1.0.RELEASE/d36e9ab580dccc8311704bc11f2434f230bdec28/spring-context-3.1.0.RELEASE.jar
Dependency Hierarchy:
- spring-jms-3.1.0.RELEASE.jar (Root Library)
- ❌ spring-context-3.1.0.RELEASE.jar (Vulnerable Library)
spring-context-4.2.7.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-smoke-tests/play-2.5/play-2.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.2.7.RELEASE/289f2906943827d37de89240dbac8fe4b315a838/spring-context-4.2.7.RELEASE.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.2.7.RELEASE/289f2906943827d37de89240dbac8fe4b315a838/spring-context-4.2.7.RELEASE.jar
Dependency Hierarchy:
- play-java-ws_2.11-2.5.19.jar (Root Library)
- play-java_2.11-2.5.19.jar
- ❌ spring-context-4.2.7.RELEASE.jar (Vulnerable Library)
spring-context-4.0.3.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/play-2.3/play-2.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.0.3.RELEASE/782a71a312dc307fa531023aa66247b9b4a109d/spring-context-4.0.3.RELEASE.jar
Dependency Hierarchy:
- play-java_2.11-2.3.9.jar (Root Library)
- ❌ spring-context-4.0.3.RELEASE.jar (Vulnerable Library)
spring-context-4.2.5.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/transport-2/transport-2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.2.5.RELEASE/a75e18322c7b362fe1daa26a245ae672ec0f3138/spring-context-4.2.5.RELEASE.jar
Dependency Hierarchy:
- spring-data-elasticsearch-2.0.0.RELEASE.jar (Root Library)
- ❌ spring-context-4.2.5.RELEASE.jar (Vulnerable Library)
spring-context-4.0.9.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/spring-data-1.8/spring-data-1.8.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.0.9.RELEASE/13015a0ff2a9bed4686a0f1d8d85a2ae57034e3a/spring-context-4.0.9.RELEASE.jar
Dependency Hierarchy:
- spring-data-jpa-1.8.0.RELEASE.jar (Root Library)
- ❌ spring-context-4.0.9.RELEASE.jar (Vulnerable Library)
spring-context-3.2.8.RELEASE.jar
Spring Context
Library home page: https://github.com/SpringSource/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/hibernate/core-4.3/core-4.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/3.2.8.RELEASE/7edfc6e4283b549504793682cab1f8c37d9f1890/spring-context-3.2.8.RELEASE.jar
Dependency Hierarchy:
- spring-data-jpa-1.5.1.RELEASE.jar (Root Library)
- ❌ spring-context-3.2.8.RELEASE.jar (Vulnerable Library)
spring-context-4.2.4.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.2.4.RELEASE/23cd0109e4eafc5629547e3680b0c4031e82efdd/spring-context-4.2.4.RELEASE.jar
Dependency Hierarchy:
- play-java_2.11-2.5.0.jar (Root Library)
- ❌ spring-context-4.2.4.RELEASE.jar (Vulnerable Library)
spring-context-3.0.5.RELEASE.jar
Spring Framework Parent
Path to dependency file: /dd-java-agent/instrumentation/rabbitmq-amqp-2.7/rabbitmq-amqp-2.7.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/3.0.5.RELEASE/6b05e397566cc7750d2d25f81a7441fe1aeecb75/spring-context-3.0.5.RELEASE.jar
Dependency Hierarchy:
- spring-rabbit-1.1.0.RELEASE.jar (Root Library)
- spring-tx-3.0.5.RELEASE.jar
- ❌ spring-context-3.0.5.RELEASE.jar (Vulnerable Library)
spring-context-4.1.9.RELEASE.jar
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /dd-java-agent/instrumentation/couchbase-2.0/couchbase-2.0.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/4.1.9.RELEASE/dc298a04dacbab233c7eceee06b04f69d363404/spring-context-4.1.9.RELEASE.jar
Dependency Hierarchy:
- spring-data-couchbase-2.0.0.RELEASE.jar (Root Library)
- ❌ spring-context-4.1.9.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
Spring Framework versions 3.0.0.RELEASE through 3.2.17.RELEASE, 4.0.0.RELEASE through 4.2.7.RELEASE and 4.3.0.RELEASE through 4.3.1.RELEASE are vulnerable to a Stack-based Buffer Overflow, which allows an authenticated attacker to crash the application by giving CronSequenceGenerator a reversed range in the “minutes” or “hours” fields.
Publish Date: 2021-09-23
URL: WS-2016-7112
CVSS 3 Score Details (4.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2016-07-14
Fix Resolution (org.springframework:spring-context): 3.2.18.RELEASE
Direct dependency fix Resolution (org.springframework:spring-jms): 3.2.18.RELEASE
Fix Resolution (org.springframework:spring-context): 4.2.8.RELEASE
Direct dependency fix Resolution (com.typesafe.play:play-java_2.11): 2.3.10
Fix Resolution (org.springframework:spring-context): 4.2.8.RELEASE
Direct dependency fix Resolution (org.springframework.data:spring-data-elasticsearch): 2.0.3.RELEASE
Fix Resolution (org.springframework:spring-context): 4.2.8.RELEASE
Direct dependency fix Resolution (org.springframework.data:spring-data-jpa): 1.10.3.RELEASE
Fix Resolution (org.springframework:spring-context): 3.2.18.RELEASE
Direct dependency fix Resolution (org.springframework.data:spring-data-jpa): 1.7.0.RELEASE
Fix Resolution (org.springframework:spring-context): 4.2.8.RELEASE
Direct dependency fix Resolution (com.typesafe.play:play-java_2.11): 2.6.0
Fix Resolution (org.springframework:spring-context): 3.2.18.RELEASE
Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 1.4.0.RELEASE
Fix Resolution (org.springframework:spring-context): 4.2.8.RELEASE
Direct dependency fix Resolution (org.springframework.data:spring-data-couchbase): 2.1.3.RELEASE
⛑️ Automatic Remediation is available for this issue