Skip to content

Comments

Vulnerability fix (powered by Mobb Autofixer)#9

Open
eitanMobb wants to merge 2 commits intomainfrom
Mobb-fix-41387-1
Open

Vulnerability fix (powered by Mobb Autofixer)#9
eitanMobb wants to merge 2 commits intomainfrom
Mobb-fix-41387-1

Conversation

@eitanMobb
Copy link
Owner

@eitanMobb eitanMobb commented May 21, 2024

Fix for issues done with the help of Mobb

@eitanMobb
Copy link
Owner Author

eitanMobb commented May 21, 2024

Logo
Checkmarx One – Scan Summary & Details94563542-a949-4d4d-b50c-9583ca1d09b4

New Issues

Severity Issue Source File / Package Checkmarx Insight
HIGH CVE-2013-7285 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2016-10707 Npm-jquery-2.1.4 Vulnerable Package
HIGH CVE-2016-10707 Npm-jquery-1.10.2 Vulnerable Package
HIGH CVE-2016-3674 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2017-7957 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2020-26217 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2020-26258 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21341 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21342 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21343 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21344 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21345 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21346 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21347 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21348 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21349 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21350 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-21351 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-29505 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39139 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39141 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39144 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39145 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39146 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39147 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39148 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39149 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39150 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39151 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39152 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39153 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-39154 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2021-43859 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-1471 Maven-org.yaml:snakeyaml-1.33 Vulnerable Package
HIGH CVE-2022-40152 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2022-41966 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
HIGH CVE-2023-24998 Maven-commons-fileupload:commons-fileupload-1.4 Vulnerable Package
HIGH CVE-2023-34053 Maven-org.springframework:spring-web-6.0.13 Vulnerable Package
HIGH CVE-2023-38286 Maven-org.thymeleaf:thymeleaf-3.1.1.RELEASE Vulnerable Package
HIGH CVE-2023-51775 Maven-org.bitbucket.b_c:jose4j-0.9.3 Vulnerable Package
HIGH CVE-2023-52428 Maven-com.nimbusds:nimbus-jose-jwt-9.24.4 Vulnerable Package
HIGH CVE-2023-5379 Maven-io.undertow:undertow-core-2.3.10.Final Vulnerable Package
HIGH CVE-2023-5685 Maven-org.jboss.xnio:xnio-api-3.8.8.Final Vulnerable Package
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-core-1.4.11 Vulnerable Package
HIGH CVE-2023-6378 Maven-ch.qos.logback:logback-classic-1.4.11 Vulnerable Package
HIGH CVE-2023-6481 Maven-ch.qos.logback:logback-core-1.4.11 Vulnerable Package
HIGH CVE-2024-22201 Maven-org.eclipse.jetty.http2:http2-common-11.0.17 Vulnerable Package
HIGH CVE-2024-22234 Maven-org.springframework.security:spring-security-web-6.1.5 Vulnerable Package
HIGH CVE-2024-22234 Maven-org.springframework.security:spring-security-oauth2-client-6.1.5 Vulnerable Package
HIGH CVE-2024-22234 Maven-org.springframework.security:spring-security-core-6.1.5 Vulnerable Package
HIGH CVE-2024-22243 Maven-org.springframework:spring-web-6.0.13 Vulnerable Package
HIGH CVE-2024-22257 Maven-org.springframework.security:spring-security-core-6.1.5 Vulnerable Package
HIGH CVE-2024-22259 Maven-org.springframework:spring-web-6.0.13 Vulnerable Package
HIGH CVE-2024-22262 Maven-org.springframework:spring-web-6.0.13 Vulnerable Package
HIGH CVE-2024-31573 Maven-org.xmlunit:xmlunit-core-2.9.1 Vulnerable Package
HIGH Missing User Instruction /Dockerfile_desktop: [1](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile_desktop# L1) A user should be specified in the dockerfile, otherwise the image will run as root
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile_desktop: [12](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile_desktop# L12) When installing a package, its pin version should be defined
MEDIUM Apt Get Install Pin Version Not Defined /Dockerfile_desktop: [12](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile_desktop# L12) When installing a package, its pin version should be defined
MEDIUM CVE-2007-2379 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2007-2379 Npm-jquery-3.4.1 Vulnerable Package
MEDIUM CVE-2007-2379 Maven-org.webjars:jquery-3.7.0 Vulnerable Package
MEDIUM CVE-2007-2379 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2014-6071 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2014-6071 Maven-org.webjars:jquery-3.7.0 Vulnerable Package
MEDIUM CVE-2014-6071 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2014-6071 Npm-jquery-3.4.1 Vulnerable Package
MEDIUM CVE-2015-9251 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2015-9251 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2016-7103 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2019-11358 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2019-11358 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-3.4.1 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2020-11022 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-2.1.4 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-3.4.1 Vulnerable Package
MEDIUM CVE-2020-11023 Npm-jquery-1.10.2 Vulnerable Package
MEDIUM CVE-2020-26259 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
MEDIUM CVE-2021-39140 Maven-com.thoughtworks.xstream:xstream-1.4.5 Vulnerable Package
MEDIUM CVE-2021-41182 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2021-41183 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2021-41184 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2022-31160 Npm-jquery-ui-1.10.4 Vulnerable Package
MEDIUM CVE-2023-34055 Maven-org.springframework.boot:spring-boot-3.1.5 Vulnerable Package
MEDIUM CVE-2023-41329 Maven-com.github.tomakehurst:wiremock-3.0.0-beta-2 Vulnerable Package
MEDIUM CVE-2023-51074 Maven-com.jayway.jsonpath:json-path-2.8.0 Vulnerable Package
MEDIUM CVE-2024-1459 Maven-io.undertow:undertow-core-2.3.10.Final Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-1.10.2 Vulnerable Package
MEDIUM Cxf0b588a3-5c6f Npm-jquery-2.1.4 Vulnerable Package
LOW APT-GET Missing '-y' To Avoid Manual Input /Dockerfile_desktop: [12](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile_desktop# L12) Check if apt-get calls use the flag -y to avoid user manual input.
LOW Chown Flag Exists /Dockerfile: [12](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile# L12) It is considered a best practice for every executable in a container to be owned by the root user even if it is executed by a non-root user, only e...
LOW Healthcheck Instruction Missing /Dockerfile_desktop: [1](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile_desktop# L1) Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
LOW Healthcheck Instruction Missing /Dockerfile: [1](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//Dockerfile# L1) Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
LOW Unpinned Actions Full Length Commit SHA /release.yml: [43](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L43) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [77](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L77) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [137](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L137) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /test.yml: [45](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/test.yml# L45) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /pre-commit.yaml: [26](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/pre-commit.yaml# L26) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /test.yml: [64](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/test.yml# L64) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /test.yml: [56](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/test.yml# L56) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [104](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L104) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [145](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L145) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [82](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L82) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [85](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L85) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /release.yml: [91](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/release.yml# L91) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
LOW Unpinned Actions Full Length Commit SHA /pre-commit.yaml: [28](https://github.com/eitanMobb/WebGoat/blob/Mobb-fix-41387-1//.github/workflows/pre-commit.yaml# L28) Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@eitanMobb