owasp.suppressions.xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
<suppress until="2024-05-03Z">
<notes>
<![CDATA[file name: jackson-databind-2.13.5.jar]]>
This vulnerability can cause an OOM error when trying to serialize an object that contains cyclic
dependencies. This is not a legitimate attack vector since the object must be crafted in memory by the
application itself; this can only arise as a result of developer error and would be caught by automated
testing.
</notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<cve>CVE-2023-35116</cve>
</suppress>
<suppress until="2024-05-03Z">
<notes>
<![CDATA[file name: spring-web-5.3.27.jar]]>
This vulnerability relates to parsing untrusted URLs using UriComponentsBuilder. All URLs that we parse
come from trusted sources.
</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
<vulnerabilityName>CVE-2024-22243</vulnerabilityName>
</suppress>
<suppress until="2024-05-03Z">
<notes>
<![CDATA[file name: spring-security-core-5.8.5.jar]]>
We do not use the method in which the vulnerability exists, AuthenticatedVoter#vote.
</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security.*$</packageUrl>
<vulnerabilityName>CVE-2024-22257</vulnerabilityName>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: spring-security-crypto-5.7.3.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
The method with the vulnerability is deprecated now, but not removed yet, and we do not use it.
https://github.com/spring-projects/spring-security/issues/8980
</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl>
<vulnerabilityName>CVE-2020-5408</vulnerabilityName>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: spring-web-5.3.22.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
The vulnerability is on Spring HTTP Invoker, and it is deprecated by Spring, but not removed yet.
It is not used in our code base and seen as a JVM deserialization issue rather than a Spring one by the Spring team.
It doesn't look like it will be addressed any time soon, and since we don't use it, it is suppressed as well.
https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker
https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525
</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring\-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: snakeyaml-1.33.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability is on Snakeyaml's Constructor class, where the advice is to use Snakeyaml's SafeConstructor class instead.
Spring Boot already uses Snakeyaml's SafeConstructor class, and the content of the parsed yaml (application.yml)
is considered trusted.
https://github.com/spring-projects/spring-boot/issues/33457
</notes>
<packageUrl regex="true">^pkg:maven/org\.yaml/snakeyaml@.*$</packageUrl>
<vulnerabilityName>CVE-2022-1471</vulnerabilityName>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: ion-java-1.0.2.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability is a potential denial-of-service attack for applications that use ion-java to deserialize
data encoded using the Ion encoding.
We do not use the Ion format anywhere in this application; this library is only included as a transitive
dependency of the AWS SDK.
</notes>
<packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
<cve>CVE-2024-21634</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: logback-classic-1.2.12.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This is a serialization vulnerability in logback-receiver. We do not use receivers or have any remote
appenders, so we are not subject to this vulnerability.
</notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback.*$</packageUrl>
<cve>CVE-2023-6378</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: logback-classic-1.2.12.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This is a serialization vulnerability in logback-receiver. We do not use receivers or have any remote
appenders, so we are not subject to this vulnerability.
</notes>
<packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback.*$</packageUrl>
<cve>CVE-2023-6481</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: mysql-connector-j-8.0.33.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability relies on the cooperation of an internal attacker to allow an external actor to take
over a MySQL connection. Any internal attacker with the access required to take part in such an attack
could already do much more significant damage without involving an external actor, making this point moot.
</notes>
<packageUrl regex="true">^pkg:maven/com\.mysql/mysql\-connector\-j@.*$</packageUrl>
<cve>CVE-2023-22102</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: netty-buffer-4.1.92.Final.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This is the well-documented HTTP/2 Rapid Reset attack. Mitigations exist within AWS Shield to detect and
defend against this attack. Even so, the attack would be available only to someone with access to ERO
credentials and significant technical expertise and resource. Given all of the above, the risk of this
attack vector being exploitable is very low.
</notes>
<packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: tomcat-embed-core-9.0.75.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This is the well-documented HTTP/2 Rapid Reset attack. Mitigations exist within AWS Shield to detect and
defend against this attack. Even so, the attack would be available only to someone with access to ERO
credentials and significant technical expertise and resource. Given all of the above, the risk of this
attack vector being exploitable is very low.
</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat.*$</packageUrl>
<cve>CVE-2023-44487</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: reactor-netty-core-1.0.32.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability relates to Reactor Netty's integration with Micrometer, which we do not use.
</notes>
<packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor\-netty.*$</packageUrl>
<cve>CVE-2023-34054</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: reactor-netty-core-1.0.32.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability only applies to Reactor Netty servers which are configured to serve static resources.
We do not serve static resources. Besides, valid requests are limited to configured API Gateway endpoints.
</notes>
<packageUrl regex="true">^pkg:maven/io\.projectreactor\.netty/reactor\-netty.*$</packageUrl>
<cve>CVE-2023-34062</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: spring-boot-2.7.12.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability has in fact been revoked; perhaps the scanner is not up-to-date.
https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-6091929
</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring\-boot.*$</packageUrl>
<cve>CVE-2023-34055</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: spring-security-config-5.8.5.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability relates to a configuration file having overly lax permissions in the server's
filesystem. There are no known exploits taking advantage of this fact.
</notes>
<packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security.*$</packageUrl>
<cve>CVE-2023-34042</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: tomcat-embed-core-9.0.75.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability is a potential request smuggling attack when a Tomcat server sits behind a reverse
proxy. It is caused by improper validation on HTTP trailer headers. This is mitigated in our architecture
by only allowing specific headers through API Gateway.
</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed.*$</packageUrl>
<cve>CVE-2023-46589</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: tomcat-embed-core-9.0.75.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability only affects servers which use FORM authentication on the default web application. We do
not use FORM authentication.
</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed.*$</packageUrl>
<cve>CVE-2023-41080</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: tomcat-embed-core-9.0.75.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability only affects Windows servers; our servers run in Linux containers.
</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed.*$</packageUrl>
<cve>CVE-2023-42794</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: tomcat-embed-core-9.0.75.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
A bug in Tomcat may sometimes lead to data leaking between requests. This does not appear to be deliberately
exploitable by an attacker.
</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed.*$</packageUrl>
<cve>CVE-2023-42795</cve>
</suppress>
<suppress until="2024-09-21Z">
<notes>
<![CDATA[file name: tomcat-embed-core-9.0.75.jar]]>
This report will be fixed by an upgrade to Spring Boot 3.
This vulnerability is a potential request smuggling attack when a Tomcat server sits behind a reverse
proxy. It is caused by improper validation on HTTP trailer headers. This is mitigated in our architecture
by only allowing specific headers through API Gateway.
</notes>
<packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed.*$</packageUrl>
<cve>CVE-2023-45648</cve>
</suppress>
</suppressions>
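Every suppression above carries an `until` date (2024-05-03Z or 2024-09-21Z); once that date passes, dependency-check reports the finding again, so a file like this needs periodic review. The script below is an added example, not part of the project, that audits a suppression file in this format for expired entries, entries with no expiry, and entries with empty justification notes; the sample XML inside it is constructed for the demonstration.

```python
"""Audit an OWASP dependency-check suppression file for stale or unjustified entries."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample in the page's format (not the project's real file): one entry
# with an expiry date, one open-ended entry with an empty justification.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2024-09-21Z">
    <notes>This report will be fixed by an upgrade to Spring Boot 3.</notes>
    <packageUrl regex="true">^pkg:maven/org\\.apache\\.tomcat\\.embed/tomcat\\-embed.*$</packageUrl>
    <cve>CVE-2023-46589</cve>
  </suppress>
  <suppress>
    <notes></notes>
    <packageUrl regex="true">^pkg:maven/io\\.netty/netty.*$</packageUrl>
    <vulnerabilityName>CVE-2023-44487</vulnerabilityName>
  </suppress>
</suppressions>
"""


def parse_until(value):
    # The schema's xs:date permits a trailing zone designator, e.g. "2024-09-21Z".
    return dt.date.fromisoformat(value.rstrip("Z"))


def audit(xml_text, today):
    """Return (vulnerability id, finding) pairs, one per problem detected."""
    root = ET.fromstring(xml_text)
    findings = []
    for sup in root.findall("s:suppress", NS):
        # A suppression identifies its target by <cve> or by <vulnerabilityName>.
        ident = sup.findtext("s:cve", None, NS) or sup.findtext("s:vulnerabilityName", "?", NS)
        notes = (sup.findtext("s:notes", "", NS) or "").strip()
        until = sup.get("until")
        if not notes:
            findings.append((ident, "no justification recorded in <notes>"))
        if until is None:
            findings.append((ident, "no 'until' date: suppression never expires"))
        elif parse_until(until) < today:
            findings.append((ident, f"expired on {until}: finding will be reported again"))
    return findings


if __name__ == "__main__":
    for ident, finding in audit(SAMPLE, dt.date.today()):
        print(f"{ident}: {finding}")
```

To run it against the real file, replace `SAMPLE` with the contents of owasp.suppressions.xml read from disk.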