[Snyk] Security upgrade com.google.http-client:google-http-client from 1.42.3 to 1.46.2 #5850

Open

lgrill-pentaho wants to merge 1 commit into master from snyk-fix-6120ff0718f9d44b9547e8701cf7fbe2

Conversation

@lgrill-pentaho

Contributor

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • assemblies/pentaho-war/pom.xml

Vulnerabilities that will be fixed with an upgrade:

| Issue | Score | Upgrade |
|---|---|---|
| Information Exposure (low severity), SNYK-JAVA-COMMONSCODEC-561518, No Known Exploit | 40 | com.google.http-client:google-http-client: 1.42.3 -> 1.46.2 |
| Creation of Temporary File in Directory with Insecure Permissions (low severity), SNYK-JAVA-COMGOOGLEGUAVA-5710356, No Known Exploit | 30 | com.google.http-client:google-http-client: 1.42.3 -> 1.46.2 |

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Creation of Temporary File in Directory with Insecure Permissions

@lgrill-pentaho lgrill-pentaho requested a review from a team as a code owner February 24, 2025 22:45
@hitachivantarasonarqube


Passed

Analysis Details

0 Issues

  • Bug 0 Bugs
  • Vulnerability 0 Vulnerabilities
  • Code Smell 0 Code Smells

Coverage and Duplications

  • Coverage No coverage information (0.00% Estimated after merge)
  • Duplications 0.00% Duplicated Code (21.00% Estimated after merge)

Project ID: pentaho:pentaho-platform-ce-parent

View in SonarQube

@buildguy

Collaborator

✅ Build finished in 11m 20s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
assemblies/pentaho-war

❗ No tests found!

ℹ️ This is an automatic message

@buildguy

buildguy commented Feb 3, 2026

Collaborator

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

| Severity | Direct dependencies | Impacted dependency | Fixed versions | CVEs |
|---|---|---|---|---|
| Critical | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-3711 |
| Critical | org.apache.jackrabbit:jackrabbit-core:2.21.19, pentaho:pentaho-platform-repository:10.3.0.0-SNAPSHOT, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.apache.tika:tika-core 2.4.1 | 3.2.2 | CVE-2025-66516 |
| Critical | org.apache.tomcat:tomcat-catalina:9.0.106, pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT | org.apache.tomcat:tomcat-catalina 9.0.106 | 10.1.45, 11.0.11, 9.0.109 | CVE-2025-55754 |
| Critical | org.springframework:spring-web:5.3.39, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.springframework:spring-web 5.3.39 | 6.0.0 | CVE-2016-1000027 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 8.0.13 | CVE-2018-3258 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 5.1.41 | CVE-2017-3523 |
| High | org.apache.tomcat:tomcat-catalina:9.0.106, pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT | org.apache.tomcat:tomcat-coyote 9.0.106 | 10.1.44, 11.0.10, 9.0.108 | CVE-2025-48989 |
| High | org.apache.tomcat:tomcat-catalina:9.0.106, pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT | org.apache.tomcat:tomcat-coyote 9.0.106 | 10.1.43, 11.0.9, 9.0.107 | CVE-2025-53506 |
| High | pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT, org.apache.tomcat:tomcat-catalina:9.0.106 | org.apache.tomcat:tomcat-util 9.0.106 | 9.0.107 | CVE-2025-52434 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-3712 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-3450 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-3449 |
| High | org.ini4j:ini4j:0.5.4, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.ini4j:ini4j 0.5.4 | - | CVE-2022-41404 |
| High | org.hibernate:hibernate-core:5.4.24.Final, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.hibernate:hibernate-core 5.4.24.Final | - | CVE-2026-0603 |
| High | org.apache.tomcat:tomcat-catalina:9.0.106, pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT | org.apache.tomcat:tomcat-catalina 9.0.106 | 10.1.45, 11.0.11, 9.0.109 | CVE-2025-55752 |
| High | org.springframework:spring-core:5.3.39, pentaho-kettle:kettle-core:10.3.0.0-SNAPSHOT, org.springframework:spring-context-support:5.3.39 | org.springframework:spring-core 5.3.39 | 6.2.11 | CVE-2025-41249 |
| High | org.pentaho:pentaho-hadoop-shims-common-mapreduce:10.3.0.0-SNAPSHOT | io.netty:netty-codec 4.1.118.Final | 4.1.125.Final | CVE-2025-58057 |
| High | com.sun.mail:javax.mail:1.6.1 | com.sun.mail:javax.mail 1.6.1 | - | CVE-2025-7962 |
| High | org.apache.tomcat:tomcat-catalina:9.0.106, pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT | org.apache.tomcat:tomcat-catalina 9.0.106 | 10.1.43, 11.0.9, 9.0.107 | CVE-2025-52520 |
| High | commons-fileupload:commons-fileupload:1.5, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | commons-fileupload:commons-fileupload 1.5 | 1.6.0 | CVE-2025-48976 |
| High | org.apache.kafka:kafka-clients:3.4.0 | org.apache.kafka:kafka-clients 3.4.0 | 3.9.1 | CVE-2025-27817 |
| High | org.hibernate:hibernate-validator:5.4.3.Final, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.hibernate:hibernate-validator 5.4.3.Final | 6.2.0.CR1, 7.0.0.CR1 | CVE-2025-35036 |
| High | org.springframework.security:spring-security-crypto:5.8.16, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.springframework.security:spring-security-crypto 5.8.16 | 5.7.16, 5.8.18, 6.0.16, 6.1.14, 6.2.10, 6.3.8, 6.4.4 | CVE-2025-22228 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2020-1967 |
| High | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2023-22102 |
| Medium | org.hibernate:hibernate-validator:5.4.3.Final, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.hibernate:hibernate-validator 5.4.3.Final | 6.0.20.Final, 6.1.5.Final | CVE-2020-10693 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 5.1.49, 8.0.15 | CVE-2020-2875 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 5.1.49, 8.0.21 | CVE-2020-2934 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 5.1.35 | CVE-2015-2575 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 5.1.42 | CVE-2017-3586 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 8.0.16 | CVE-2019-2692 |
| Medium | org.apache.jackrabbit:jackrabbit-jcr-commons:2.21.19, pentaho:pentaho-platform-repository:10.3.0.0-SNAPSHOT, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.apache.jackrabbit:jackrabbit-jcr-commons 2.21.19 | 2.22.2 | CVE-2025-58782 |
| Medium | org.apache.jackrabbit:jackrabbit-core:2.21.19, pentaho:pentaho-platform-repository:10.3.0.0-SNAPSHOT, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.apache.jackrabbit:jackrabbit-core 2.21.19 | 2.22.2 | CVE-2025-58782 |
| Medium | org.apache.poi:poi-ooxml:5.2.5, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.apache.poi:poi-ooxml 5.2.5 | 5.4.0 | CVE-2025-31672 |
| Medium | org.apache.kafka:kafka-clients:3.4.0 | org.apache.kafka:kafka-clients 3.4.0 | 3.7.1 | CVE-2024-31141 |
| Medium | org.hibernate:hibernate-validator:5.4.3.Final, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.hibernate:hibernate-validator 5.4.3.Final | 6.2.0.Final | CVE-2023-1932 |
| Medium | org.springframework:spring-web:5.3.39, pentaho:pentaho-platform-extensions:10.3.0.0-SNAPSHOT | org.springframework:spring-web 5.3.39 | 6.1.14 | CVE-2024-38820 |
| Medium | org.springframework:spring-context:5.3.39, org.springframework:spring-context-support:5.3.39 | org.springframework:spring-context 5.3.39 | 6.1.14 | CVE-2024-38820 |
| Medium | org.gwtproject:gwt-dev:2.10.0, pentaho:pentaho-user-console:10.3.0.0-SNAPSHOT-gwt | org.eclipse.jetty:jetty-http 9.4.57.v20241219 | 12.0.12 | CVE-2024-6763 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2023-21971 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-44531 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-44532 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2021-44533 |
| Medium | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 8.0.28 | CVE-2022-21363 |
| Low | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2020-2933 |
| Low | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | 5.1.42 | CVE-2017-3589 |
| Low | org.apache.tomcat:tomcat-catalina:9.0.106, pentaho:pentaho-tomcat-logs:10.3.0.0-SNAPSHOT | org.apache.tomcat:tomcat-catalina 9.0.106 | 10.1.47, 11.0.12, 9.0.110 | CVE-2025-61795 |
| Low | org.springframework:spring-context:5.3.39, org.springframework:spring-context-support:5.3.39 | org.springframework:spring-context 5.3.39 | 6.1.20, 6.2.7 | CVE-2025-22233 |
| Low | mysql:mysql-connector-java:5.1.17 | mysql:mysql-connector-java 5.1.17 | - | CVE-2022-21824 |

🔬 Research Details

[ CVE-2021-3711 ] mysql:mysql-connector-java 5.1.17

Description:
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

[ CVE-2025-66516 ] org.apache.tika:tika-core 2.4.1

Description:
This CVE fixes the same issue as CVE-2025-54988; however, the fix provided in CVE-2025-54988 was incomplete.

The Apache Tika toolkit detects and extracts metadata and text from over a thousand different file types (such as PPT, XLS, and PDF).

An XML External Entity (XXE) attack occurs when an XML parser, configured to process external entities, processes XML input containing references to external entities that an attacker controls.

An attacker can craft a malicious XFA file (containing the XML) that exploits this to achieve an XXE attack, leading to a potential information disclosure and a denial of service (DoS), by embedding the malicious XML into a PDF file that will be processed by a server which uses Apache Tika.

For example, if it parses an external XML file supplied by the attacker as follows:

```xml
<?xml version="1.0"?>
<!DOCTYPE foo [
  <!ENTITY local_file_content SYSTEM "file://etc/passwd">
]>
<git-manifest>
  <repo name="myproject" path="."/>
  <description>Sensitive info: &local_file_content;</description>
</git-manifest>
```

In this case, the attacker defines an external entity pointing to a local file on the server using the file:// URI scheme, which lets them see the content of a sensitive file directly from the server's local filesystem (assuming the attacker can leak the resulting XML file).

Similarly, the attacker can also achieve a Server-Side Request Forgery (SSRF) by using external entities pointing to internal server resources, and a denial of service (DoS) by leveraging the XML parser's need to expand nested entities recursively in order to exhaust the server's memory.

The vulnerability is within the code that creates a new SAXTransformerFactory instance. The key issue is that the standard newInstance() method that was used sets the default configuration of the underlying Java XML parser, allowing a potential XXE attack.

The fix replaced it with the XMLReaderUtils.getSAXTransformerFactory() method that was added to th...

Remediation:

Development mitigations

Before passing the candidate PDF file to Apache Tika (e.g., tika.parseToString), reject all files that contain the <!ENTITY substring -

```java
// Reject any candidate document that declares a DTD entity before it reaches Tika.
if (pdfRawStr.contains("<!ENTITY")) {
    return ERROR_NO_DTD_ALLOWED;
}
```

[ CVE-2025-55754 ] org.apache.tomcat:tomcat-catalina 9.0.106

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (which is the evolution of the Java EE platform). Tomcat acts as a Java HTTP web application server, although it is not a full JEE application server.
Apache Tomcat offers different logging handlers under JULI, which is a packaged, renamed fork of Apache Commons Logging.

The format() method in the JdkLoggerFormatter and OneLineFormatter classes used by the logging handler does not escape ANSI escape sequences, which may lead to the manipulation of the logging messages displayed on the console or clipboard.

A potential attacker could exploit the vulnerability to trick a user reviewing the logs into running unsafe commands by disguising their malicious instructions as invisible or legitimate Tomcat logging messages. The user would still have to manually run a command in the prompt.

The vulnerability has been proven to be exploitable when running Tomcat on the Windows operating system while reviewing Tomcat logs in a command prompt. Other operating systems have not been proven to be affected.

The vulnerable formatters can be used in one of the following ways:

  1. Directly in code by using java.org.apache.juli.OneLineFormatter or java.org.apache.juli.JdkLoggerFormatter.

  2. Configured as formatters in the logging.properties files usually located in the /conf directory of Apache Tomcat.

  3. Configured inside of the CATALINA_OPTS environmental variable.

[ CVE-2016-1000027 ] org.springframework:spring-web 5.3.39

Description:
Spring-based applications that export service beans as endpoints using classes that extend the RemoteInvocationSerializingExporter class are vulnerable to Java deserialization attacks which could lead to RCE (Remote Code Execution). As of 2016, this vulnerability is still not fixed, as the Pivotal team (the maintainers of the Spring framework) disputed it as a security vulnerability in Spring itself and decided not to issue a fix. Instead, they deprecated HttpInvokerServiceExporter and SimpleHttpInvokerServiceExporter, the potentially vulnerable exporter classes that extend RemoteInvocationSerializingExporter and warned application developers not to use them when exposed to untrusted user input (see "WARNING" in the documentation). Applications that do not use the above classes can safely ignore this vulnerability.

Remediation:

Deployment mitigations

Do not use Java serialization for external endpoints (Do not extend the RemoteInvocationSerializingExporter class)

[ CVE-2018-3258 ] mysql:mysql-connector-java 5.1.17

Description:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

[ CVE-2017-3523 ] mysql:mysql-connector-java 5.1.17

Description:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

[ CVE-2025-48989 ] org.apache.tomcat:tomcat-coyote 9.0.106

Description:
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the MadeYouReset attack.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.

Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

[ CVE-2025-53506 ] org.apache.tomcat:tomcat-coyote 9.0.106

Description:
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

[ CVE-2025-52434 ] org.apache.tomcat:tomcat-util 9.0.106

Description:
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 9.0.107, which fixes the issue.

[ CVE-2021-3712 ] mysql:mysql-connector-java 5.1.17

Description:
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory content...

[ CVE-2021-3450 ] mysql:mysql-connector-java 5.1.17

Description:
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

[ CVE-2021-3449 ] mysql:mysql-connector-java 5.1.17

Description:
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

[ CVE-2022-41404 ] org.ini4j:ini4j 0.5.4

Description:
An issue in the fetch() method in the BasicProfile class of org.ini4j through version v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

[ CVE-2026-0603 ] org.hibernate:hibernate-core 5.4.24.Final

Description:
Hibernate ORM is a powerful object/relational mapping solution for Java, which allows developing persistence logic for applications, libraries, and frameworks.

[ CVE-2025-55752 ] org.apache.tomcat:tomcat-catalina 9.0.106

Description:
Apache Tomcat is an open source implementation of multiple parts of the Jakarta EE platform (which is the evolution of the Java EE platform). Tomcat acts as a Java HTTP web application server, although it is not a full JEE application server.
Apache Tomcat offers the rewrite valve functionality for rewriting URLs on the fly, mapping them to locations in the filesystem or to other URLs.

When the server receives a request by the user for a certain URL, that request is passed to the rewrite rule. The rewritten URL then should, in theory, be properly sanitized and checked - but the logical flaw in Tomcat caused these checks to be bypassed, allowing attackers to send a malicious URL that isn't caught by Tomcat's sanitization.

A server is vulnerable under the following conditions:

  1. The server enables rewrite rules in the server configuration. This means enabling it in the server.xml file as such:

```xml
<Host name="localhost"...>
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
</Host>
```

Or enabling it for a specific webapp in some context.xml file:

```xml
<Context>
  <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
</Context>
```

  2. The server is configured with a vulnerable rewrite rule in rewrite.config. A rule is vulnerable when it allows users to control query parameters, for example -

```
RewriteRule ^/api/(.*)$ /handler.jsp?path=$1
```

(in this case, the path parameter is user-controlled)

Under these conditions, arbitrary file read is possible.

When PUT requests are enabled for the server, exploitation also leads to arbitrary file write, which immediately leads to remote code execution. In this case, an attacker could use the path traversal bug to insert a malicious .jsp file into the server's filesystem, and then use the same path traversal bug to navigate to its URL, which triggers the malicious code.

To enable PUT requests for Tomca...

Remediation:

Development mitigations

Disable rewrite valve if it's not necessary, by removing the relevant:

```xml
<Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
```

from Context or Host.

Development mitigations

Remove vulnerable rewrite rules that make use of query parameters in the output.

[ CVE-2025-41249 ] org.springframework:spring-core 5.3.39

Description:
The Spring Framework is a widely used Java-based application framework that provides infrastructure support for the development of enterprise-level Java applications.
Spring Security's @EnableMethodSecurity is an annotation used to enable method-level security in a Spring application. It allows you to apply security constraints directly on methods (which represent web application endpoints) using annotations such as: @PreAuthorize, @PostAuthorize and more.

The core of the vulnerability lies in how the Spring Framework's MergedAnnotations API resolves annotations on methods within a type hierarchy that uses unresolved generics. For example, if a method with a security annotation is defined in a generic interface or superclass, and its child class or interface doesn't explicitly resolve the generic type, the Spring Framework might fail to detect the annotation.

The most significant impact of this vulnerability is the potential for authorization bypass in applications that use Spring Security's @EnableMethodSecurity feature. If an application's security is based on annotations and methods in a generic class hierarchy, this flaw could cause the security check to be incorrectly skipped.

For example, a developer might place a security annotation like @PreAuthorize on a method within a generic superclass. Due to the vulnerability, a call to the overridden method in a child class could bypass the security check, allowing an unauthorized user to execute the method's logic. This can lead to a denial of service or, in a worst-case scenario, authorization bypass.

Vulnerable code example:

```java
import org.springframework.security.access.prepost.PreAuthorize;

// 1. Generic Superinterface with a security annotation
public interface GenericService<T> {

    @PreAuthorize("hasRole('ADMIN')")
    void performAction(T data);
}

// This class implements the generic interface but leaves the generic type unresolved.
public class ChildService<T> implements GenericService<...
```

**Remediation:**
##### Development mitigations

Do not use security annotations on methods in generic superclasses or generic interfaces. Define the security annotations directly on the child class. Other security annotations are not vulnerable.

</details>

<details>
<summary> <b>[ CVE-2025-58057 ] io.netty:netty-codec 4.1.118.Final</b> </summary>
<br>


**Description:**
[Netty](https://netty.io) is an asynchronous event-driven framework for developing client and server Java applications.

The `netty` framework offers the [io.netty.handler.codec.compression](https://netty.io/4.1/api/io/netty/handler/codec/compression/package-summary.html). This package allows users to encode/decode data using various compression formats.

Among these formats is [brotli](https://github.com/google/brotli). In the implementation of the `BrotliDecoder` class, flawed logic allows unlimited memory allocation when using the `BrotliDecoder.decode` function on untrusted input. This can lead to denial of service.

</details>

<details>
<summary> <b>[ CVE-2025-7962 ] com.sun.mail:javax.mail 1.6.1</b> </summary>
<br>


**Description:**
Jakarta Mail defines a platform-independent and protocol-independent framework to build mail and messaging applications. The API allows sending and receiving emails using standard protocols like SMTP, POP3, and IMAP, supporting both text and multimedia content.
SMTP (Simple Mail Transfer Protocol) is used to send email between clients and servers. It is a text-based protocol that uses simple commands. In the SMTP protocol, CRLF (Carriage Return and Line Feed characters) act as the command separator. 

The vulnerability allows an SMTP Injection where an attacker injects the CRLF sequence into a data field (like an email address) to prematurely terminate the current command and inject new unauthorized SMTP commands, causing the server to relay forged messages.

When the vulnerable Jakarta Mail code gets the recipient address as a Unicode String, it first converts this string into raw ASCII byte stream for the SMTP connection. 

Specifically, the flaw is in the `sendCommand()` function that transmitted the attacker's input to the mail server, with no validation that the conversion to ASCII bytes does not contain the illegal CRLF characters. 

The attacker can use a specific sequence of non-ASCII Unicode characters (e.g. CJK characters) that would get substituted into the ASCII byte codes for the CRLF, and by this also smuggle unauthorized SMTP commands.

The vulnerability is exploitable in any application that uses a vulnerable Jakarta Mail version and allows an attacker to input a string that is then used as a parameter (like a recipient address) in an outgoing email command (e.g. a form in the application where an unauthenticated user can enter an email address for a confirmation or follow-up).

The attacker can provide as input to the application a non-ASCII Unicode string, which the vulnerable library converts into the full injection payload:

1ue@qq.com>\r\nRCPT TO:phising-victim@qq.com\r\nDATA\r\nSubject:PWNED\r\n\r\nHack!\r\n.\r\nQUIT\r\n


The injected CRLF at the beginning of t...

</details>

<details>
<summary> <b>[ CVE-2025-52520 ] org.apache.tomcat:tomcat-catalina 9.0.106</b> </summary>
<br>


**Description:**
[Apache Tomcat](https://tomcat.apache.org/) is an open-source web server and Servlet container for Java code.

Multipart requests are a standard way for web clients to send data to a server when the data consists of multiple distinct parts. It was found that when Tomcat is used with a certain configuration, the `java.org.apache.catalina.connector.Request.parseParts()` method is susceptible to an integer overflow attack due to the `postSize` parameter being limited to an `int`. When Tomcat attempts to calculate the size of the multipart/form-data POST request, `postSize` can surpass the maximum size of an `int`, causing it to wrap around to a negative number, causing a denial of service.

For the vulnerability to be exploitable, multipart configuration must be enabled, which can be done in two ways:

1. Using the `@MultipartConfig` annotation.

2.  Setting `<multipart-config>` element in `web.xml`.

Another condition for the exploitation of the vulnerability is setting the max POST request size to over 2,147,483,647 (the maximum number a signed `int` can hold), which is done via the `maxPostSize` attribute set in the server.xml configuration file. The default `maxPostSize` value is 2MiB (2,097,152), which is safe.

**Remediation:**
##### Deployment mitigations

Limiting the `maxPostSize` attribute in server.xml up to 2,147,483,647 will mitigate the vulnerability.

The default behavior of Apache Tomcat is safe.

</details>

<details>
<summary> <b>[ CVE-2025-48976 ] commons-fileupload:commons-fileupload 1.5</b> </summary>
<br>


**Description:**
[Apache Commons FileUpload](https://commons.apache.org/proper/commons-fileupload/) makes it easy to add robust, high-performance, file upload capability to your servlets and web applications.

If an HTTP request is submitted using the POST method, and with a content type of `multipart/form-data`, then `FileUpload` can parse that request, and make the results available in a manner easily used by the caller.

A denial of service vulnerability was discovered when processing file upload requests. Network attackers could exploit this vulnerability remotely by sending upload requests with many individual multipart headers, which would cause the target web application to crash.
Any web application that accepts arbitrary file upload requests (ex. by calling `ServletFileUpload.parseRequest`) is vulnerable.

**Remediation:**
##### Development mitigations

Explicitly limit the size of the entire file upload request (including all multipart headers) using `ServletFileUpload.setSizeMax` -

```java
ServletFileUpload upload = new ServletFileUpload(factory);
// Cap the whole request, all parts and their headers included, at 100 MiB.
upload.setSizeMax(1024 * 1024 * 100);
```


</details>

<details>
<summary> <b>[ CVE-2025-27817 ] org.apache.kafka:kafka-clients 3.4.0</b> </summary>
<br>


**Description:**
[Apache Kafka](https://kafka.apache.org/documentation/#) is an open-source distributed event streaming platform.

Users can use the `sasl.oauthbearer.token.endpoint.url` and `sasl.oauthbearer.jwks.endpoint.url` variables as part of the Kafka client (consumer) configuration file to indicate the URL where OAuth tokens should be taken from.

Attackers that can control the Kafka Client's configuration file (usually `client.properties`), can modify the `sasl.oauthbearer.token.endpoint.url` and `sasl.oauthbearer.jwks.endpoint.url`  values to use the `file:///` scheme.
Due to insufficient validation, this allows attackers to leak the contents of arbitrary files in the Apache Client's file system through error logs. The issue arises when a file is attempted to be accessed via `file:///` or other unintended protocols. The unexpected content causes an exception to be raised that may reveal the contents of the file.
In addition, similar modifications can allow attackers to force the client to make requests to unintended external servers using the `http:///` or `https:///` protocols.

Mitigation was introduced in version 3.9.1 in the form of the `org.apache.kafka.sasl.oauthbearer.allowed.urls` property. Up to version 4.0.0, it allowed all URLs by default, and since version 4.0.0, the default list of allowed URLs is empty by default.

</details>

<details>
<summary> <b>[ CVE-2025-35036 ] org.hibernate:hibernate-validator 5.4.3.Final</b> </summary>
<br>


**Description:**
[Hibernate Validator](https://hibernate.org/validator/) is the reference implementation of the Jakarta Bean Validation. It allows developers to express and validate application constraints using annotations directly on their Java objects, such as checking for null values, minimum/maximum lengths, valid email formats, or custom validation rules.

An oversight in the implementation of custom error messages for a validation constraint allows a potential attacker to use the custom error messages to inject a malicious expression. When the bean property or method parameter annotated with the constraint is fed with a malicious payload that does not satisfy the constraint, the message interpolator attempts to interpolate the constraint message, triggering the execution of the payload injected as expression language.

Note that the vulnerability is only applicable if the custom constraints were created via the `ConstraintValidatorContext` or `HibernateConstraintValidatorContext` class. Using the `addExpressionVariable()` method will mitigate the vulnerability as it escapes the user input and removes the risk of command injection.

**Remediation:**
##### Development mitigations

Using the `addExpressionVariable()` method will mitigate the vulnerability as it escapes the user input and removes the risk of command injection.

</details>

<details>
<summary> <b>[ CVE-2025-22228 ] org.springframework.security:spring-security-crypto 5.8.16</b> </summary>
<br>


**Description:**
BCryptPasswordEncoder.matches(CharSequence,String) will incorrectly return true for passwords larger than 72 characters as long as the first 72 characters are the same.

</details>

<details>
<summary> <b>[ CVE-2020-1967 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
[OpenSSL](https://openssl.org) is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

OpenSSL's [`SSL_check_chain()`](https://www.openssl.org/docs/man1.1.1/man3/SSL_check_chain.html) function is used to check whether a certificate, a private key and certificate chain are suitable for use with the current session. A NULL pointer dereference vulnerability exists in this function due to incorrect handling of the `signature_algorithms_cert` TLS extension. When an invalid or unrecognized signature algorithm is received by an attacker, a crash occurs, leading to denial of service.

**Remediation:**
##### Development mitigations

`SSL_check_chain` is vulnerable to non existent signature algorithm names. If this function is used in such a way that an untrusted party is able to craft the signatures that should be used in a handshake, it is recommended to remove use of this function. As a result, that handshake would fail at a later stage.

</details>

<details>
<summary> <b>[ CVE-2023-22102 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

</details>

<details>
<summary> <b>[ CVE-2020-10693 ] org.hibernate:hibernate-validator 5.4.3.Final</b> </summary>
<br>


**Description:**
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

</details>

<details>
<summary> <b>[ CVE-2020-2875 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

</details>

<details>
<summary> <b>[ CVE-2020-2934 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

</details>

<details>
<summary> <b>[ CVE-2015-2575 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

</details>

<details>
<summary> <b>[ CVE-2017-3586 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

</details>

<details>
<summary> <b>[ CVE-2019-2692 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

</details>

<details>
<summary> <b>[ CVE-2025-58782 ] org.apache.jackrabbit:jackrabbit-jcr-commons 2.21.19</b> </summary>
<br>


**Description:**
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.
Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URI for JCR lookup.

</details>

<details>
<summary> <b>[ CVE-2025-58782 ] org.apache.jackrabbit:jackrabbit-core 2.21.19</b> </summary>
<br>


**Description:**
Deserialization of Untrusted Data vulnerability in Apache Jackrabbit Core and Apache Jackrabbit JCR Commons.

This issue affects Apache Jackrabbit Core: from 1.0.0 through 2.22.1; Apache Jackrabbit JCR Commons: from 1.0.0 through 2.22.1.

Deployments that accept JNDI URIs for JCR lookup from untrusted users allow them to inject malicious JNDI references, potentially leading to arbitrary code execution through deserialization of untrusted data.
Users are recommended to upgrade to version 2.22.2. JCR lookup through JNDI has been disabled by default in 2.22.2. Users of this feature need to enable it explicitly and are advised to review their use of JNDI URI for JCR lookup.

</details>

<details>
<summary> <b>[ CVE-2025-31672 ] org.apache.poi:poi-ooxml 5.2.5</b> </summary>
<br>


**Description:**
Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry.
This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file.
Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read  https://poi.apache.org/security.html  for recommendations about how to use the POI libraries securely.

</details>

<details>
<summary> <b>[ CVE-2024-31141 ] org.apache.kafka:kafka-clients 3.4.0</b> </summary>
<br>


**Description:**
Files or Directories Accessible to External Parties, Improper Privilege Management vulnerability in Apache Kafka Clients.

Apache Kafka Clients accept configuration data for customizing behavior, and includes ConfigProvider plugins in order to manipulate these configurations. Apache Kafka also provides FileConfigProvider, DirectoryConfigProvider, and EnvVarConfigProvider implementations which include the ability to read from disk or environment variables.
In applications where Apache Kafka Clients configurations can be specified by an untrusted party, attackers may use these ConfigProviders to read arbitrary contents of the disk and environment variables.

In particular, this flaw may be used in Apache Kafka Connect to escalate from REST API access to filesystem/environment access, which may be undesirable in certain environments, including SaaS products.
This issue affects Apache Kafka Clients: from 2.3.0 through 3.5.2, 3.6.2, 3.7.0.


Users with affected applications are recommended to upgrade kafka-clients to version >=3.8.0, and set the JVM system property "org.apache.kafka.automatic.config.providers=none".
Users of Kafka Connect with one of the listed ConfigProvider implementations specified in their worker config are also recommended to add appropriate "allowlist.pattern" and "allowed.paths" to restrict their operation to appropriate bounds.


For users of Kafka Clients or Kafka Connect in environments that trust users with disk and environment variable access, it is not recommended to set the system property.
For users of the Kafka Broker, Kafka MirrorMaker 2.0, Kafka Streams, and Kafka command-line tools, it is not recommended to set the system property.

</details>

<details>
<summary> <b>[ CVE-2023-1932 ] org.hibernate:hibernate-validator 5.4.3.Final</b> </summary>
<br>


**Description:**
A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

</details>

<details>
<summary> <b>[ CVE-2024-38820 ] org.springframework:spring-web 5.3.39</b> </summary>
<br>


**Description:**
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

</details>

<details>
<summary> <b>[ CVE-2024-38820 ] org.springframework:spring-context 5.3.39</b> </summary>
<br>


**Description:**
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.

</details>

<details>
<summary> <b>[ CVE-2024-6763 ] org.eclipse.jetty:jetty-http 9.4.57.v20241219</b> </summary>
<br>


**Description:**
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing.

The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to a SSRF attack if the URI is used after passing validation checks.

</details>

<details>
<summary> <b>[ CVE-2023-21971 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H).

</details>

<details>
<summary> <b>[ CVE-2021-44531 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531 for more details.

</details>

<details>
<summary> <b>[ CVE-2021-44532 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532 for more details.

</details>

<details>
<summary> <b>[ CVE-2021-44533 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533 for more details.

</details>

<details>
<summary> <b>[ CVE-2022-21363 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

</details>

<details>
<summary> <b>[ CVE-2020-2933 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

</details>

<details>
<summary> <b>[ CVE-2017-3589 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

</details>

<details>
<summary> <b>[ CVE-2025-61795 ] org.apache.tomcat:tomcat-catalina 9.0.106</b> </summary>
<br>


**Description:**
Improper Resource Shutdown or Release vulnerability in Apache Tomcat.

If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.



This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.

</details>

<details>
<summary> <b>[ CVE-2025-22233 ] org.springframework:spring-context 5.3.39</b> </summary>
<br>


**Description:**
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.

Affected Spring Products and Versions

Spring Framework:

  * 6.2.0 - 6.2.6
  * 6.1.0 - 6.1.19
  * 6.0.0 - 6.0.27
  * 5.3.0 - 5.3.42
  * Older, unsupported versions are also affected

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

| Affected version(s) | Fix Version | Availability |
|---|---|---|
| 6.2.x | 6.2.7 | OSS |
| 6.1.x | 6.1.20 | OSS |
| 6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/ |
| 5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/ |

No further mitigation steps are necessary.


Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.

For setting binding, prefer the use of allowedFields (an explicit list) over disallowedFields.

Credit

This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.

</details>

<details>
<summary> <b>[ CVE-2022-21824 ] mysql:mysql-connector-java 5.1.17</b> </summary>
<br>


**Description:**
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824 for more details.

</details>

<details>
<summary> <b>Note:</b> </summary>


---
<div align='center'>

**Frogbot** also supports **Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning**. These features are included as part of the [JFrog Advanced Security](https://jfrog.com/advanced-security) package, which isn't enabled on your system.

</div>


</details>


---
<div align='center'>

[🐸 JFrog Frogbot](https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot)

</div>
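Worked example for the Commons FileUpload remediation in the CVE-2025-48976 entry above (added here; this is not code from the scan report, from Commons FileUpload or from this project). It assumes a servlet container providing the `javax.servlet` API and commons-fileupload 1.5 on the classpath; the class name `BoundedUploadServlet` and the limit values are illustrative. Every limit the 1.5 API offers is set up front, and a tripped limit is answered with 413 before any part is processed:

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Added example (hypothetical servlet): every FileUpload 1.5 limit is set before parsing. */
public class BoundedUploadServlet extends HttpServlet {

    // Illustrative limits; size them for the application.
    static final long MAX_REQUEST_BYTES = 1024L * 1024 * 100; // whole body, all part headers included
    static final long MAX_FILE_BYTES    = 1024L * 1024 * 20;  // any single part
    static final long MAX_PARTS         = 10;                 // number of file parts per request

    static ServletFileUpload newUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setSizeMax(MAX_REQUEST_BYTES);   // bounds the bytes spent on multipart headers too
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setFileCountMax(MAX_PARTS);
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        List<FileItem> items = null;
        try {
            items = newUpload().parseRequest(req);
            // ... process items here ...
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (FileUploadBase.SizeException | FileUploadBase.FileCountLimitExceededException e) {
            // A limit tripped: reject without reading further.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart body");
        } finally {
            // Release on-disk temporary copies explicitly rather than waiting for GC,
            // the failure mode described for Tomcat in CVE-2025-61795 above.
            if (items != null) {
                for (FileItem item : items) {
                    item.delete();
                }
            }
        }
    }
}
```

`setSizeMax` is the cap the report recommends; `setFileSizeMax` and `setFileCountMax` are the other two limits available in 1.5 and cost nothing to set. These caps are defense in depth, not a substitute for upgrading to a release that fixes CVE-2025-48976.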
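Worked example for the Hibernate Validator entries above (CVE-2025-35036 and CVE-2020-10693): the vulnerable custom-message pattern next to the `addExpressionVariable()` form the report recommends. This is an added example, not code from the report, from Hibernate or from this project. It assumes the Hibernate Validator 5.x line on this page (Bean Validation 1.1 `javax.validation` packages), where expressions in a template passed to `buildConstraintViolationWithTemplate` are evaluated; the `@SafeLoginName` constraint and its character rule are hypothetical:

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

/** Hypothetical constraint: a login name limited to [a-z0-9_]. */
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = SafeLoginNameValidator.class)
@interface SafeLoginName {
    String message() default "invalid login name";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

/** Added example (not Hibernate's code): echoes the rejected value without EL injection. */
public class SafeLoginNameValidator implements ConstraintValidator<SafeLoginName, String> {

    private static final Pattern ALLOWED = Pattern.compile("[a-z0-9_]{3,32}");

    @Override
    public void initialize(SafeLoginName constraint) {
    }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext context) {
        if (value == null || ALLOWED.matcher(value).matches()) {
            return true;
        }
        // Every rejected value contains a character outside [a-z0-9_], so "${...}" payloads
        // always reach this branch and would be echoed back in the violation message.
        context.disableDefaultConstraintViolation();

        // VULNERABLE (kept as a comment): the rejected value becomes part of the template,
        // so input such as "${''.getClass().forName('java.lang.Runtime')}" is evaluated as
        // Expression Language when the message is interpolated.
        //
        //   context.buildConstraintViolationWithTemplate("'" + value + "' is not a valid login name")
        //          .addConstraintViolation();

        // SAFE: the template is a constant and the value travels as an EL variable whose
        // contents are substituted as data, never interpolated again.
        context.unwrap(HibernateConstraintValidatorContext.class)
                .addExpressionVariable("rejected", value)
                .buildConstraintViolationWithTemplate("'${rejected}' is not a valid login name")
                .addConstraintViolation();
        return false;
    }
}
```

The rule of thumb this encodes: a string that came from the request may be an argument to the message, never part of the template. The same holds for the default `message()` attribute, which should not be assembled from user data either.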
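Worked example for the CVE-2025-22228 entry above (added here; not code from the report, from Spring Security or from this project). It assumes `spring-security-crypto` on the classpath; the class name `BoundedBCryptPasswordEncoder` is hypothetical. The wrapper makes the 72-byte bcrypt input limit explicit instead of letting the delegate truncate silently, which is what lets two passwords that share their first 72 characters compare equal:

```java
import java.nio.charset.StandardCharsets;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Added example: refuses input beyond bcrypt's 72-byte limit instead of truncating it. */
public final class BoundedBCryptPasswordEncoder implements PasswordEncoder {

    static final int BCRYPT_MAX_BYTES = 72;

    private final PasswordEncoder delegate = new BCryptPasswordEncoder();

    /** bcrypt keys on bytes, not characters: 40 three-byte UTF-8 characters are already 120 bytes. */
    static boolean withinBcryptLimit(CharSequence rawPassword) {
        return rawPassword != null
                && rawPassword.toString().getBytes(StandardCharsets.UTF_8).length <= BCRYPT_MAX_BYTES;
    }

    @Override
    public String encode(CharSequence rawPassword) {
        if (!withinBcryptLimit(rawPassword)) {
            // Reject at registration/password change so no hash ever covers only a prefix.
            throw new IllegalArgumentException("password exceeds " + BCRYPT_MAX_BYTES + " bytes");
        }
        return delegate.encode(rawPassword);
    }

    @Override
    public boolean matches(CharSequence rawPassword, String encodedPassword) {
        // Fail closed: a candidate bcrypt would truncate can never be accepted, so the
        // "first 72 characters are the same" case cannot produce a false match.
        if (!withinBcryptLimit(rawPassword)) {
            return false;
        }
        return delegate.matches(rawPassword, encodedPassword);
    }

    @Override
    public boolean upgradeEncoding(String encodedPassword) {
        return delegate.upgradeEncoding(encodedPassword);
    }
}
```

Two caveats. Upgrading to a fixed `spring-security-crypto` is the actual remediation; the wrapper is for deployments that cannot upgrade yet, and its `matches` check is also useful afterwards as an explicit policy. Second, any account whose password was set at more than 72 bytes under the old behaviour has a hash covering only the first 72 bytes; after this change those users cannot log in until they reset their password, so roll it out with that in mind.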
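Worked example for the Spring `DataBinder` entries above (CVE-2024-38820 and CVE-2025-22233). It is an added example, not code from the report or from Spring, and assumes `spring-web` and `spring-webmvc` 5.3.x on the classpath; the `ProfileForm` and `ProfileController` types are hypothetical. The first half shows the Locale-dependent `String.toLowerCase()` behaviour the report refers to; the second half applies the mitigation the report recommends, an explicit `allowedFields` list on a dedicated binding object, which removes the pattern-matching step entirely:

```java
import java.util.Locale;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/** Added example (not Spring's code): locale-safe case folding and an allow-list binder. */
public class LocaleSafeBinding {

    /** Case-insensitive comparison via default-locale lower-casing, the flawed approach. */
    static boolean localeDependentMatch(String disallowedPattern, String fieldName, Locale jvmDefault) {
        Locale saved = Locale.getDefault();
        Locale.setDefault(jvmDefault);
        try {
            return disallowedPattern.toLowerCase().equals(fieldName.toLowerCase());
        } finally {
            Locale.setDefault(saved);
        }
    }

    /** Locale.ROOT folds 'I' to 'i' regardless of the JVM default locale. */
    static boolean localeIndependentMatch(String disallowedPattern, String fieldName) {
        return disallowedPattern.toLowerCase(Locale.ROOT).equals(fieldName.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        // Under a Turkish default locale "ID".toLowerCase() is "\u0131d" (dotless i), not "id":
        // a name that a pattern was written to cover no longer compares equal to it.
        System.out.println(localeDependentMatch("id", "ID", turkish)); // false
        System.out.println(localeIndependentMatch("id", "ID"));        // true
    }

    /** Dedicated binding target carrying only the properties a client may set. */
    public static class ProfileForm {
        private String displayName;
        private String email;
        public String getDisplayName() { return displayName; }
        public void setDisplayName(String displayName) { this.displayName = displayName; }
        public String getEmail() { return email; }
        public void setEmail(String email) { this.email = email; }
    }

    @RestController
    public static class ProfileController {

        @InitBinder("profileForm")
        void restrictBinding(WebDataBinder binder) {
            // Explicit allow-list: request parameters not named here (e.g. "role") are not
            // bound, and there is no case-folding or wildcard logic left to get wrong.
            binder.setAllowedFields("displayName", "email");
        }

        @PostMapping("/profile")
        public String update(@ModelAttribute("profileForm") ProfileForm form) {
            return "updated " + form.getDisplayName();
        }
    }
}
```

The allow-list is the part to keep: a `disallowedFields` deny-list has to anticipate every spelling an attacker might send, which is exactly where both CVEs found gaps, whereas `setAllowedFields` names the handful of properties the form is for and ignores everything else.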
