Account (SNYK)- Medium Vulnerabilities

Mar 13, 2025 by ADMIN 39 views

Context

This report outlines the medium-level vulnerabilities found in the StackSpot Account using the SNYK vulnerability scanner. The scan was conducted on 13/03/2025, and the results are based on a 30-day term.

Definition of Done (DOD)

The following tasks have been completed to address the vulnerabilities:

[ ] Vulnerabilities mapped
[ ] Vulnerabilities fixed
[ ] Confirmed by SecOps Team

Vulnerable Resources

Project name StackSpot Account: github.com/shoenig/go-m1cpu v0.1.6

License: MPL-2.0

Project name StackSpot Account: github.com/open-policy-agent/opa v0.42.2

Vulnerability: Incorrect Permission Assignment for Critical Resource

Project name StackSpot Account: path-to-regexp 0.1.10

Vulnerability: Regular Expression Denial of Service (ReDoS)

Project name StackSpot Account: express 4.19.2

Vulnerability: Cross-site Scripting

Project name StackSpot Account: github.com/mitchellh/cli v1.0.0

License: MPL-2.0

Project name StackSpot Account: github.com/shoenig/go-m1cpu v0.1.6

License: MPL-2.0

Project name StackSpot Account: github.com/mitchellh/cli v1.0.0

License: MPL-2.0

Project name StackSpot Account: github.com/shoenig/go-m1cpu v0.1.6

License: MPL-2.0

Project name StackSpot Account: github.com/mitchellh/cli v1.0.0

License: MPL-2.0

Project name StackSpot Account: github.com/shoenig/go-m1cpu v0.1.6

License: MPL-2.0

Project name StackSpot Account: github.com/mitchellh/cli v1.0.0

License: MPL-2.0

Project name StackSpot Account: github.com/gin-contrib/cors v1.4.0

Vulnerability: Origin Validation Error

Project name StackSpot Account: github.com/shoenig/go-m1cpu v0.1.6

License: MPL-2.0

Project name StackSpot Account: github.com/mitchellh/cli v1.0.0

License: MPL-2.0

Project name StackSpot Account: cookie 0.6.0

Vulnerability: Cross-site Scripting (XSS)

Project name StackSpot Account: github.com/shoenig/go-m1cpu v0.1.6

License: MPL-2.0

Project name StackSpot Account: github.com/mitchellh/cli v1.0.0

License: MPL-2.0

Project name StackSpot Account: github.com/shoenig/test v0.6.4

License: MPL-2.0

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: github.com/graph-gophers/graphql-go v1.5.0

Vulnerability: Information Exposure

Project name StackSpot Account: io.netty:netty-common 4.1.111.Final

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: io.netty:netty-common 4.1.100.Final

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: org.springframework:spring-web 6.0.14

Vulnerability: Open Redirect

Project name StackSpot Account: org.hibernate.orm:hibernate-envers 6.2.1.Final

License: LGPL-2.1

Project name StackSpot Account: org.yaml:snakeyaml 1.33

Vulnerability: Arbitrary Code Execution

Project name StackSpot Account: org.apache.commons:commons-compress 1.22

Vulnerability: Improper Input Validation

Project name StackSpot Account: org.hibernate.common:hibernate-commons-annotations 6.0.6.Final

License: LGPL-2.1

Project name StackSpot Account: ch.qos.logback:logback-classic 1.4.13

License: Dual license: EPL-1.0, LGPL-2.1

Project name StackSpot Account: org.springframework:spring-web 6.0.14

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: io.netty:netty-codec-http 4.1.100.Final

Vulnerability: Allocation of Resources Without Limits or Throttling

Project name StackSpot Account: org.apache.commons:commons-compress 1.22

Vulnerability: Allocation of Resources Without Limits or Throttling

Project name StackSpot Account: org.hibernate.orm:hibernate-core 6.2.1.Final

License: LGPL-2.1

Project name StackSpot Account: ch.qos.logback:logback-core 1.5.12

License: Dual license: EPL-1.0, LGPL-2.1

Project name StackSpot Account: org.springframework:spring-web 6.0.11

Vulnerability: Open Redirect

Project name StackSpot Account: org.springframework:spring-web 6.0.11

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: io.netty:netty-handler 4.1.86.Final

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: com.fasterxml.jackson.core:jackson-databind 2.12.0

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: io.netty:netty-common 4.1.86.Final

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: io.netty:netty-codec-http 4.1.86.Final

Vulnerability: Allocation of Resources Without Limits or Throttling

Project name StackSpot Account: org.yaml:snakeyaml 1.33

Vulnerability: Arbitrary Code Execution

Project name StackSpot Account: org.springframework:spring-webmvc 6.0.2

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: org.apache.kafka:kafka-clients 3.6.1

Vulnerability: Files or Directories Accessible to External Parties

Project name StackSpot Account: org.apache.kafka:kafka-clients 3.6.0

Vulnerability: Files or Directories Accessible to External Parties

Project name StackSpot Account: org.springframework:spring-webmvc 6.1.14

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: org.springframework:spring-webmvc 6.0.14

Vulnerability: Denial of Service (DoS)

Project name StackSpot Account: org.apache.kafka:kafka-clients 3.6.0

Vulnerability: Files or Directories Accessible to External Parties

Project name StackSpot Account: org.springframework.security:spring-security-crypto 6.2.5

Vulnerability: Authorization Bypass

Project name StackSpot Account: axios 1.7.4

Vulnerability: Cross-site Scripting (XSS)

Project name StackSpot Account: axios 1.7.7

Vulnerability: Cross-site Script
Account (SNYK) - Medium Vulnerabilities Q&A =====================================

Q: What is the purpose of this report?

A: This report outlines the medium-level vulnerabilities found in the StackSpot Account using the SNYK vulnerability scanner. The scan was conducted on 13/03/2025, and the results are based on a 30-day term.

Q: What are the key findings of this report?

A: The report highlights the following key findings:

Incorrect Permission Assignment for Critical Resource: github.com/open-policy-agent/opa v0.42.2
Regular Expression Denial of Service (ReDoS): path-to-regexp 0.1.10
Cross-site Scripting: express 4.19.2
Information Exposure: github.com/graph-gophers/graphql-go v1.5.0
Denial of Service (DoS): io.netty:netty-common 4.1.111.Final
Open Redirect: org.springframework:spring-web 6.0.14
Arbitrary Code Execution: org.yaml:snakeyaml 1.33
Improper Input Validation: org.apache.commons:commons-compress 1.22
Dual license: ch.qos.logback:logback-classic 1.4.13
Allocation of Resources Without Limits or Throttling: io.netty:netty-codec-http 4.1.100.Final
Files or Directories Accessible to External Parties: org.apache.kafka:kafka-clients 3.6.1
Authorization Bypass: org.springframework.security:spring-security-crypto 6.2.5
Cross-site Scripting (XSS): axios 1.7.4
Server-side Request Forgery (SSRF): axios 1.7.7

Q: What are the potential risks associated with these vulnerabilities?

A: The potential risks associated with these vulnerabilities include:

Unauthorized access: Incorrect Permission Assignment for Critical Resource
Denial of Service (DoS): Regular Expression Denial of Service (ReDoS), Denial of Service (DoS)
Data exposure: Information Exposure
Arbitrary code execution: Arbitrary Code Execution
Input validation issues: Improper Input Validation
Security bypass: Authorization Bypass
Cross-site scripting (XSS): Cross-site Scripting (XSS)
Server-side request forgery (SSRF): Server-side Request Forgery (SSRF)

Q: What are the recommended actions to address these vulnerabilities?

A: The recommended actions to address these vulnerabilities include:

Update dependencies: Update dependencies to the latest versions
Implement input validation: Implement input validation to prevent unauthorized access
Implement secure coding practices: Implement secure coding practices to prevent Denial of Service (DoS) and arbitrary code execution
Implement authentication and authorization: Implement authentication and authorization to prevent security bypass
Implement secure protocols: Implement secure protocols to prevent cross-site scripting (XSS) and server-side request forgery (SSRF)

Q: How can I prevent similar vulnerabilities in the future?

A: To prevent similar vulnerabilities in the future, follow these best practices:

Regularly update dependencies: Regularly update dependencies to the latest versions
Implement secure coding practices: Implement secure coding practices to prevent vulnerabilities
Conduct regular security audits: Conduct regular security audits to identify and address vulnerabilities
Implement a vulnerability management program: Implement a vulnerability management program to track and address vulnerabilities
Provide security training: Provide security training to developers and engineers to promote secure coding practices