EM 10.8 vulnerabilities: Spring, Tomcat (CVE-2023-20860, CVE-2023-20861, CVE-2023-28708, CVE-2023-24998, CVE-2023-1370)

Article ID: 263715


Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

Black Duck scans of the EM have revealed several vulnerabilities in open source components:

* Spring 5.3.x: CVE-2023-20860 / BDSA-2023-0649 severity 7.9, fixed in 5.3.26
Affects Spring Framework versions 6.0.0 - 6.0.6 and 5.3.0 - 5.3.25.
Using "**" as a pattern in a Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

* Spring 5.3.x: CVE-2023-20861 / BDSA-2023-0638 severity 5.7, fixed in 5.3.26
Spring Framework is vulnerable to denial-of-service (DoS) via specially crafted SpEL expressions.

* Apache Tomcat 8.5.x: CVE-2023-28708 severity 4.6

* Apache Commons FileUpload: CVE-2023-24998 severity 6.5
file: org.apache.commons.fileupload_1.3.3.jar

* json-smart: CVE-2023-1370 severity 6.7
file: plugins/com.wily.introscope.appmap.em_10.8.1.jar!/WebContent/WEB-INF/lib/json-smart.jar

Scanned EM version: 10.8.1.6

Environment

Release: 10.7.x, 10.8.0

Cause

Vulnerability defect DE562295

Resolution

To be fixed in 10.8 SP1

Additional Information

https://knowledge.broadcom.com/external/article/185748/apm-107-108-security-vulnerabilities-th.html