spring-boot-starter-web-3.4.2.jar: 1 vulnerabilities (highest severity is: 8.1)

[mend-bolt-for-github]

Vulnerable Library - spring-boot-starter-web-3.4.2.jar

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.34/f610f84be607fbc82e393cc220f0ad45f92afc91/tomcat-embed-core-10.1.34.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spring-boot-starter-web version)	Remediation Possible**
CVE-2025-24813	High	8.1	tomcat-embed-core-10.1.34.jar	Transitive	3.4.3	❌

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2025-24813

Vulnerable Library - tomcat-embed-core-10.1.34.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/10.1.34/f610f84be607fbc82e393cc220f0ad45f92afc91/tomcat-embed-core-10.1.34.jar

Dependency Hierarchy:

• spring-boot-starter-web-3.4.2.jar (Root Library)
  • spring-boot-starter-tomcat-3.4.2.jar
    • ❌ tomcat-embed-core-10.1.34.jar (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)

• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
  - attacker knowledge of the names of security sensitive files being uploaded
  - the security sensitive files also being uploaded via partial PUT
  If all of the following were true, a malicious user was able to perform remote code execution:
• writes enabled for the default servlet (disabled by default)
  - support for partial PUT (enabled by default)
  - application was using Tomcat's file based session persistence with the default storage location
  - application included a library that may be leveraged in a deserialization attack
  Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.98, which fixes the issue.

Publish Date: 2025-03-10

URL: CVE-2025-24813

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-03-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.35

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.3

Step up your Open Source Security Game with Mend here