
[Snyk] Security upgrade io.jsonwebtoken:jjwt from 0.7.0 to 0.12.0 #33

Open
gazarianucleussec wants to merge 1 commit into develop from snyk-fix-8d6817c220c271424dac091e364fdceb

Conversation

@gazarianucleussec
Owner


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • webgoat-lessons/challenge/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue: high severity Stack-based Buffer Overflow (SNYK-JAVA-COMFASTERXMLJACKSONCORE-10500754), No Known Exploit
Score: 721
Upgrade: io.jsonwebtoken:jjwt: 0.7.0 -> 0.12.0

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@gazarianucleussec
Owner Author

Checkmarx One – Scan Summary & Details e71b6c38-21c4-40f3-b74f-bd00f6d5912e

New Issues (114)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

CRITICAL | CVE-2016-1000027 | Maven-org.springframework:spring-webmvc-5.3.1 | Vulnerable Package
  Recommended version: 5.3.39-atlassian-3
  Description: Pivotal Spring Framework (spring, spring-remoting, spring-web, spring-webmvc) versions prior to 6.0.0-M1, suffers from a potential remote code exec...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: JpMkaNmJSxaZV0JuURPE2jeshAhITasUpH0yA%2FDwr04%3D

CRITICAL | CVE-2016-1000027 | Maven-org.springframework:spring-web-5.3.1 | Vulnerable Package
  Recommended version: 5.3.31-wso2v1
  Description: Pivotal Spring Framework (spring, spring-remoting, spring-web, spring-webmvc) versions prior to 6.0.0-M1, suffers from a potential remote code exec...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: lzajrdTmnORWE81WSWeXRaeIMHkyvSAvWsgyoPCGkx4%3D

CRITICAL | CVE-2018-11499 | Npm-node-sass-4.11.0 | Vulnerable Package
  Description: A Use-After-Free vulnerability exists in "handle_error()" in "sass_context.cpp" in LibSass 3.4.x and 3.5.x through 3.5.5 that could be leveraged to...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: B5aqpayqaqGaDlU1KmKcswiY4%2Bl2WoFXXNZY%2B9IEf1E%3D

CRITICAL | CVE-2019-10747 | Npm-set-value-2.0.0 | Vulnerable Package
  Recommended version: 2.0.1
  Description: set-value is vulnerable to Prototype Pollution before 2.0.1 and 3.x before 3.0.1. The function mixin-deep could be tricked into adding or modifying...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: 1XULdghFfVDQNtvWnQlds26HqdaHapzBM6Crk5Rcr88%3D

CRITICAL | CVE-2019-10747 | Npm-set-value-0.4.3 | Vulnerable Package
  Recommended version: 2.0.1
  Description: set-value is vulnerable to Prototype Pollution before 2.0.1 and 3.x before 3.0.1. The function mixin-deep could be tricked into adding or modifying...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: QWGoKH7vX8qrTz92cHWAUUKhejaOSmXAfi%2FoWIlE%2BNc%3D

CRITICAL | CVE-2020-15256 | Npm-object-path-0.9.2 | Vulnerable Package
  Recommended version: 0.11.8
  Description: A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `in...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: HzRBYhmecFJKrL74qnjzjdCt%2B4yNrkWL7pIVaUHeFjo%3D

CRITICAL | CVE-2020-7774 | Npm-y18n-3.2.1 | Vulnerable Package
  Recommended version: 3.2.2
  Description: This affects the package y18n before 3.2.2, 4.x before 4.0.1, 5.0.x before 5.0.5 and 6.0.0-alpha.0. PoC by po6ix: const y18n = require('y18n')(); y...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: ImBLW1deml15TJWPYiCPhAxXnefV3%2F0q8EUIqT8vkOg%3D

CRITICAL | CVE-2020-7788 | Npm-ini-1.3.5 | Vulnerable Package
  Recommended version: 1.3.6
  Description: This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will p...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: 5PfFqdO5%2Fjmlhyl4nCoMB0v3R9u7SzfNElzgq8OHQrA%3D

CRITICAL | CVE-2021-21342 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processe...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: VDZiuoDYL2S0cjcGCvHhdGezFZhI4RLso95zSuoXmfs%3D

CRITICAL | CVE-2021-21350 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: IIx195LpmHpLHKbZvk%2FUIxzs64j8hfivZbCqZ3obA2M%3D

CRITICAL | CVE-2021-3918 | Npm-json-schema-0.2.3 | Vulnerable Package
  Recommended version: 0.4.0
  Description: json-schema before 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: HFvXm9zJvCCP0h9aKXviu6jCYHhoEalnUm8CkhxIvPw%3D

CRITICAL | CVE-2021-43466 | Maven-org.thymeleaf:thymeleaf-spring5-3.0.11.RELEASE | Vulnerable Package
  Recommended version: 3.0.13.RELEASE
  Description: In the thymeleaf-spring3:3.0.12, thymeleaf-spring4:3.0.12, thymeleaf-spring5:3.0.12 components, thymeleaf combined with specific scenarios in templ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: 3wQPBemlBv5KSHJQx%2FrSjAzy2gLgjIOxa%2FLifZaWSJQ%3D

CRITICAL | CVE-2022-22978 | Maven-org.springframework.security:spring-security-web-5.4.1 | Vulnerable Package
  Recommended version: 5.7.14
  Description: In Spring Security, module "spring-security-web", versions before 5.5.7, and 5.6.x before 5.6.4, RegexRequestMatcher can easily be misconfigured to...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: CrL6kYkLY%2Fos89Y8c4Wb7y6DcvyQZn6%2BnUDwretmcj8%3D

CRITICAL | CVE-2022-26520 | Maven-org.postgresql:postgresql-42.2.18 | Vulnerable Package
  Recommended version: 42.2.29
  Description: In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files t...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: hRA9SNDV2hyxsL0Spf1NRQ%2FrCxunQUsppLKJ07ryIQk%3D

CRITICAL | CVE-2023-26136 | Npm-tough-cookie-2.4.3 | Vulnerable Package
  Recommended version: 4.1.3
  Description: The package tough-cookie in versions prior to 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: JcNpp1muecPEPwm58MCugMZvvRoLrBfhwR8U4ADcZFs%3D

CRITICAL | CVE-2023-34034 | Maven-org.springframework.security:spring-security-config-5.4.1 | Vulnerable Package
  Recommended version: 5.7.14
  Description: In Spring Security configuration using "**" as a pattern for WebFlux, creates a mismatch in pattern matching between Spring Security and Spring Web...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: 73vBeGqAUuJ7TAogGmlHH2K6yYg3a9MsOrIRjGAkqXM%3D

CRITICAL | CVE-2023-34034 | Maven-org.springframework.security:spring-security-web-5.4.1 | Vulnerable Package
  Recommended version: 5.7.14
  Description: In Spring Security configuration using "**" as a pattern for WebFlux, creates a mismatch in pattern matching between Spring Security and Spring Web...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: b%2B4srOgDgXtAxGQQOD9z7HTFCiZ193MmXrO2J1CUuK0%3D

HIGH | CVE-2016-3674 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) Sta...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: 3nDXCuFONia49%2Fp7nXWNGnQPqx1gyLtlvTQNk35qWUY%3D

HIGH | CVE-2017-7957 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' duri...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: xf8F2w1xxDntrcXsszZNXLDuBVetKzyAffzaVo2gcxo%3D

HIGH | CVE-2018-11693 | Npm-node-sass-4.11.0 | Vulnerable Package
  Recommended version: 4.14.0
  Description: An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scop...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: qx6aNmClq4cGr7GNiWUZUTN72m48Fv9U5HyO2Mkx1ZY%3D

HIGH | CVE-2018-11697 | Npm-node-sass-4.11.0 | Vulnerable Package
  Recommended version: 6.0.1
  Description: An issue was discovered in LibSass through 3.5.5. An out-of-bounds read of a memory region was found in the function "Sass::Prelexer::exactly()" wh...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: uz4Vs7nATf0HhNRvz3Q492lfiip53oPm1AvqY83aou0%3D

HIGH | CVE-2019-13173 | Npm-fstream-1.0.11 | Vulnerable Package
  Recommended version: 1.0.12
  Description: fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the sys...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: hIwaJ%2FMC%2B%2FKdtjFHXFt3BiVtiBBlDjgjhgl4ipEBHzA%3D

HIGH | CVE-2020-28469 | Npm-glob-parent-2.0.0 | Vulnerable Package
  Recommended version: 5.1.2
  Description: In glob-parent prior to 5.1.2 the way that the `enclosure` regex in `index.js` is defined could allow an attacker to exploit it, and cause a Denial...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: Pz9XiVzW9ERZ4p4ycbBkJ%2FcVWLTw20AJ0RfgO3OMoRQ%3D

HIGH | CVE-2020-28469 | Npm-glob-parent-3.1.0 | Vulnerable Package
  Recommended version: 5.1.2
  Description: In glob-parent prior to 5.1.2 the way that the `enclosure` regex in `index.js` is defined could allow an attacker to exploit it, and cause a Denial...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: ZuR5Q3E9zeb8WFhnm%2F1fCnVZO4g8btYrksmwKrqGOzU%3D

HIGH | CVE-2020-36048 | Npm-engine.io-3.2.1 | Vulnerable Package
  Recommended version: 3.6.1
  Description: Engine.IO before 4.0.0-alpha.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: mYerqqbRpIP2DXxYL5sO78YCbpIR5PuRZXqncYXXrhw%3D

HIGH | CVE-2020-36049 | Npm-socket.io-parser-3.2.0 | Vulnerable Package
  Recommended version: 3.3.4
  Description: socket.io-parser 3.4.0 and before 3.3.2 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenati...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: MktH%2Bd6O9eNa6lxCYdXdVZkEtVZZJZ5U%2FXayqEkNusc%3D

HIGH | CVE-2020-36049 | Npm-socket.io-parser-3.3.0 | Vulnerable Package
  Recommended version: 3.3.4
  Description: socket.io-parser 3.4.0 and before 3.3.2 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenati...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: YWF7i7cmb0A7SmjjfqKE1x843MiNJ0OS0pABYr703is%3D

HIGH | CVE-2020-36518 | Maven-com.fasterxml.jackson.core:jackson-databind-2.11.3 | Vulnerable Package
  Recommended version: 2.12.7.1
  Description: jackson-databind before 2.12.6.1 and 2.13.x before 2.13.2.1 allows a Java StackOverflow exception and denial of service via a large depth of neste...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: JnAEK%2FjkgO%2Bl3umdtVTObxe3ZM%2BS9RUJPDOSv4HZ45k%3D

HIGH | CVE-2021-21341 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a re...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: JiBcmfK4pNZPDVDj3c4L2G5hQlZUo9fSkAAVD4j3K8Q%3D

HIGH | CVE-2021-21348 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: MUMzsJr%2F6PgljV0RCxlNbdDi3FqKNw0o3hjIQzS1nYY%3D

HIGH | CVE-2021-21349 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: A2SL4NDQQDggCsiwe9XRoQ%2Fz4sZtWnbGFJI8UghTOmw%3D

HIGH | CVE-2021-23382 | Npm-postcss-7.0.2 | Vulnerable Package
  Recommended version: 8.4.31
  Description: The package postcss before 7.0.36 and in 8.x before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via "getAnnotationURL()" ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: DL%2BDygZYUWKumnxvMd7Q5MSLjeKW3jan6SIhfPKnbuc%3D

HIGH | CVE-2021-23434 | Npm-object-path-0.9.2 | Vulnerable Package
  Recommended version: 0.11.8
  Description: This affects the package object-path before 0.11.6. A type confusion vulnerability can lead to a bypass of CVE-2020-15256 when the path components ...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: RMb3%2Fw3DT5Fwcc1g4VGdZGSNQ94Oa1lLKUShCbr5drk%3D

HIGH | CVE-2021-27292 | Npm-ua-parser-js-0.7.17 | Vulnerable Package
  Recommended version: 0.7.24
  Description: ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: tvg6z0oiyjYO0DtYtO1upUWNDRvGTLXc9RP0J58HtH0%3D

HIGH | CVE-2021-29505 | Maven-com.thoughtworks.xstream:xstream-1.4.5 | Vulnerable Package
  Recommended version: 1.4.21
  Description: XStream is a software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote at...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: eHPP0XcyI9aoBLJ%2FR6qMRDEdR7Mj8St8%2FaBNaeeSP2c%3D

HIGH | CVE-2021-37712 | Npm-tar-4.4.1 | Vulnerable Package
  Recommended version: 6.2.1
  Description: The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code executio...
  Attack Vector: LOCAL; Attack Complexity: LOW
  ID: hfkNVA3dnXBFGEgEioPI4t6NabhO6q0gyb9bHEi2HnU%3D

HIGH | CVE-2021-37712 | Npm-tar-2.2.1 | Vulnerable Package
  Recommended version: 6.2.1
  Description: The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code executio...
  Attack Vector: LOCAL; Attack Complexity: LOW
  ID: zDk08vJH2HLEPk1Zf5oA%2Fm6CRjoeRgtwclkZsZDAQXM%3D

HIGH | CVE-2021-3807 | Npm-ansi-regex-2.1.1 | Vulnerable Package
  Recommended version: 3.0.1
  Description: The package ansi-regex versions 3.x prior to 3.0.1, 4.x prior to 4.1.1, 5.x prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Re...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: aWOu4SEhRKL4Vr3rDRE7k%2FEm5hgOWKDxA60mjqT6lsA%3D

HIGH | CVE-2021-3807 | Npm-ansi-regex-3.0.0 | Vulnerable Package
  Recommended version: 3.0.1
  Description: The package ansi-regex versions 3.x prior to 3.0.1, 4.x prior to 4.1.1, 5.x prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Re...
  Attack Vector: NETWORK; Attack Complexity: LOW
  ID: gZZ0k1Cju5iaygYuCVEHOSfPiAUVEQu2LXiJ9jg9A5Y%3D

More results are available on the CxOne platform

Fixed Issues (30)
Great job! The following issues were fixed in this Pull Request

Severity | Issue | Source File / Package
HIGH | CVE-2016-10707 | Npm-jquery-1.10.2
HIGH | CVE-2016-10707 | Npm-jquery-2.1.4
HIGH | CVE-2022-43358 | Npm-node-sass-4.11.0
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/client-side-filtering/src/main/resources/js/clientSideFiltering.js: 17
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/jwt/src/main/resources/html/JWT.html: 351
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/jwt/src/main/resources/html/JWT.html: 351
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/jwt/src/main/resources/html/JWT.html: 351
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/xxe/src/main/resources/js/xxe.js: 72
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/sql-injection/src/main/resources/js/assignment13.js: 43
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/csrf/src/main/resources/js/csrf-review.js: 35
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/cross-site-scripting/src/main/resources/js/stored-xss.js: 35
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/challenge/src/main/resources/js/challenge8.js: 46
HIGH | Client_DOM_Stored_XSS | /webgoat-container/src/main/resources/static/js/goatApp/support/GoatUtils.js: 56
HIGH | Client_DOM_Stored_XSS | /webgoat-lessons/challenge/src/main/resources/js/challenge8.js: 7
MEDIUM | CVE-2016-7103 | Npm-jquery-ui-1.10.4
MEDIUM | CVE-2019-18798 | Npm-node-sass-4.11.0
MEDIUM | CVE-2021-41182 | Npm-jquery-ui-1.10.4
MEDIUM | CVE-2021-41183 | Npm-jquery-ui-1.10.4
MEDIUM | CVE-2022-31160 | Npm-jquery-ui-1.10.4
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1219
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1203
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1219
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1203
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1347
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1340
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1347
LOW | Client_DOM_Open_Redirect | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 1340
LOW | Client_JQuery_Deprecated_Symbols | /webgoat-container/src/main/resources/static/js/goatApp/view/LessonContentView.js: 81
LOW | Client_JQuery_Deprecated_Symbols | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 912
LOW | Client_JQuery_Deprecated_Symbols | /webgoat-container/src/main/resources/static/js/libs/backbone-min.js: 912
