SaToken privilege escalation vulnerability

This is being flagged on twistlock both on spring-core and spring-web jar files.

CVE-2023-44794 <- this has CPE matched with both spring-framework(From (including) 5.3.0) and spring-boot(From (including) 2.3.1).

Can you confirm that this affects spring-framework? I did a quick search and could not find anything related with that package.

Comment From: bclozel

The Spring team is not involved in any way with the https://github.com/dromara/Sa-Token project.

The NVD entry lists Spring artifacts in the "Running on/with" section, which I believe states that the vulnerable library must run with the other libraries listed there to trigger the security issue. If your tool still points to Spring as being vulnerable here, can you tell us more about the report and get in touch with your vendor about this problem?

Comment From: paranjayBhanot

@fredbalves and @bclozel: Prisma Cloud is reporting CVE-2023-44794 (dromara sa-token) with a CVSS score of 9.8 in spring-web and spring-core packages v6.1.2. Please find below the description as reported by Prisma Cloud: An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL.

Comment From: bclozel

It seems that the "running on/with" part of the CPE is clearly communicated in the official data dump and API. You can check that yourself:

$ curl https://services.nvd.nist.gov/rest/json/cves/2.0\?cveId\=CVE-2023-44794 | jq '.vulnerabilities[].cve.configurations'

[
  {
    "operator": "AND",
    "nodes": [
      {
        "operator": "OR",
        "negate": false,
        "cpeMatch": [
          {
            "vulnerable": true,
            "criteria": "cpe:2.3:a:dromara:sa-token:*:*:*:*:*:*:*:*",
            "versionEndExcluding": "1.37.0",
            "matchCriteriaId": "BCB07557-F15B-4319-B525-39764D2AB3A7"
          }
        ]
      },
      {
        "operator": "OR",
        "negate": false,
        "cpeMatch": [
          {
            "vulnerable": false,
            "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "2.3.1",
            "matchCriteriaId": "C59F2ABD-BAE0-408C-AED4-6D484134E7F6"
          },
          {
            "vulnerable": false,
            "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "5.3.0",
            "matchCriteriaId": "821E9C4B-844C-4D73-AB99-0A6A8D00CC1E"
          }
        ]
      }
    ]
  }
]

Spring dependencies are not marked as vulnerable in the metadata. Additionally, the metadata itself is a bit strange, as it reads Dromara < 1.37 AND (Spring Framework 5.3.0+ OR Spring Boot 2.3.1+). This would not include Dromara < 1.37 AND Spring Boot [2.0.0-2.3.0].

In any case, if your security tool is reporting this against Spring, please reach out to your vendor and request a fix for this false positive.
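One way to apply the "running on/with" reading of the metadata programmatically, as an added example that is not code from this thread or from the Spring project: it walks the `configurations` block shown above and separates the products NVD marks `vulnerable: true` from the platform entries marked `vulnerable: false`, which is the check a scanner should make before attributing the CVE to a package. The embedded JSON is a trimmed copy of the output above (the `matchCriteriaId` fields are dropped), so it runs offline.

```python
import json

# Constructed sample: a trimmed copy of the NVD configurations block quoted
# in this thread, keeping the same vulnerable/platform split.
NVD_CONFIGURATIONS = json.loads("""
[
  {
    "operator": "AND",
    "nodes": [
      {"operator": "OR", "negate": false, "cpeMatch": [
        {"vulnerable": true,
         "criteria": "cpe:2.3:a:dromara:sa-token:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "1.37.0"}]},
      {"operator": "OR", "negate": false, "cpeMatch": [
        {"vulnerable": false,
         "criteria": "cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.3.1"},
        {"vulnerable": false,
         "criteria": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "5.3.0"}]}
    ]
  }
]
""")


def product_from_cpe(criteria):
    """Return 'vendor:product' from a CPE 2.3 string (fields 3 and 4)."""
    parts = criteria.split(":")
    return f"{parts[3]}:{parts[4]}"


def classify_cpes(configurations):
    """Split CPE matches into products NVD marks as vulnerable and the
    'running on/with' platforms that only describe the environment."""
    vulnerable, platform = set(), set()
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                target = vulnerable if match.get("vulnerable") else platform
                target.add(product_from_cpe(match["criteria"]))
    return vulnerable, platform


def is_false_positive(configurations, vendor_product):
    """True when a package is listed only as a platform, never as vulnerable."""
    vulnerable, platform = classify_cpes(configurations)
    return vendor_product in platform and vendor_product not in vulnerable
```

Run against the live API output from the curl/jq command above, the same functions report sa-token as the only vulnerable product and both Spring entries as platform context.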

Comment From: qaiscvs

We are getting the same issue: CVE-2023-44794 is reported on spring-web and spring-core.

Package Name:spring-core_spring-core Version:6.1.4 ID:CVE-2023-44794 CVSS:9.8 Severity:critical Description:An issue in Dromara SaToken version 1.36.0 and before allows a remote attacker to escalate privileges via a crafted payload to the URL. Package Name:spring-web_spring-web Version:6.1.4

Comment From: bclozel

@qaiscvs which vulnerability scanning tool are you using?

Comment From: qaiscvs

twistlock.

Comment From: bclozel

Isn't it called Prisma cloud these days? In any case, you should get in touch with your vendor as it is a bug in the tool, see comments above.