[Snyk-dev] Fix for 57 vulnerabilities

[schottsfired]

Snyk has created this PR to fix 57 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• todolist-goof/todolist-web-struts/pom.xml
• todolist-goof/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720	800	org.apache.logging.log4j:log4j-core: 2.7 -> 2.13.2 No Path Found Mature
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHESTRUTS-30207	800	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHESTRUTS-1049003	790	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Arbitrary Command Execution SNYK-JAVA-ORGAPACHESTRUTS-30772	790	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Remote Code Execution SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751	790	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found Mature
	Deserialization of Untrusted Data SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409	760	org.apache.logging.log4j:log4j-core: 2.7 -> 2.13.2 No Path Found Mature
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHESTRUTS-31503	760	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHESTRUTS-608097	760	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014	750	org.apache.logging.log4j:log4j-core: 2.7 -> 2.13.2 No Path Found Mature
	Command Injection SNYK-JAVA-ORGAPACHESTRUTS-30770	705	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Arbitrary Command Execution SNYK-JAVA-ORGAPACHESTRUTS-31495	705	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Remote Code Execution SNYK-JAVA-ORGAPACHESTRUTS-32477	705	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Mature
	Command Injection SNYK-JAVA-ORGAPACHESTRUTSXWORK-451611	705	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found Mature
	Arbitrary Code Execution SNYK-JAVA-COMMONSFILEUPLOAD-30401	640	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHESTRUTS-30771	640	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Directory Traversal SNYK-JAVA-ORGAPACHESTRUTS-30778	640	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Improper Action Name Cleanup SNYK-JAVA-ORGAPACHESTRUTS-451610	640	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHESTRUTS-2635340	630	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524	600	org.apache.logging.log4j:log4j-core: 2.7 -> 2.13.2 No Path Found Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHESTRUTS-608098	600	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found Proof of Concept
	Server-side Template Injection (SSTI) SNYK-JAVA-ORGFREEMARKER-1076795	600	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found Proof of Concept
	Cross-site Request Forgery (CSRF) SNYK-JAVA-ORGAPACHESTRUTS-30774	590	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Unrestricted Upload of File with Dangerous Type SNYK-JAVA-ORGAPACHESTRUTS-609765	590	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGAPACHESTRUTSXWORK-30799	590	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHESTRUTSXWORK-30803	590	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	XML External Entity (XXE) Injection SNYK-JAVA-ORGSPRINGFRAMEWORK-30163	590	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE No Path Found No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGSPRINGFRAMEWORK-1009832	580	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found No Known Exploit
	Reflected File Download SNYK-JAVA-ORGSPRINGFRAMEWORK-30165	580	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE No Path Found No Known Exploit
	Arbitrary File Write via Archive Extraction (Zip Slip) SNYK-JAVA-ORGZEROTURNAROUND-31681	575	org.zeroturnaround:zt-zip: 1.12 -> 1.13 Reachable No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339	555	org.apache.logging.log4j:log4j-core: 2.7 -> 2.13.2 No Path Found Proof of Concept
	Directory Traversal SNYK-JAVA-COMMONSIO-1277109	535	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 Major version upgrade No Path Found Mature
	Denial of Service (DoS) SNYK-JAVA-COMMONSFILEUPLOAD-30082	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Manipulation of Struts' internals SNYK-JAVA-ORGAPACHESTRUTS-30060	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Access Restriction Bypass SNYK-JAVA-ORGAPACHESTRUTS-30775	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Access Restriction Bypass SNYK-JAVA-ORGAPACHESTRUTS-30776	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHESTRUTS-31500	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHESTRUTS-31501	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHESTRUTS-31502	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Parameter Alteration SNYK-JAVA-ORGAPACHESTRUTSXWORK-30798	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Access Restriction Bypass SNYK-JAVA-ORGAPACHESTRUTSXWORK-30802	525	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Insecure Defaults SNYK-JAVA-ORGAPACHESTRUTSXWORK-474418	515	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Information Exposure SNYK-JAVA-COMMONSFILEUPLOAD-31540	475	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Cross-site Request Forgery (CSRF) SNYK-JAVA-ORGSPRINGFRAMEWORK-31331	465	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE No Path Found No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-ORGAPACHESTRUTS-30773	455	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-ORGAPACHESTRUTSXWORK-30800	455	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGSPRINGFRAMEWORK-30164	425	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-OGNL-30474	415	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JAVA-ORGAPACHESTRUTS-460223	415	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 org.apache.struts:struts2-spring-plugin: 2.3.20 -> 2.5.30 No Path Found No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGAPACHESTRUTSXWORK-30801	415	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JAVA-ORGAPACHESTRUTSXWORK-30804	415	org.apache.struts:struts2-core: 2.3.20 -> 6.1.2 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828	415	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313	415	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found No Known Exploit
	Directory Traversal SNYK-JAVA-ORGSPRINGFRAMEWORK-31325	415	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE No Path Found No Known Exploit
	Improper Handling of Case Sensitivity SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634	410	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found Proof of Concept
	Improper Output Neutralization for Logs SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097	365	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found No Known Exploit
	Improper Input Validation SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878	365	org.springframework:spring-web: 3.2.6.RELEASE -> 5.2.22.RELEASE Major version upgrade No Path Found No Known Exploit
	Man-in-the-Middle (MitM) SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761	335	org.apache.logging.log4j:log4j-core: 2.7 -> 2.13.2 No Path Found No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)
🦉 Arbitrary Code Execution
🦉 Information Exposure
🦉 More lessons are available in Snyk Learn

[amazon-inspector-n-virginia]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[schottsfired]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[amazon-inspector-n-virginia]

Description: It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Relevant link: GHSA-7rjr-3q55-vv33

Severity: Critical

[amazon-inspector-n-virginia]

Description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Relevant link: GHSA-jfh8-c2jp-5v3q

Severity: Critical

[amazon-inspector-n-virginia]

Description: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Relevant link: GHSA-p6xc-xr62-6r2g

Severity: High

[amazon-inspector-n-virginia]

✅ I finished the code review, and left comments with the issues I found.