[Snyk] Upgrade: com.nulab-inc:zxcvbn, jakarta.xml.bind:jakarta.xml.bind-api, com.sun.xml.bind:jaxb-impl, com.thoughtworks.xstream:xstream, commons-io:commons-io, io.jsonwebtoken:jjwt, jakarta.servlet:jakarta.servlet-api, org.apache.commons:commons-lang3, org.apache.commons:commons-text, org.asciidoctor:asciidoctorj, org.bitbucket.b_c:jose4j, org.flywaydb:flyway-core, org.hsqldb:hsqldb, org.jsoup:jsoup, org.projectlombok:lombok, org.springframework.boot:spring-boot-properties-migrator, org.springframework.boot:spring-boot-starter-actuator, org.springframework.boot:spring-boot-starter-data-jpa, org.springframework.boot:spring-boot-starter-oauth2-client, org.springframework.boot:spring-boot-starter-security, org.springframework.boot:spring-boot-starter-thymeleaf, org.springframework.boot:spring-boot-starter-undertow, org.springframework.boot:spring-boot-starter-validation, org.springframework.boot:spring-boot-starter-web, org.webjars:bootstrap, org.webjars:jquery, org.webjars:webjars-locator-core

[appsectr]

Snyk has created this PR to upgrade multiple dependencies.

👯 The following dependencies are linked and will therefore be updated together.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

Name	Versions	Released on

com.nulab-inc:zxcvbn
from 1.8.0 to 1.9.0 | 3 versions ahead of your current version | 5 months ago
on 2024-04-06
jakarta.xml.bind:jakarta.xml.bind-api
from 4.0.1 to 4.0.2 | 1 version ahead of your current version | 7 months ago
on 2024-02-19
com.sun.xml.bind:jaxb-impl
from 4.0.3 to 4.0.5 | 2 versions ahead of your current version | 6 months ago
on 2024-03-06
com.thoughtworks.xstream:xstream
from 1.4.5 to 1.4.20 | 22 versions ahead of your current version | 2 years ago
on 2022-12-23
commons-io:commons-io
from 2.15.1 to 2.16.1 | 2 versions ahead of your current version | 5 months ago
on 2024-04-05
io.jsonwebtoken:jjwt
from 0.9.1 to 0.12.6 | 7 versions ahead of your current version | 3 months ago
on 2024-06-21
jakarta.servlet:jakarta.servlet-api
from 6.0.0 to 6.1.0 | 3 versions ahead of your current version | 4 months ago
on 2024-05-24
org.apache.commons:commons-lang3
from 3.12.0 to 3.16.0 | 4 versions ahead of your current version | a month ago
on 2024-08-01
org.apache.commons:commons-text
from 1.10.0 to 1.12.0 | 2 versions ahead of your current version | 5 months ago
on 2024-04-13
org.asciidoctor:asciidoctorj
from 2.5.10 to 2.5.13 | 18 versions ahead of your current version | 4 months ago
on 2024-05-19
org.bitbucket.b_c:jose4j
from 0.9.3 to 0.9.6 | 3 versions ahead of your current version | 6 months ago
on 2024-03-06
org.flywaydb:flyway-core
from 9.16.3 to 9.22.3 | 16 versions ahead of your current version | a year ago
on 2023-10-12
org.hsqldb:hsqldb
from 2.7.2 to 2.7.3 | 1 version ahead of your current version | 3 months ago
on 2024-05-31
org.jsoup:jsoup
from 1.17.2 to 1.18.1 | 1 version ahead of your current version | 2 months ago
on 2024-07-10
org.projectlombok:lombok
from 1.18.30 to 1.18.34 | 2 versions ahead of your current version | 2 months ago
on 2024-06-28
org.springframework.boot:spring-boot-properties-migrator
from 3.1.5 to 3.3.2 | 19 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-actuator
from 3.1.5 to 3.3.2 | 20 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-data-jpa
from 3.1.5 to 3.3.2 | 19 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-oauth2-client
from 3.1.5 to 3.3.2 | 19 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-security
from 3.1.5 to 3.3.2 | 19 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-thymeleaf
from 3.1.5 to 3.3.2 | 19 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-undertow
from 3.1.5 to 3.3.2 | 20 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-validation
from 3.1.5 to 3.3.2 | 20 versions ahead of your current version | 2 months ago
on 2024-07-18
org.springframework.boot:spring-boot-starter-web
from 3.1.5 to 3.3.2 | 19 versions ahead of your current version | 2 months ago
on 2024-07-18
org.webjars:bootstrap
from 5.3.2 to 5.3.3 | 1 version ahead of your current version | 7 months ago
on 2024-02-25
org.webjars:jquery
from 3.7.0 to 3.7.1 | 1 version ahead of your current version | a year ago
on 2023-08-29
org.webjars:webjars-locator-core
from 0.53 to 0.59 | 6 versions ahead of your current version | 3 months ago
on 2024-06-08

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569176	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569177	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088337	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569178	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569179	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569180	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569181	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569182	746	Proof of Concept
	Remote Code Execution (RCE) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569183	746	Mature
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569185	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569186	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1040458	746	Proof of Concept
	Arbitrary Code Execution SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569187	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569190	746	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569191	746	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-2388977	746	No Known Exploit
	XML External Entity (XXE) Injection SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-30385	746	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-31394	746	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-ORGBITBUCKETBC-6139942	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088330	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088331	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088332	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088333	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088334	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088335	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088336	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088338	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1294540	746	Proof of Concept
	Arbitrary File Deletion SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051966	746	Proof of Concept
	Server-Side Request Forgery (SSRF) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1051967	746	Mature
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088328	746	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1088329	746	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-1569189	746	Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3091180	746	No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-3182897	746	Proof of Concept
	Insecure XML deserialization SNYK-JAVA-COMTHOUGHTWORKSXSTREAM-460764	746	Mature

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[secure-code-warrior-for-github]

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try a challenge in Secure Code Warrior

Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)

Matched on "Deserialization of Untrusted Data"

What is this? (2min video)

It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains

Try a challenge in Secure Code Warrior

Helpful references

• OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
• OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
• OWASP Top Ten 2017 A8: Insecure Deserialization - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.

Micro-Learning Topic: Server-side request forgery (Detected by phrase)

Matched on "Server-Side Request Forgery"

What is this? (2min video)

Server-Side Request Forgery (SSRF) vulnerabilities are caused when an attacker can supply or modify a URL that reads or sends data to the server. The attacker can create a malicious request with a manipulated URL, when this request reaches the server, the server-side code executes the exploit URL causing the attacker to be able to read data from services that shouldn't be exposed.

Try a challenge in Secure Code Warrior

Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "XXE"

What is this? (2min video)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Try a challenge in Secure Code Warrior

Helpful references

• OWASP XML External Entity (XXE) Processing - OWASP community page with comprehensive information about XML external entity attacks, and links to various OWASP resources to help detect or prevent it.
• MSDN Security Briefs - XML Denial of Service Attacks and Defenses - An MSDN Magazine article that goes into detail on XML entity attacks and how to defend against them.
• OWASP XML External Entity Prevention Cheat Sheet - This article is focused on providing clear, simple, actionable guidance for preventing XML external entity flaws in your applications.