Update commons-collections4 version to 4.3

[cx-lucas-ferreira]

Update commons-collections4 version to 4.3 |CVE-2015-4852

[cx-lucas-ferreira]

Checkmarx One – Scan Summary & Details – 1ed38347-5543-4c8c-8170-30994639de04

---

New Issues (621)

Critical: 129 · High: 122 · Medium: 175 · Low: 195

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2016-1000027	Maven-org.springframework:spring-webmvc-5.2.7.RELEASE	details Recommended version: 6.2.17 Description: Pivotal Spring Framework (spring, spring-remoting, spring-web, spring-webmvc) versions prior to 6.0.0-M1, suffers from a potential remote code exec... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2016-1000027	Maven-org.springframework:spring-web-5.2.7.RELEASE	details Recommended version: 5.3.31-wso2v1 Description: Pivotal Spring Framework (spring, spring-remoting, spring-web, spring-webmvc) versions prior to 6.0.0-M1, suffers from a potential remote code exec... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2016-1000031	Maven-commons-fileupload:commons-fileupload-1.3.2	details Recommended version: 1.6.0 Description: Apache Commons FileUpload through 1.3.3 DiskFileItem File Manipulation Remote Code Execution Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2017-1000487	Maven-org.codehaus.plexus:plexus-utils-1.0.4	details Recommended version: 3.6.0.redhat-00001 Description: Plexus-utils versions prior to 3.0.16 are vulnerable to command injection because it does not correctly process the contents of double quoted strings. Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2019-17571	Maven-log4j:log4j-1.2.17	details Description: Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute ar... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2022-1471	Maven-org.yaml:snakeyaml-1.26	details Recommended version: 2.0 Description: SnakeYaml's "Constructor()" class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2022-22965	Maven-org.springframework:spring-beans-5.2.7.RELEASE	details Recommended version: 5.3.31-wso2v1 Description: spring or spring-beans running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the appli... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2022-22965	Maven-org.springframework:spring-webmvc-5.2.7.RELEASE	details Recommended version: 6.2.17 Description: spring or spring-beans running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the appli... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2022-23305	Maven-log4j:log4j-1.2.17	details Description: By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters fro... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10		CVE-2022-47937	Maven-org.apache.sling:org.apache.sling.commons.json-2.0.4-incubator	details Description: Improper input validation in the Apache Sling Commons JSON bundle allows an attacker to trigger unexpected errors by supplying specially-crafted in... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2023-37460	Maven-org.codehaus.plexus:plexus-archiver-1.0-alpha-3	details Recommended version: 4.8.0 Description: Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` A... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		CVE-2024-50379	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits Remote Code Execution on case-insen... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13		CVE-2024-52316	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Unchecked Error Condition vulnerability in Apache Tomcat versions 9.0.0-M1 through 9.0.95, 10.1.0-M1 through 10.1.30, and 11.0.0-M1 through 11.0.0-... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14		CVE-2024-56337	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. Users running Tomcat on a case insensitive file system with the ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
15		CVE-2025-24813	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution (RCE) and/or Information disclosure and/or malicious content added to... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16		CVE-2025-31651	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability was found within Apache Tomcat. For a subset of unlikely rewrite rule c... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		CVE-2026-40974	Maven-org.springframework.boot:spring-boot-autoconfigure-2.3.1.RELEASE	details Recommended version: 3.5.14 Description: Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spri... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18		CVE-2026-41293	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2026-43512	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20		CVE-2026-43515	Maven-org.apache.tomcat.embed:tomcat-embed-core-9.0.36	details Recommended version: 10.1.49.redhat-00011 Description: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue aff... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		Command_Injection	app/src/main/java/com/veracode/verademo/controller/ToolsController.java: 34	details The application's method calls an OS (shell) command with exec, at line 83 of /app/src/main/java/com/veracode/verademo/controller/ToolsControlle... Attack Vector
22		Command_Injection	app/src/main/java/com/veracode/verademo/controller/ToolsController.java: 34	details The application's method calls an OS (shell) command with exec, at line 53 of /app/src/main/java/com/veracode/verademo/controller/ToolsControlle... Attack Vector
23		SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 37	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java.... Attack Vector
24		SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 37	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java.... Attack Vector
25		SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 37	details The application's method executes an SQL query with executeQuery, at line 505 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
26		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 542	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java.... Attack Vector
27		SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 37	details The application's method executes an SQL query with executeQuery, at line 494 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
28		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 510	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java.... Attack Vector
29		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 510	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java.... Attack Vector
30		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 352	details The application's method executes an SQL query with execute, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.ja... Attack Vector
31		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 512	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java.... Attack Vector
32		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 512	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java.... Attack Vector
33		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 348	details The application's method executes an SQL query with execute, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.ja... Attack Vector
34		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 542	details The application's method executes an SQL query with execute, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.ja... Attack Vector
35		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 427	details The application's method executes an SQL query with executeQuery, at line 467 of /app/src/main/java/com/veracode/verademo/controller/BlabControlle... Attack Vector
36		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 542	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java.... Attack Vector
37		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 542	details The application's method executes an SQL query with executeQuery, at line 505 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
38		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 542	details The application's method executes an SQL query with executeQuery, at line 494 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
39		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 450	details The application's method executes an SQL query with executeQuery, at line 505 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
40		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 450	details The application's method executes an SQL query with executeQuery, at line 494 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
41		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 350	details The application's method executes an SQL query with execute, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.ja... Attack Vector
42		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 351	details The application's method executes an SQL query with execute, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.ja... Attack Vector
43		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java.... Attack Vector
44		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java.... Attack Vector
45		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with execute, at line 53 of /app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand... Attack Vector
46		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with execute, at line 49 of /app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand... Attack Vector
47		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with executeQuery, at line 42 of /app/src/main/java/com/veracode/verademo/commands/RemoveAccountCom... Attack Vector
48		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with executeQuery, at line 40 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.j... Attack Vector
49		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/BlabController.java: 509	details The application's method executes an SQL query with executeQuery, at line 40 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.j... Attack Vector
50		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 249	details The application's method executes an SQL query with executeQuery, at line 264 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
51		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 310	details The application's method executes an SQL query with execute, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.ja... Attack Vector
52		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 310	details The application's method executes an SQL query with executeQuery, at line 494 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
53		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 129	details The application's method executes an SQL query with executeQuery, at line 168 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
54		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 310	details The application's method executes an SQL query with executeQuery, at line 505 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
55		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 310	details The application's method executes an SQL query with executeQuery, at line 325 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
56		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 310	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java.... Attack Vector
57		SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 310	details The application's method executes an SQL query with execute, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java.... Attack Vector
58		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 43	details The application's method executes an SQL query with sqlQuery, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java... Attack Vector
59		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 43	details The application's method executes an SQL query with sqlQuery, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java... Attack Vector
60		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 43	details The application's method executes an SQL query with executeQuery, at line 505 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
61		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/utils/UserFactory.java: 43	details The application's method executes an SQL query with sqlMyEvents, at line 494 of /app/src/main/java/com/veracode/verademo/controller/UserController... Attack Vector
62		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 168	details The application's method executes an SQL query with toString, at line 389 of /app/src/main/java/com/veracode/verademo/controller/UserController.j... Attack Vector
63		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 168	details The application's method executes an SQL query with sqlQuery, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java... Attack Vector
64		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 168	details The application's method executes an SQL query with sqlQuery, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java... Attack Vector
65		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand.java: 42	details The application's method executes an SQL query with sqlQuery, at line 49 of /app/src/main/java/com/veracode/verademo/commands/RemoveAccountCommand... Attack Vector
66		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/commands/ListenCommand.java: 40	details The application's method executes an SQL query with sqlQuery, at line 47 of /app/src/main/java/com/veracode/verademo/commands/ListenCommand.java... Attack Vector
67		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java: 40	details The application's method executes an SQL query with sqlQuery, at line 47 of /app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java... Attack Vector
68		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 168	details The application's method executes an SQL query with sqlMyEvents, at line 494 of /app/src/main/java/com/veracode/verademo/controller/UserController... Attack Vector
69		Second_Order_SQL_Injection	app/src/main/java/com/veracode/verademo/controller/UserController.java: 168	details The application's method executes an SQL query with executeQuery, at line 505 of /app/src/main/java/com/veracode/verademo/controller/UserControlle... Attack Vector
70		Stored_XSS	app/src/main/java/com/veracode/verademo/controller/UserController.java: 475	details The method embeds untrusted data in generated output with getAttribute, at line 110 of /app/src/main/webapp/WEB-INF/views/profile.jsp. This unt... Attack Vector
71		Stored_XSS	app/src/main/java/com/veracode/verademo/controller/UserController.java: 475	details The method embeds untrusted data in generated output with getAttribute, at line 119 of /app/src/main/webapp/WEB-INF/views/profile.jsp. This unt... Attack Vector

More results are available on the CxOne platform

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR