[Snyk-dev] Fix for 72 vulnerabilities

[schottsfired]

Snyk has created this PR to fix 72 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• todolist-goof/todolist-web-common/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Deserialization of Untrusted Data SNYK-JAVA-COMMONSCOLLECTIONS-30078	790	commons-collections:commons-collections: 3.1 -> 3.2.2 No Path Found Mature
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-467015	675	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Mature
	Deserialization of Untrusted Data SNYK-JAVA-COMMONSCOLLECTIONS-472711	655	commons-collections:commons-collections: 3.1 -> 3.2.2 Reachable Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1054588	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056416	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056418	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056420	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056421	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056426	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056427	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-174736	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-31507	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-32043	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-450207	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-548451	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-559094	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-559106	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-560762	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-561585	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-608664	630	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-450917	595	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found Mature
	Improper Input Validation SNYK-JAVA-ORGHIBERNATE-568162	565	org.hibernate:hibernate-validator: 4.3.1.Final -> 6.0.19.Final Major version upgrade Reachable No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1009829	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1047324	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056414	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056417	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056419	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056424	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1056425	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-467016	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-560766	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-561362	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-561373	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-561586	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-561587	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-564887	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-564888	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-570625	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-572300	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-572314	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-572316	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72445	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72446	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72447	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72448	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72449	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72450	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72451	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72882	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72883	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-72884	563	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	XML External Entity (XXE) Injection SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302	560	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052449	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1052450	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-1061931	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-31573	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-32044	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-32111	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-455617	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-467014	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-469674	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-469676	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-471943	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-472980	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Deserialization of Untrusted Data SNYK-JAVA-COMFASTERXMLJACKSONCORE-540500	555	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244	525	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-ORGHIBERNATE-569100	483	org.hibernate:hibernate-validator: 4.3.1.Final -> 6.0.19.Final Major version upgrade No Path Found No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-12009535	420	com.fasterxml.jackson.core:jackson-core: 2.6.5 -> 2.12.6 com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Cross-site Scripting (XSS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-12010004	420	com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-31519	415	com.fasterxml.jackson.core:jackson-core: 2.6.5 -> 2.12.6 com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	Denial of Service (DoS) SNYK-JAVA-COMFASTERXMLJACKSONCORE-31520	415	com.fasterxml.jackson.core:jackson-core: 2.6.5 -> 2.12.6 com.fasterxml.jackson.core:jackson-databind: 2.6.5 -> 2.12.6.1 No Path Found No Known Exploit
	JSM bypass via ReflectionHelper SNYK-JAVA-ORGHIBERNATE-30098	415	org.hibernate:hibernate-validator: 4.3.1.Final -> 6.0.19.Final No Path Found No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Deserialization of Untrusted Data
🦉 XML External Entity (XXE) Injection
🦉 Cross-site Scripting (XSS)
🦉 More lessons are available in Snyk Learn

[amazon-inspector-n-virginia]

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

[schottsfired]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[amazon-inspector-n-virginia]

Description: In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Relevant link: GHSA-rgv9-q543-rqg4

Severity: High

[amazon-inspector-n-virginia]

Description: Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data.

Relevant link: GHSA-7v6m-28jr-rg84

Severity: High

[amazon-inspector-n-virginia]

Description: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Relevant link: GHSA-h46c-h94j-95f3

Severity: High

[amazon-inspector-n-virginia]

Description: In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

Relevant link: GHSA-jjjh-jjxp-wpff

Severity: High

[amazon-inspector-n-virginia]

✅ I finished the code review, and left comments with the issues I found.