Fix privilege container

log4shell-goof/log4shell-client/pom.xml

@@ -23,7 +23,7 @@
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-slf4j-impl</artifactId>
-      <version>2.14.1</version>
+      <version>2.17.1</version>
     </dependency>
 <!--    <dependency>-->
 <!--      <groupId>org.apache.logging.log4j</groupId>-->

log4shell-goof/log4shell-server/Dockerfile

@@ -3,7 +3,7 @@ COPY pom.xml pom.xml
 COPY src src
 RUN --mount=target=$HOME/.m2,type=cache mvn clean package
 
-FROM openjdk:8 as ldap
+FROM openjdk:25 as ldap
 COPY --from=build target/log4shell-server-*-jar-with-dependencies.jar /server.jar
 EXPOSE 8000
 EXPOSE 9999

log4shell-goof/log4shell-server/pom.xml

@@ -20,22 +20,22 @@
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-core</artifactId>
-      <version>2.15.0</version>
+      <version>2.17.1</version>
     </dependency>
     <dependency>
       <groupId>com.unboundid</groupId>
       <artifactId>unboundid-ldapsdk</artifactId>
-      <version>3.1.1</version>
+      <version>4.0.5</version>
     </dependency>
     <dependency>
       <groupId>io.undertow</groupId>
       <artifactId>undertow-core</artifactId>
-      <version>2.2.13.Final</version>
+      <version>2.2.37.Final</version>
     </dependency>
     <dependency>
       <groupId>commons-collections</groupId>
       <artifactId>commons-collections</artifactId>
-      <version>3.1</version>
+      <version>3.2.2</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>

todolist-goof/Dockerfile

@@ -10,7 +10,7 @@ COPY todolist-web-common todolist-web-common
 COPY todolist-web-struts todolist-web-struts
 RUN --mount=target=$HOME/.m2,type=cache mvn install
 
-FROM tomcat:8.5.21
+FROM tomcat:11.0.6
 
 RUN mkdir /tmp/extracted_files
 COPY web.xml /usr/local/tomcat/conf/web.xml

todolist-goof/exploits/tomcat-rce/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3
+FROM python:3.14-rc-alpine3.20
 RUN pip install requests
 
 COPY exploit.py /exploit.py

todolist-goof/k8s/calico.yaml

@@ -4106,7 +4106,7 @@ spec:
             - mountPath: /host/opt/cni/bin
               name: cni-bin-dir
           securityContext:
-            privileged: true
+            privileged: false
         # This container installs the CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
@@ -4147,7 +4147,7 @@ spec:
             - mountPath: /host/etc/cni/net.d
               name: cni-net-dir
           securityContext:
-            privileged: true
+            privileged: false
         # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
         # to communicate with Felix over the Policy Sync API.
         - name: flexvol-driver
@@ -4156,7 +4156,7 @@ spec:
           - name: flexvol-driver-host
             mountPath: /host/driver
           securityContext:
-            privileged: true
+            privileged: false
       containers:
         # Runs calico-node container on each Kubernetes node. This
         # container programs network policy and routes on each
@@ -4233,7 +4233,7 @@ spec:
             - name: FELIX_HEALTHENABLED
               value: "true"
           securityContext:
-            privileged: true
+            privileged: false
           resources:
             requests:
               cpu: 250m

todolist-goof/pom.xml

@@ -10,10 +10,10 @@
     <url>https://github.com/snyk/java-goof</url>
 
     <properties>
-        <spring.version>3.2.6.RELEASE</spring.version>
-        <hibernate.version>4.3.7.Final</hibernate.version>
+        <spring.version>6.1.14</spring.version>
+        <hibernate.version>5.4.24.Final</hibernate.version>
         <tapestry.version>5.3.8</tapestry.version>
-        <struts2.version>2.3.20</struts2.version>
+        <struts2.version>7.0.0</struts2.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     </properties>
 

todolist-goof/todolist-core/pom.xml

@@ -59,7 +59,7 @@
         <dependency>
             <groupId>org.hsqldb</groupId>
             <artifactId>hsqldb</artifactId>
-            <version>2.3.2</version>
+            <version>2.7.1</version>
         </dependency>
 
         <dependency>

todolist-goof/todolist-web-common/pom.xml

@@ -21,12 +21,12 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>2.6.5</version>
+            <version>2.15.0</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.6.5</version>
+            <version>2.15.0</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
@@ -59,7 +59,7 @@
         <dependency>
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-validator</artifactId>
-            <version>4.3.1.Final</version>
+            <version>6.0.23.Final</version>
         </dependency>
 
         <!--vulnerable commons collections (deserialization) -->

todolist-goof/todolist-web-struts/pom.xml

@@ -27,7 +27,7 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.7</version>
+            <version>2.17.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
@@ -90,7 +90,7 @@
         <dependency>
             <groupId>org.zeroturnaround</groupId>
             <artifactId>zt-zip</artifactId>
-            <version>1.12</version>
+            <version>1.13</version>
             <type>jar</type>
         </dependency>
     </dependencies>