151376liujie / wechat-core

A lightweight Java framework for handling WeChat Official Account messages. It decouples business code from the message-handling framework code and uses annotations to simplify development! That is also one small highlight of this project.
Apache License 2.0
109 stars, 69 forks

Dependency com.thoughtworks.xstream:xstream, leading to CVE problem #21

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in wechat-core there is a dependency, com.thoughtworks.xstream:xstream:1.4.8, that calls the risky method.

CVE-2021-29505

The affected version range of this CVE is [,1.4.17)

After further analysis, the main API called in this project is <com.thoughtworks.xstream.XStream: void setupSecurity()>

Risky method repair link: GitHub

CVE bug invocation path:

Path length: 9

<com.thoughtworks.xstream.XStream: void setupSecurity()>
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,com.thoughtworks.xstream.core.ClassLoaderReference,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.converters.ConverterLookup,com.thoughtworks.xstream.converters.ConverterRegistry)> (com.thoughtworks.xstream.XStream.java:[571]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,com.thoughtworks.xstream.core.ClassLoaderReference,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.core.DefaultConverterLookup)> (com.thoughtworks.xstream.XStream.java:[496]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.io.HierarchicalStreamDriver,java.lang.ClassLoader,com.thoughtworks.xstream.mapper.Mapper)> (com.thoughtworks.xstream.XStream.java:[465]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.converters.reflection.ReflectionProvider,com.thoughtworks.xstream.mapper.Mapper,com.thoughtworks.xstream.io.HierarchicalStreamDriver)> (com.thoughtworks.xstream.XStream.java:[411]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.thoughtworks.xstream.XStream: void <init>(com.thoughtworks.xstream.io.HierarchicalStreamDriver)> (com.thoughtworks.xstream.XStream.java:[378]) in /.m2/repository/com/thoughtworks/xstream/xstream/1.4.8/xstream-1.4.8.jar
at <com.jonnyliu.proj.wechat.utils.MessageUtils: com.thoughtworks.xstream.XStream newXStreamInstance()> (com.jonnyliu.proj.wechat.utils.MessageUtils.java:[50]) in /detect/unzip/wechat-core-master/target/classes
at <com.jonnyliu.proj.wechat.utils.MessageUtils: java.lang.Object xml2Message(java.lang.String,java.lang.Class)> (com.jonnyliu.proj.wechat.utils.MessageUtils.java:[289]) in /detect/unzip/wechat-core-master/target/classes

Dependency tree:

[INFO] com.jonnyliu.proj.wechat:wechat-core:war:1.0-SNAPSHOT
[INFO] +- org.springframework:spring-core:jar:4.3.18.RELEASE:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.springframework:spring-beans:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework:spring-context:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework:spring-context-support:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework:spring-expression:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework:spring-aop:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework:spring-web:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.3.18.RELEASE:compile
[INFO] +- org.springframework.data:spring-data-redis:jar:1.7.0.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-keyvalue:jar:1.1.0.RELEASE:compile
[INFO] |  |  \- org.springframework.data:spring-data-commons:jar:1.12.0.RELEASE:compile
[INFO] |  +- org.springframework:spring-tx:jar:4.2.5.RELEASE:compile
[INFO] |  +- org.springframework:spring-oxm:jar:4.2.5.RELEASE:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.19:compile
[INFO] |  \- org.slf4j:jcl-over-slf4j:jar:1.7.19:runtime
[INFO] +- redis.clients:jedis:jar:2.8.1:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] +- commons-io:commons-io:jar:1.3.2:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.8:compile
[INFO] |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.jsoup:jsoup:jar:1.9.2:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.6.1:compile
[INFO] |  \- log4j:log4j:jar:1.2.16:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.10:compile
[INFO] +- com.google.guava:guava:jar:19.0:compile
[INFO] +- org.projectlombok:lombok:jar:1.16.16:provided
[INFO] \- org.springframework:springloaded:jar:1.2.5.RELEASE:compile

Suggested solutions:

Update dependency version

Thank you very much.
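The invocation path above ends in MessageUtils.xml2Message(String, Class), which hands attacker-controlled callback XML to an XStream instance built with XStream's default (blocklist-based) security setup. Updating the dependency closes CVE-2021-29505, but the check a practitioner would also want is an explicit allowlist, so that XStream can only ever instantiate the message model regardless of which gadget chain the next CVE uses. The following is an added example and not wechat-core's code nor part of the issue: the TextMessage class, its lowercase field names, the DomDriver choice and the sample messages are assumptions; the element names are the public WeChat text-message callback schema. The security calls used (addPermission, allowTypes, aliasField, ignoreUnknownElements) exist in XStream since 1.4.7, so this compiles against the project's 1.4.8 as well as the patched 1.4.17 and later.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.DomDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class HardenedWeChatXml {

    /**
     * Hypothetical stand-in for the message classes wechat-core passes to
     * MessageUtils.xml2Message(String, Class). Fields follow the WeChat
     * text-message XML (ToUserName, FromUserName, CreateTime, MsgType, Content, MsgId).
     */
    public static class TextMessage {
        String toUserName;
        String fromUserName;
        long createTime;
        String msgType;
        String content;
        long msgId;
    }

    /** Builds an XStream that is only permitted to instantiate the message model. */
    public static XStream newHardenedXStream() {
        // DomDriver needs no extra parser jar; the project's own driver choice is assumed here.
        XStream xs = new XStream(new DomDriver());

        // NoTypePermission clears XStream's default permissions (a blocklist in 1.4.x);
        // every permission added after it forms an explicit allowlist.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, TextMessage.class });

        // Map the WeChat wire format onto the model: <xml> root and PascalCase elements.
        xs.alias("xml", TextMessage.class);
        xs.aliasField("ToUserName", TextMessage.class, "toUserName");
        xs.aliasField("FromUserName", TextMessage.class, "fromUserName");
        xs.aliasField("CreateTime", TextMessage.class, "createTime");
        xs.aliasField("MsgType", TextMessage.class, "msgType");
        xs.aliasField("Content", TextMessage.class, "content");
        xs.aliasField("MsgId", TextMessage.class, "msgId");

        // Elements not in the model (fields WeChat adds later) are skipped, not instantiated.
        xs.ignoreUnknownElements();
        return xs;
    }

    /** Equivalent of the project's xml2Message for the text-message case. */
    public static TextMessage parse(String xml) {
        return (TextMessage) newHardenedXStream().fromXML(xml);
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of a WeChat text-message callback.
        String benign = "<xml>"
            + "<ToUserName><![CDATA[gh_demo_account]]></ToUserName>"
            + "<FromUserName><![CDATA[oUserOpenId]]></FromUserName>"
            + "<CreateTime>1348831860</CreateTime>"
            + "<MsgType><![CDATA[text]]></MsgType>"
            + "<Content><![CDATA[hello]]></Content>"
            + "<MsgId>1234567890123456</MsgId>"
            + "</xml>";
        TextMessage m = parse(benign);
        System.out.println(m.msgType + " from " + m.fromUserName + ": " + m.content);

        // A root element naming any type outside the allowlist is refused by the
        // SecurityMapper before XStream instantiates anything. A real payload would
        // name a gadget class here; an ordinary collection is enough to show the check.
        String rogue = "<java.util.ArrayList/>";
        try {
            parse(rogue);
            System.out.println("BUG: rogue document was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Both measures belong together: pin com.thoughtworks.xstream:xstream to 1.4.17 or later in pom.xml to leave the affected range [,1.4.17), and keep the allowlist so that a message endpoint exposed to the public internet never depends on XStream's blocklist being complete. If the real MessageUtils reuses one XStream instance for several message classes, pass all of them to allowTypes; anything not listed there, including the JDK collection types, is rejected with ForbiddenClassException.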

CVEDetect commented 3 years ago

@151376liujie Could you please help me check this issue? May I open a pull request to fix it? Thanks again.