Javen205 / IJPay

IJPay puts payments within reach: it wraps the commonly used payment methods such as WeChat Pay, QQ Wallet Pay, Alipay, JD Pay, UnionPay and PayPal, together with their commonly used interfaces. It does not depend on any third-party MVC framework; used purely as a utility it lets you build a payment module simply and quickly, and it can be embedded easily into any system. Click the little star in the top right corner ✨
http://javen205.gitee.io/ijpay
Apache License 2.0
5.51k stars, 1.35k forks

Provides transitive vulnerable dependencies #66

Closed jidaojiuyou closed 11 months ago

jidaojiuyou commented 1 year ago

Version information

Error message (mind the formatting)

Problem description (including steps to reproduce and screenshots)

The Alipay payment dependency pulls in the vulnerable dependencies dom4j:dom4j:1.6.1 and org.bouncycastle:bcprov-jdk15on:1.62. These dependencies contain several security vulnerabilities.

CVE-2020-10683 9.8 Improper Restriction of XML External Entity Reference vulnerability pending CVSS allocation
CVE-2018-1000632 7.5 XML Injection (aka Blind XPath Injection) vulnerability pending CVSS allocation
CVE-2019-17359 7.5 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation
CVE-2020-15522 5.9 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability pending CVSS allocation
Cxa9261daf-3755 9.8 Vulnerability with high severity found

It is recommended to use the newer dependencies org.dom4j:dom4j:2.1.4 and org.bouncycastle:bcprov-jdk15on:1.69.

Expected behaviour

Use the newer version of dom4j.

Discussion group
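The report above recommends replacing dom4j:dom4j:1.6.1 and org.bouncycastle:bcprov-jdk15on:1.62 with org.dom4j:dom4j:2.1.4 and org.bouncycastle:bcprov-jdk15on:1.69. A consumer of the library does not have to wait for an upstream release to do that: the pom.xml fragment below, an added example that is not IJPay's own code, shows how a Maven project pins the two transitive versions. The coordinates com.github.javen205:IJPay-AliPay and the `${ijpay.version}` property are assumptions for illustration; the two fixed versions come from the issue. The point a practitioner easily misses is that dom4j 2.x moved from groupId `dom4j` to `org.dom4j`, so a managed version of org.dom4j:dom4j does not override the legacy artifact; the old coordinates must be excluded and the new ones declared directly.

```xml
<project>
  <!-- Added example (not from the IJPay project). IJPay-AliPay coordinates
       and ${ijpay.version} are assumed; 2.1.4 and 1.69 are the versions the
       issue recommends. -->
  <dependencyManagement>
    <dependencies>
      <!-- Same groupId:artifactId as the vulnerable transitive, so the
           managed version wins over whatever the Alipay SDK declares. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.69</version>
      </dependency>
      <!-- dom4j 2.x lives under groupId org.dom4j. Managing it here does NOT
           replace dom4j:dom4j:1.6.1, which has a different groupId; that
           artifact is excluded below and this one declared explicitly. -->
      <dependency>
        <groupId>org.dom4j</groupId>
        <artifactId>dom4j</artifactId>
        <version>2.1.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <!-- assumed coordinates for the IJPay Alipay module -->
      <groupId>com.github.javen205</groupId>
      <artifactId>IJPay-AliPay</artifactId>
      <version>${ijpay.version}</version>
      <exclusions>
        <!-- Exclusions apply to the whole transitive subtree, so the legacy
             dom4j pulled in through the Alipay SDK is dropped here. -->
        <exclusion>
          <groupId>dom4j</groupId>
          <artifactId>dom4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- Declare the replacement directly so it lands on the classpath;
         the version comes from dependencyManagement above. -->
    <dependency>
      <groupId>org.dom4j</groupId>
      <artifactId>dom4j</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm the resolved tree no longer contains the old coordinates with `mvn dependency:tree -Dincludes=dom4j,org.dom4j,org.bouncycastle`: the output should list org.dom4j:dom4j:2.1.4 and bcprov-jdk15on:1.69 only, and no `dom4j:dom4j` entry at all. Because the groupId changed, a dependency scanner that only matches on groupId:artifactId will keep reporting the 1.6.1 finding until the exclusion is in place, even if 2.1.4 is also present.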

Javen205 commented 11 months ago

Already handled, thanks for the feedback.