JoyChou93 / java-sec-code

Java web common vulnerabilities and security code, based on Spring Boot and Spring Security

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #63

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.11 that calls the risk method.

CVE-2019-17563

The versions affected by this CVE are [9.0.0.M1, 9.0.30), [8.5.0, 8.5.50), [, 7.0.99).

After further analysis, in this project the main API called is org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path length: 6

org.joychou.controller.Index: appInfo(javax.servlet.http.HttpServletRequest)Ljava.lang.String; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal; .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.connector.Request: logout() .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String) .m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Dependency tree--

[INFO] sec:java-sec-code:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.1.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.1.RELEASE:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.1.9:compile
[INFO] |  |     |  \- ch.qos.logback:logback-core:jar:1.1.9:compile
[INFO] |  |     +- org.slf4j:jcl-over-slf4j:jar:1.7.22:compile
[INFO] |  |     +- org.slf4j:jul-to-slf4j:jar:1.7.22:compile
[INFO] |  |     \- org.slf4j:log4j-over-slf4j:jar:1.7.22:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.11:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.11:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.11:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.4.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  \- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.6:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.6:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.1.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] |  |  \- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  |     +- ognl:ognl:jar:3.0.8:compile
[INFO] |  |     +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |     \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] |  \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] |     \- org.codehaus.groovy:groovy:jar:2.4.7:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.12:compile
[INFO] |  \- com.google.protobuf:protobuf-java:jar:2.6.0:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.24:compile
[INFO] +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] +- org.dom4j:dom4j:jar:2.1.0:compile
[INFO] |  \- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- com.google.guava:guava:jar:23.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] +- commons-collections:commons-collections:jar:3.1:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.3.6:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.9.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.9.1:compile
[INFO] +- com.squareup.okhttp:okhttp:jar:2.5.0:compile
[INFO] |  \- com.squareup.okio:okio:jar:1.6.0:compile
[INFO] +- org.apache.commons:commons-digester3:jar:3.2:compile
[INFO] |  \- cglib:cglib:jar:2.2.2:compile
[INFO] |     \- asm:asm:jar:3.3.1:compile
[INFO] +- org.jolokia:jolokia-core:jar:1.6.0:compile
[INFO] |  \- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:1.5.1.RELEASE:compile
[INFO] |  \- org.springframework.boot:spring-boot-actuator:jar:1.5.1.RELEASE:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:1.4.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:1.1.3.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:1.1.3.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:4.2.1.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:1.1.3.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.3.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.55:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.55:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:1.2.0.RELEASE:compile
[INFO] |  +- com.netflix.eureka:eureka-client:jar:1.4.11:compile
[INFO] |  |  +- org.codehaus.jettison:jettison:jar:1.3.7:runtime
[INFO] |  |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:runtime
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] |  |  |  |  +- joda-time:joda-time:jar:2.9.7:runtime
[INFO] |  |  |  |  +- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] |  |  |  |  |  +- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] |  |  |  |  |  \- antlr:antlr:jar:2.7.7:runtime
[INFO] |  |  |  |  \- com.google.code.gson:gson:jar:2.8.0:runtime
[INFO] |  |  |  \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] |  |  +- com.netflix.archaius:archaius-core:jar:0.7.4:compile
[INFO] |  |  +- javax.ws.rs:jsr311-api:jar:1.1.1:runtime
[INFO] |  |  +- com.netflix.servo:servo-core:jar:0.10.1:runtime
[INFO] |  |  |  \- com.netflix.servo:servo-internal:jar:0.10.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-core:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey:jersey-client:jar:1.19.1:runtime
[INFO] |  |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:runtime
[INFO] |  |  +- com.google.inject:guice:jar:4.0:runtime
[INFO] |  |  |  \- javax.inject:javax.inject:jar:1:runtime
[INFO] |  |  \- com.netflix.governator:governator-api:jar:1.12.10:runtime
[INFO] |  +- com.netflix.eureka:eureka-core:jar:1.4.11:compile
[INFO] |  |  +- com.netflix.governator:governator:jar:1.12.10:runtime
[INFO] |  |  |  +- com.netflix.governator:governator-core:jar:1.12.10:runtime
[INFO] |  |  |  |  +- com.google.inject.extensions:guice-multibindings:jar:4.0:runtime
[INFO] |  |  |  |  \- com.google.inject.extensions:guice-grapher:jar:4.0:runtime
[INFO] |  |  |  |     \- com.google.inject.extensions:guice-assistedinject:jar:4.0:runtime
[INFO] |  |  |  \- org.ow2.asm:asm:jar:5.0.4:runtime
[INFO] |  |  \- org.codehaus.woodstox:woodstox-core-asl:jar:4.4.1:runtime
[INFO] |  |     +- javax.xml.stream:stax-api:jar:1.0-2:runtime
[INFO] |  |     \- org.codehaus.woodstox:stax2-api:jar:3.1.4:runtime
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-archaius:jar:1.4.0.RELEASE:compile
[INFO] |  |  \- commons-configuration:commons-configuration:jar:1.8:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-ribbon:jar:1.4.0.RELEASE:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon:jar:2.2.0:compile
[INFO] |  |  |  +- com.netflix.ribbon:ribbon-transport:jar:2.2.0:runtime
[INFO] |  |  |  |  +- io.reactivex:rxnetty-contexts:jar:0.4.9:runtime
[INFO] |  |  |  |  \- io.reactivex:rxnetty-servo:jar:0.4.9:runtime
[INFO] |  |  |  +- com.netflix.hystrix:hystrix-core:jar:1.5.5:runtime
[INFO] |  |  |  |  \- org.hdrhistogram:HdrHistogram:jar:2.1.9:runtime
[INFO] |  |  |  \- io.reactivex:rxnetty:jar:0.4.9:runtime
[INFO] |  |  |     +- io.netty:netty-codec-http:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  +- io.netty:netty-codec:jar:4.0.27.Final:runtime
[INFO] |  |  |     |  \- io.netty:netty-handler:jar:4.0.27.Final:runtime
[INFO] |  |  |     \- io.netty:netty-transport-native-epoll:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-common:jar:4.0.27.Final:runtime
[INFO] |  |  |        +- io.netty:netty-buffer:jar:4.0.27.Final:runtime
[INFO] |  |  |        \- io.netty:netty-transport:jar:4.0.27.Final:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-core:jar:2.2.0:compile
[INFO] |  |  +- com.netflix.ribbon:ribbon-httpclient:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-commons-util:jar:0.1.1:runtime
[INFO] |  |  +- com.netflix.ribbon:ribbon-loadbalancer:jar:2.2.0:compile
[INFO] |  |  |  \- com.netflix.netflix-commons:netflix-statistics:jar:0.1.1:runtime
[INFO] |  |  \- io.reactivex:rxjava:jar:1.1.10:compile
[INFO] |  \- com.netflix.ribbon:ribbon-eureka:jar:2.2.0:compile
[INFO] +- com.fasterxml.uuid:java-uuid-generator:jar:3.1.4:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.12.RELEASE:compile
[INFO] |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:4.2.1.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.6.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.12.RELEASE:compile
[INFO] |  \- org.springframework:spring-aop:jar:4.3.6.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.5.RELEASE:compile
[INFO] +- commons-net:commons-net:jar:3.6:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.1.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.11:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.11:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.6.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-tx:jar:4.3.6.RELEASE:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.2:compile
[INFO] |  +- org.mybatis:mybatis:jar:3.4.6:compile
[INFO] |  \- org.mybatis:mybatis-spring:jar:1.3.2:compile
[INFO] +- org.apache.velocity:velocity:jar:1.7:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO] |  +- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.apache.poi:poi:jar:3.10-FINAL:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- com.monitorjbl:xlsx-streamer:jar:2.0.0:compile
[INFO] |  +- com.rackspace.apache:xerces2-xsd11:jar:2.11.1:compile
[INFO] |  |  +- com.rackspace.eclipse.webtools.sourceediting:org.eclipse.wst.xml.xpath2.processor:jar:2.1.100:compile
[INFO] |  |  |  +- edu.princeton.cup:java-cup:jar:10k:compile
[INFO] |  |  |  \- com.ibm.icu:icu4j:jar:4.6:compile
[INFO] |  |  \- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.22:compile
[INFO] +- org.jsoup:jsoup:jar:1.10.2:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1.4:compile
[INFO] |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.10:compile
[INFO] +- io.springfox:springfox-swagger2:jar:2.9.2:compile
[INFO] |  +- io.swagger:swagger-annotations:jar:1.5.20:compile
[INFO] |  +- io.swagger:swagger-models:jar:1.5.20:compile
[INFO] |  +- io.springfox:springfox-spi:jar:2.9.2:compile
[INFO] |  |  \- io.springfox:springfox-core:jar:2.9.2:compile
[INFO] |  |     \- net.bytebuddy:byte-buddy:jar:1.8.12:compile
[INFO] |  +- io.springfox:springfox-schema:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-swagger-common:jar:2.9.2:compile
[INFO] |  +- io.springfox:springfox-spring-web:jar:2.9.2:compile
[INFO] |  +- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |  +- org.springframework.plugin:spring-plugin-metadata:jar:1.2.0.RELEASE:compile
[INFO] |  \- org.mapstruct:mapstruct:jar:1.2.0.Final:compile
[INFO] +- io.springfox:springfox-swagger-ui:jar:2.9.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.16:provided
[INFO] +- org.yaml:snakeyaml:jar:1.21:compile
[INFO] +- org.springframework:spring-test:jar:4.3.6.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.1:compile
[INFO] \- com.auth0:java-jwt:jar:4.0.0:compile

Suggested solutions:

Update dependency version

Thank you very much.