Closed CVEDetect closed 1 year ago
Hi, there is a dependency org.apache.httpcomponents:httpclient:4.5.12 that calls the risk method.
CVE-2020-13956
The affected version range of this CVE is [,4.5.13).
After further analysis, in this project the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 5
org.joychou.util.HttpUtils: httpClient(java.lang.String)Ljava.lang.String;
.m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse;
.m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse;
.m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost;
.m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.
won't fix.