OneBusAway / onebusaway-application-modules

The core OneBusAway application suite.
https://github.com/OneBusAway/onebusaway-application-modules/wiki

Dependency org.hibernate:hibernate-core, leading to CVE problem #295

Closed CVEDetect closed 3 weeks ago

CVEDetect commented 2 years ago

Hi, in onebusaway-application-modules/onebusaway-geocoder, there is a dependency org.hibernate:hibernate-core:4.0.1.Final that calls the risk method.

CVE-2020-25638

The affected version range of this CVE is [,5.4.24)

After further analysis, in this project, the main API called is <org.hibernate.sql.Update: java.lang.String toStatementString()>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 10

<org.hibernate.sql.Select: java.lang.String toStatementString()>
at <org.hibernate.persister.entity.AbstractEntityPersister: java.lang.String renderSelect(int[],int[],int[])> (org.hibernate.persister.entity.AbstractEntityPersister.java:[3527]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.persister.entity.SingleTableEntityPersister: java.lang.String generateSequentialSelect(org.hibernate.persister.entity.Loadable)> (org.hibernate.persister.entity.SingleTableEntityPersister.java:[970]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.persister.entity.SingleTableEntityPersister: void postInstantiate()> (org.hibernate.persister.entity.SingleTableEntityPersister.java:[1019]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.internal.SessionFactoryImpl: void <init>(org.hibernate.cfg.Configuration,org.hibernate.engine.spi.Mapping,org.hibernate.service.ServiceRegistry,org.hibernate.cfg.Settings,org.hibernate.SessionFactoryObserver)> (org.hibernate.internal.SessionFactoryImpl.java:[422]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.cfg.Configuration: org.hibernate.SessionFactory buildSessionFactory(org.hibernate.service.ServiceRegistry)> (org.hibernate.cfg.Configuration.java:[1737]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.jmx.HibernateService: org.hibernate.SessionFactory buildSessionFactory()> (org.hibernate.jmx.HibernateService.java:[68]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.jmx.SessionFactoryStub: org.hibernate.SessionFactory getImpl()> (org.hibernate.jmx.SessionFactoryStub.java:[124]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.hibernate.jmx.SessionFactoryStub: org.hibernate.Session getCurrentSession()> (org.hibernate.jmx.SessionFactoryStub.java:[119]) in /.m2/repository/org/hibernate/hibernate-core/4.0.1.Final/hibernate-core-4.0.1.Final.jar
at <org.onebusaway.geocoder.impl.DatabaseCachingGeocoderImpl: org.onebusaway.geocoder.model.GeocoderResults geocode(java.lang.String)> (org.onebusaway.geocoder.impl.DatabaseCachingGeocoderImpl.java:[45]) in /detect/unzip/onebusaway-application-modules-master/onebusaway-geocoder/target/classes

Dependency tree--

[INFO] org.onebusaway:onebusaway-geocoder:jar:2.0.1-SNAPSHOT
[INFO] +- org.onebusaway:onebusaway-geospatial:jar:2.0.1-SNAPSHOT:compile
[INFO] |  +- org.onebusaway:onebusaway-core:jar:2.0.1-SNAPSHOT:compile
[INFO] |  +- com.vividsolutions:jts:jar:1.13:compile
[INFO] |  \- edu.washington.cs.rse:javaproj:jar:1.0.4:compile
[INFO] +- org.onebusaway:onebusaway-container:jar:2.0.1-SNAPSHOT:compile
[INFO] |  +- org.onebusaway:onebusaway-collections:jar:1.2.1:compile
[INFO] |  +- net.sf.ehcache:ehcache:jar:2.10.3:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:4.0.1.Final:compile
[INFO] |  |  +- commons-collections:commons-collections:jar:3.2:compile
[INFO] |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:jar:1.0.0.Final:compile
[INFO] |  |  +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  |  +- org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.1.0.CR2:compile
[INFO] |  |  +- org.javassist:javassist:jar:3.15.0-GA:compile
[INFO] |  |  \- org.hibernate.common:hibernate-commons-annotations:jar:4.0.1.Final:compile
[INFO] |  +- org.hibernate:hibernate-ehcache:jar:4.0.1.Final:compile
[INFO] |  +- commons-dbcp:commons-dbcp:jar:1.2.2:compile
[INFO] |  |  \- commons-pool:commons-pool:jar:1.3:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:4.3.18.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-expression:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-jdbc:jar:4.3.18.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-tx:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-orm:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-aspects:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.springframework:spring-context-support:jar:4.3.18.RELEASE:compile
[INFO] |  +- org.aspectj:aspectjrt:jar:1.7.3:compile
[INFO] |  +- org.aspectj:aspectjweaver:jar:1.7.3:compile
[INFO] |  +- javassist:javassist:jar:3.4.GA:compile
[INFO] |  \- org.springframework:spring-web:jar:4.3.18.RELEASE:compile
[INFO] +- org.onebusaway:onebusaway-util:jar:2.0.1-SNAPSHOT:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.1:compile
[INFO] |  +- joda-time:joda-time:jar:2.0:compile
[INFO] |  +- commons-io:commons-io:jar:1.4:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.2:compile
[INFO] |  |  \- org.codehaus.jackson:jackson-core-asl:jar:1.9.2:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.18:compile
[INFO] |  +- com.brsanthu:google-analytics-java:jar:1.1.2:compile
[INFO] |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.5:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO] |  \- org.onebusaway:onebusaway-realtime-api:jar:2.0.1-SNAPSHOT:compile
[INFO] |     \- org.onebusaway:onebusaway-gtfs:jar:1.3.61:compile
[INFO] |        \- org.onebusaway:onebusaway-csv-entities:jar:1.1.6:compile
[INFO] +- commons-digester:commons-digester:jar:1.8.1:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.8.0:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- org.geotools:gt-main:jar:11-beta:compile
[INFO] |  +- org.geotools:gt-api:jar:11-beta:compile
[INFO] |  |  \- org.geotools:gt-referencing:jar:11-beta:compile
[INFO] |  |     +- java3d:vecmath:jar:1.3.2:compile
[INFO] |  |     +- org.geotools:gt-metadata:jar:11-beta:compile
[INFO] |  |     |  \- org.geotools:gt-opengis:jar:11-beta:compile
[INFO] |  |     |     \- net.java.dev.jsr-275:jsr-275:jar:1.0-beta-2:compile
[INFO] |  |     \- jgridshift:jgridshift:jar:1.0:compile
[INFO] |  +- org.jdom:jdom:jar:1.1.3:compile
[INFO] |  \- javax.media:jai_core:jar:1.1.3:compile
[INFO] \- commons-codec:commons-codec:jar:1.4:provided

Suggested solutions:

Update dependency version

Thank you very much.
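A quick way to confirm, from the dependency tree above, which transitive artifact falls inside the stated range [,5.4.24) and through which path it is pulled into onebusaway-geocoder. This is an added example, not part of the issue or of the OneBusAway project: it parses `mvn dependency:tree` text output, the sample lines are copied from the tree above, and the version comparison on the numeric prefix is a simplification of Maven's full version ordering.

```python
import re

# Constructed sample: a few lines copied from the `mvn dependency:tree` output in the issue.
SAMPLE_TREE = """\
[INFO] org.onebusaway:onebusaway-geocoder:jar:2.0.1-SNAPSHOT
[INFO] +- org.onebusaway:onebusaway-container:jar:2.0.1-SNAPSHOT:compile
[INFO] |  +- net.sf.ehcache:ehcache:jar:2.10.3:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:4.0.1.Final:compile
[INFO] |  +- org.hibernate:hibernate-ehcache:jar:4.0.1.Final:compile
[INFO] \\- commons-codec:commons-codec:jar:1.4:provided
"""
# Affected range for CVE-2020-25638 as stated in the issue, in Maven interval notation.
AFFECTED = {"org.hibernate:hibernate-core": "[,5.4.24)"}
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+)(?::(\w+))?\s*$")  # g:a:type:version[:scope]
INTERVAL_RE = re.compile(r"([\[(])([^,]*),([^\])]*)([\])])")

def version_key(v):
    """Numeric prefix of a Maven version: '4.0.1.Final' -> (4, 0, 1) (qualifiers are ignored)."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def in_range(version, interval):
    """True if version lies in a Maven interval such as '[,5.4.24)' or '[4.0,5.4.24]'."""
    m = INTERVAL_RE.fullmatch(interval)
    if not m:
        raise ValueError("unsupported interval: " + interval)
    lo_inc, lo, hi, hi_inc = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    v = version_key(version)
    if lo and (v < version_key(lo) or (v == version_key(lo) and not lo_inc)):
        return False
    if hi and (v > version_key(hi) or (v == version_key(hi) and not hi_inc)):
        return False
    return True

def find_affected(tree_text, affected=AFFECTED):
    """Walk the tree; return (group:artifact, version, scope, path from root) for each hit."""
    hits, stack = [], []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        ga, version, scope = m.group(1) + ":" + m.group(2), m.group(3), m.group(4) or "compile"
        depth = (m.start() - len("[INFO] ")) // 3   # each tree level indents by 3 columns
        del stack[depth:]                             # drop siblings/children of the previous node
        stack.append(ga + ":" + version)
        if ga in affected and in_range(version, affected[ga]):
            hits.append((ga, version, scope, " -> ".join(stack)))
    return hits
```

Running `find_affected(SAMPLE_TREE)` reports hibernate-core 4.0.1.Final reached via onebusaway-container, which is the module whose pom must pin or upgrade the dependency.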

CVEDetect commented 2 years ago

@sheldonabrown Could you please help me check this issue? May I open a pull request to fix it? Thanks again.