Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

[CVEDetect]

Hi, In oxalis/oxalis-commons，there is a dependency org.apache.httpcomponents:httpclient:4.5.11 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 4

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[93]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[83]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
at <network.oxalis.commons.mode.OxalisOcspFetcher: net.klakegg.pkix.ocsp.api.OcspFetcherResponse fetch(java.net.URI,byte[])> (network.oxalis.commons.mode.OxalisOcspFetcher.java:[72]) in /detect/unzip/oxalis-5.0.3/oxalis-commons/target/classes

Dependency tree--

[INFO] network.oxalis:oxalis-commons:jar:5.0.3
[INFO] +- network.oxalis:oxalis-api:jar:5.0.3:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] |  +- network.oxalis.vefa:peppol-common:jar:2.0.1:compile
[INFO] |  +- io.opentracing:opentracing-api:jar:0.33.0:compile
[INFO] |  \- javax.inject:javax.inject:jar:1:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.57:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:provided
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.3:provided
[INFO] +- com.google.inject:guice:jar:4.2.2:compile
[INFO] |  +- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  \- com.google.guava:guava:jar:28.2-jre:compile
[INFO] |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |     +- org.checkerframework:checker-qual:jar:2.10.0:compile
[INFO] |     +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |     \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] +- network.oxalis.vefa:peppol-mode:jar:2.0.1:compile
[INFO] |  \- com.typesafe:config:jar:1.4.0:compile
[INFO] +- network.oxalis.vefa:peppol-sbdh:jar:2.0.1:compile
[INFO] |  +- no.difi.commons:commons-sbdh:jar:0.9.5:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.14:compile
[INFO] +- network.oxalis.vefa:peppol-evidence:jar:2.0.1:compile
[INFO] |  \- network.oxalis.vefa:peppol-security:jar:2.0.1:compile
[INFO] |     \- no.difi.commons:commons-certvalidator:jar:2.2.1:compile
[INFO] |        +- org.bouncycastle:bcpkix-jdk15on:jar:1.57:compile
[INFO] |        \- net.klakegg.pkix:pkix-ocsp:jar:0.9.1:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.11:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] +- io.zipkin.brave:brave:jar:5.6.5:compile
[INFO] |  +- io.zipkin.zipkin2:zipkin:jar:2.14.2:compile
[INFO] |  \- io.zipkin.reporter2:zipkin-reporter:jar:2.8.4:compile
[INFO] +- io.zipkin.reporter2:zipkin-sender-urlconnection:jar:2.9.0:compile
[INFO] +- io.opentracing:opentracing-noop:jar:0.33.0:compile
[INFO] +- io.opentracing.contrib:opentracing-apache-httpclient:jar:0.2.0:compile
[INFO] |  \- io.opentracing:opentracing-util:jar:0.32.0:compile
[INFO] +- io.opentracing.contrib:opentracing-spanmanager:jar:0.0.5:compile
[INFO] +- io.opentracing.brave:brave-opentracing:jar:0.34.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.12:provided
[INFO] \- org.kohsuke.metainf-services:metainf-services:jar:1.8:provided

Suggested solutions:

Update dependency version

Thank you very much.

[CVEDetect]

@aaron-kumar Could please help me check this issue? May I pull a request to fix it? Thanks again.

[aaron-kumar]

We recently upgraded org.apache.httpcomponents:httpclient to version 4.5.13 with commit : 9b4f79c91c2e4b125f6ab747505552c6772181a6 . As I can see this vulnerability exist prior to 4.5.13 so this is no longer valid with latest oxalis code.