Status: closed (CVEDetect closed this issue 2 years ago)
@aaron-kumar Could you please help me check this issue? May I open a pull request to fix it? Thanks again.
We recently upgraded org.apache.httpcomponents:httpclient to version 4.5.13 with commit 9b4f79c91c2e4b125f6ab747505552c6772181a6. As I can see, this vulnerability exists prior to 4.5.13, so this is no longer valid with the latest oxalis code.
Hi, in oxalis/oxalis-commons there is a dependency org.apache.httpcomponents:httpclient:4.5.11 that calls the risk method.
CVE-2020-13956
The affected version range of this CVE is [,4.5.13).
After further analysis, in this project the main API called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>.
Risk method repair link: GitHub
CVE Bug Invocation Path:
Path Length: 4
Dependency tree:
Suggested solutions:
Update dependency version
Thank you very much.