search

RuedigerMoeller / kontraktor

distributed Actors for Java 8 / JavaScript
GNU Lesser General Public License v3.0
344 stars 48 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #116

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, In kontraktor/modules/kontraktor-bare,there is a dependency org.apache.httpcomponents:httpclient:4.4.1 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.nio.client.CloseableHttpAsyncClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.nio.client.CloseableHttpAsyncClient.java:[118]) in /.m2/repository/org/apache/httpcomponents/httpasyncclient/4.1/httpasyncclient-4.1.jar
at <org.apache.http.impl.nio.client.CloseableHttpAsyncClient: java.util.concurrent.Future execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext,org.apache.http.concurrent.FutureCallback)> (org.apache.http.impl.nio.client.CloseableHttpAsyncClient.java:[101]) in /.m2/repository/org/apache/httpcomponents/httpasyncclient/4.1/httpasyncclient-4.1.jar
at <org.apache.http.impl.nio.client.CloseableHttpAsyncClient: java.util.concurrent.Future execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.concurrent.FutureCallback)> (org.apache.http.impl.nio.client.CloseableHttpAsyncClient.java:[91]) in /.m2/repository/org/apache/httpcomponents/httpasyncclient/4.1/httpasyncclient-4.1.jar
at <org.nustaq.kontraktor.barebone.RemoteActorConnection: org.nustaq.kontraktor.barebone.Promise connect(java.lang.String,boolean)> (org.nustaq.kontraktor.barebone.RemoteActorConnection.java:[240]) in /detect/unzip/kontraktor-4.19/modules/kontraktor-bare/target/classes

Dependency tree--

[INFO] de.ruedigermoeller:kontraktor-bare:jar:4.19
[INFO] +- de.ruedigermoeller:fst:jar:2.53:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |  +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  \- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] +- org.apache.httpcomponents:httpasyncclient:jar:4.1:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.1:compile
[INFO] |  +- org.apache.httpcomponents:httpcore-nio:jar:4.4.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.4.1:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 2 years ago

@RuedigerMoeller Could please help me check this issue? May I pull a request to fix it? Thanks again.