search

WuKongOpenSource / WukongCRM-9.0-JAVA

悟空CRM-基于jfinal+vue+ElementUI的前后端分离CRM系统
http://www.5kcrm.com
Other
690 stars 336 forks source link

Dependency org.apache.poi:poi-ooxml, leading to CVE problem #23

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In 72crm-9.0-JAVA,there is a dependency org.apache.poi:poi-ooxml:3.17 that calls the risk method.

CVE-2019-12415

The scope of this CVE affected version is [,4.1.0)

After further analysis, in this project, the main Api called is <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 4

org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
at <org.apache.poi.xssf.streaming.SXSSFCell: org.apache.poi.ss.usermodel.RichTextString getRichStringCellValue()> (org.apache.poi.xssf.streaming.SXSSFCell.java:[453]) in /.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar
at <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String toString()> (org.apache.poi.xssf.streaming.SXSSFCell.java:[768]) in /.m2/repository/org/apache/poi/poi-ooxml/3.17/poi-ooxml-3.17.jar
at <com.kakarote.crm9.erp.crm.service.CrmLeadsService: com.kakarote.crm9.utils.R uploadExcel(com.jfinal.upload.UploadFile,java.lang.Integer,java.lang.Integer)> (com.kakarote.crm9.erp.crm.service.CrmLeadsService.java:[393]) in /detect/unzip/72crm-9.0-JAVA-9.0.1_20191202/target/classes

Dependency tree--

[INFO] com.kakarote:crm9:jar:1.3.3
[INFO] +- com.jfinal:jfinal-undertow:jar:1.9:compile
[INFO] |  +- io.undertow:undertow-core:jar:2.0.25.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.4.0.Final:compile
[INFO] |  |  +- org.jboss.xnio:xnio-api:jar:3.3.8.Final:compile
[INFO] |  |  \- org.jboss.xnio:xnio-nio:jar:3.3.8.Final:runtime
[INFO] |  +- io.undertow:undertow-servlet:jar:2.0.25.Final:compile
[INFO] |  \- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] +- com.jfinal:jfinal:jar:3.8:compile
[INFO] +- cglib:cglib-nodep:jar:3.2.5:compile
[INFO] +- com.jfinal:cos:jar:2019.8:compile
[INFO] +- it.sauronsoftware.cron4j:cron4j:jar:2.2.5:compile
[INFO] +- redis.clients:jedis:jar:2.9.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] +- de.ruedigermoeller:fst:jar:2.50:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |  +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  +- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] |  \- com.cedarsoftware:java-util:jar:1.9.0:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |     \- com.cedarsoftware:json-io:jar:2.5.1:compile
[INFO] +- org.slf4j:slf4j-nop:jar:1.7.25:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- log4j:log4j:jar:1.2.16:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.44:compile
[INFO] +- com.alibaba:druid:jar:1.0.29:compile
[INFO] |  +- com.alibaba:jconsole:jar:1.8.0:system
[INFO] |  \- com.alibaba:tools:jar:1.8.0:system
[INFO] +- com.alibaba:fastjson:jar:1.2.54:compile
[INFO] +- cn.hutool:hutool-all:jar:4.4.0:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.17:compile
[INFO] |  +- org.apache.poi:poi:jar:3.17:compile
[INFO] |  |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  |  \- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.17:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.6.0:compile
[INFO] |  |     \- stax:stax-api:jar:1.0.1:compile
[INFO] |  \- com.github.virtuald:curvesapi:jar:1.04:compile
[INFO] +- com.aliyun:aliyun-java-sdk-core:jar:4.0.6:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |  |  \- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.1:compile
[INFO] |  |  \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  +- com.sun.xml.bind:jaxb-core:jar:2.1.14:compile
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.1:compile
[INFO] |  \- javax.activation:activation:jar:1.1.1:compile
[INFO] +- com.aliyun:aliyun-java-sdk-dysmsapi:jar:1.1.0:compile
[INFO] \- com.github.ben-manes.caffeine:caffeine:jar:2.6.2:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@GspiriTer Could please help me check this issue? May I pull a request to fix it? Thanks again.