Yarl-IT-Hub / ySchool

A simple web based school management system.
http://www.yarlithub.org/yarl/home/yschool/

Dependency org.apache.poi:poi-ooxml, leading to CVE problem #63

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, in ySchool/modules/spreadSheetHandler, there is a dependency org.apache.poi:poi-ooxml:3.9 that calls the risk method.

CVE-2019-12415

The affected version range of this CVE is [,4.1.0).

After further analysis, in this project, the main API called is <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 2

```text
<org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
at <org.yarlithub.yschool.spreadSheetHandler.XLSReader: java.lang.String getStringCellValue(int)> (org.yarlithub.yschool.spreadSheetHandler.XLSReader.java:[70]) in /detect/unzip/ySchool-master/modules/spreadSheetHandler/target/classes
```

Dependency tree--

```text
[INFO] org.yarlithub.yschool:spreadSheetHandler:jar:1.0-SNAPSHOT
[INFO] +- log4j:log4j:jar:1.2.16:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.6.0:compile
[INFO] +- org.apache.poi:poi:jar:3.9:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.5:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  |     \- stax:stax-api:jar:1.0.1:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] |     \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] +- org.apache.myfaces.tomahawk:tomahawk:jar:1.1.10:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  +- commons-validator:commons-validator:jar:1.3.1:compile
[INFO] |  |  +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  |  \- commons-digester:commons-digester:jar:1.6:compile
[INFO] |  +- commons-fileupload:commons-fileupload:jar:1.2.1:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  +- commons-el:commons-el:jar:1.0:compile
[INFO] |  +- oro:oro:jar:2.0.8:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.4:compile
[INFO] |  +- javax.servlet:jstl:jar:1.1.0:compile
[INFO] |  \- batik:batik-awt-util:jar:1.6-1:compile
[INFO] |     \- batik:batik-util:jar:1.6-1:compile
[INFO] |        \- batik:batik-gui-util:jar:1.6-1:compile
[INFO] |           \- batik:batik-ext:jar:1.6-1:compile
[INFO] |              \- xml-apis:xmlParserAPIs:jar:2.0.2:compile
[INFO] \- commons-io:commons-io:jar:1.3.2:compile
```

Suggested solutions:

Update dependency version

Thank you very much.
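
As an added example (not code from the issue or from the ySchool project): a small Python scanner that parses `mvn dependency:tree` output like the tree above, tracks the parent chain, and flags any `org.apache.poi:poi-ooxml` whose version falls below the 4.1.0 fix boundary quoted in the report. The sample tree is a constructed excerpt of the tree in this issue, the advisory table holds only the one CVE named here, and `parse_tree`, `is_below` and `find_vulnerable` are hypothetical names.

```python
import re

# Constructed sample: an excerpt of the `mvn dependency:tree` output posted in the issue.
SAMPLE_TREE = """\
[INFO] org.yarlithub.yschool:spreadSheetHandler:jar:1.0-SNAPSHOT
[INFO] +- log4j:log4j:jar:1.2.16:compile
[INFO] +- org.apache.poi:poi:jar:3.9:compile
[INFO] |  \\- commons-codec:commons-codec:jar:1.5:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \\- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] \\- commons-io:commons-io:jar:1.3.2:compile
"""

# group:artifact -> (advisory, first fixed version). Range [,4.1.0) is the one quoted above.
ADVISORIES = {"org.apache.poi:poi-ooxml": ("CVE-2019-12415", "4.1.0")}

# Tree-drawing prefix (|, +-, \-, spaces) followed by the Maven coordinates.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*)(?P<coords>\S+)$")


def is_below(version, fixed_in):
    """True when `version` sorts before `fixed_in` (dotted numerics, zero-padded; suffixes ignored)."""
    a = [int(p) for p in re.findall(r"\d+", version.split("-")[0])]
    b = [int(p) for p in re.findall(r"\d+", fixed_in.split("-")[0])]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))


def parse_tree(text):
    """Return (depth, 'group:artifact', version) per node; each indent level is 3 characters."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners and other non-tree output
        parts = m.group("coords").split(":")
        version = parts[4] if len(parts) == 6 else parts[3]  # 6 parts when a classifier is present
        nodes.append((len(m.group("prefix")) // 3, f"{parts[0]}:{parts[1]}", version))
    return nodes


def find_vulnerable(text, advisories=ADVISORIES):
    """Return (advisory, 'root -> ... -> artifact:version') for each affected node."""
    findings, chain = [], []
    for depth, ga, version in parse_tree(text):
        del chain[depth:]  # pop back to this node's parent
        chain.append(f"{ga}:{version}")
        if ga in advisories and is_below(version, advisories[ga][1]):
            findings.append((advisories[ga][0], " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for cve, path in find_vulnerable(SAMPLE_TREE):
        print(f"{cve}: {path}")
```

Feeding the full tree to `find_vulnerable` reports the same path the issue describes: the root module pulling `org.apache.poi:poi-ooxml:3.9` directly.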

CVEDetect commented 2 years ago

@gayathiry-a Could you please help me check this issue? May I open a pull request to fix it? Thanks again.