search

alexa / alexa-skills-kit-sdk-for-java

The Alexa Skills Kit SDK for Java helps you get a skill up and running quickly, letting you focus on skill logic instead of boilerplate code.
http://developer.amazon.com/ask
Apache License 2.0
815 stars 748 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #297

Closed CVEDetect closed 2 years ago

CVEDetect commented 3 years ago

Hi, In alexa-skills-kit-sdk-for-java/ask-sdk-apache-client,there is a dependency org.apache.httpcomponents:httpclient:4.5.5 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[93]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.5/httpclient-4.5.5.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[83]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.5/httpclient-4.5.5.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[108]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.5/httpclient-4.5.5.jar
at <com.amazon.ask.services.ApacheHttpApiClient: com.amazon.ask.model.services.ApiClientResponse invoke(com.amazon.ask.model.services.ApiClientRequest)> (com.amazon.ask.services.ApacheHttpApiClient.java:[80]) in /detect/unzip/alexa-skills-kit-sdk-for-java-2.38.1/ask-sdk-apache-client/target/classes

Dependency tree--

[INFO] com.amazon.alexa:ask-sdk-apache-client:jar:2.38.1
[INFO] +- com.amazon.alexa:ask-sdk-model-runtime:jar:1.0.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.3:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.10:compile
[INFO] |  \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.8.2:compile
[INFO] |     +- org.slf4j:slf4j-api:jar:1.7.24:compile
[INFO] |     \- org.apache.logging.log4j:log4j-api:jar:2.8.2:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.5:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.9:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.powermock:powermock-api-mockito:jar:1.7.3:test
[INFO] |  +- org.powermock:powermock-api-mockito-common:jar:1.7.3:test
[INFO] |  |  \- org.powermock:powermock-api-support:jar:1.7.3:test
[INFO] |  |     +- org.powermock:powermock-reflect:jar:1.7.3:test
[INFO] |  |     \- org.powermock:powermock-core:jar:1.7.3:test
[INFO] |  |        \- org.javassist:javassist:jar:3.21.0-GA:test
[INFO] |  \- org.mockito:mockito-core:jar:1.10.19:test
[INFO] |     \- org.objenesis:objenesis:jar:2.1:test
[INFO] \- junit:junit:jar:4.13.1:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@breedloj Could please help me check this issue? May I pull a request to fix it? Thanks again.