apache / shardingsphere-elasticjob-ui

Administrator console of ElasticJob
https://shardingsphere.apache.org/
Apache License 2.0

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #179

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi, in shardingsphere-elasticjob-cloud-ui/shardingsphere-elasticjob-cloud-ui-backend, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.40 that calls the risk method.

CVE-2019-17563

The affected version scope of this CVE is [9.0.0.M1, 9.0.30), [8.5.0, 8.5.50), [, 7.0.99)

After further analysis, in this project, the main API called is org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 8

org.apache.shardingsphere.elasticjob.cloud.ui.security.AuthenticationFilter: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain)V /.m2/repository/org/springframework/spring-core/4.3.24.RELEASE/spring-core-4.3.24.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)V /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.core.ApplicationFilterChain: internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)V /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal; /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.connector.Request: logout()V /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request)V /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String)V /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)V

Dependency tree--

[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ shardingsphere-elasticjob-cloud-ui-backend ---
[INFO] org.apache.shardingsphere:shardingsphere-elasticjob-cloud-ui-backend:jar:3.1.0-SNAPSHOT
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-cloud-common:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-api:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-infra-common:jar:3.0.2:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-simple-executor:jar:3.0.2:compile
[INFO] |  |  \- org.apache.shardingsphere.elasticjob:elasticjob-executor-kernel:jar:3.0.2:compile
[INFO] |  |     \- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-general:jar:3.0.2:compile
[INFO] |  |        \- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-spi:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-dataflow-executor:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-script-executor:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-http-executor:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-registry-center-zookeeper-curator:jar:3.0.2:compile
[INFO] |  |  +- org.apache.shardingsphere.elasticjob:elasticjob-registry-center-api:jar:3.0.2:compile
[INFO] |  |  +- org.apache.curator:curator-framework:jar:5.1.0:compile
[INFO] |  |  +- org.apache.curator:curator-client:jar:5.1.0:compile
[INFO] |  |  |  \- org.apache.zookeeper:zookeeper:jar:3.6.0:compile
[INFO] |  |  |     +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |     +- org.apache.zookeeper:zookeeper-jute:jar:3.6.0:compile
[INFO] |  |  |     +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |  |  |     +- io.netty:netty-handler:jar:4.1.45.Final:compile
[INFO] |  |  |     |  +- io.netty:netty-common:jar:4.1.45.Final:compile
[INFO] |  |  |     |  +- io.netty:netty-buffer:jar:4.1.45.Final:compile
[INFO] |  |  |     |  +- io.netty:netty-transport:jar:4.1.45.Final:compile
[INFO] |  |  |     |  |  \- io.netty:netty-resolver:jar:4.1.45.Final:compile
[INFO] |  |  |     |  \- io.netty:netty-codec:jar:4.1.45.Final:compile
[INFO] |  |  |     +- io.netty:netty-transport-native-epoll:jar:4.1.45.Final:compile
[INFO] |  |  |     |  \- io.netty:netty-transport-native-unix-common:jar:4.1.45.Final:compile
[INFO] |  |  |     \- log4j:log4j:jar:1.2.17:compile
[INFO] |  |  \- org.apache.curator:curator-recipes:jar:5.1.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-tracing-rdb:jar:3.0.2:compile
[INFO] |  |  \- org.apache.shardingsphere.elasticjob:elasticjob-tracing-api:jar:3.0.2:compile
[INFO] |  +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:2.11.1:compile
[INFO] |  |  \- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] |  +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  |  \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] |  \- org.apache.commons:commons-exec:jar:1.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.21.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.21.RELEASE:compile
[INFO] |  |     \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.40:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.40:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.40:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.40:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.3:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.11:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.24.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:4.3.24.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:4.3.24.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.24.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:1.5.21.RELEASE:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.8.14:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.40:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.40:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.24.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:1.11.22.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:1.13.22.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:4.3.24.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-tx:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-aspects:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:1.5.21.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:1.5.21.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:1.5.21.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.2.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.2.1:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.1:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.3:test
[INFO] |  +- org.assertj:assertj-core:jar:2.6.0:test
[INFO] |  +- org.mockito:mockito-core:jar:2.7.21:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.6.11:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.6.11:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.5:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |  +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.4.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-test:jar:4.3.24.RELEASE:test
[INFO] +- org.apache.openjpa:openjpa:jar:3.1.2:compile
[INFO] |  +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] |  +- net.sourceforge.serp:serp:jar:1.15.1:compile
[INFO] |  +- org.apache.geronimo.specs:geronimo-jta_1.1_spec:jar:1.1.1:compile
[INFO] |  +- org.apache.commons:commons-pool2:jar:2.4.3:compile
[INFO] |  +- org.apache.xbean:xbean-asm8-shaded:jar:4.17:compile
[INFO] |  \- org.apache.geronimo.specs:geronimo-jpa_2.2_spec:jar:1.1:compile
[INFO] +- org.apache.commons:commons-dbcp2:jar:2.2.0:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.h2database:h2:jar:1.4.196:compile
[INFO] +- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] +- com.sun.xml.bind:jaxb-core:jar:2.3.0:compile
[INFO] +- com.sun.xml.bind:jaxb-impl:jar:2.3.0:compile
[INFO] +- com.auth0:java-jwt:jar:3.18.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.20:provided
[INFO] +- junit:junit:jar:4.12:test
[INFO] \- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO]    \- ch.qos.logback:logback-core:jar:1.1.11:compile

Suggested solutions:

Update dependency version

Thank you very much.
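As an added example (not part of the issue above and not the project's own code), the following Python script parses `mvn dependency:tree` output in the format shown in the report and flags any resolved `tomcat-embed-core` whose version falls inside the affected ranges the report states for CVE-2019-17563. The sample tree lines are copied from the report's dependency tree; the version-ordering rule (a milestone such as 9.0.0.M1 sorts before the 9.0.0 release) is an assumption tailored to Tomcat's numbering and is not meant for other artifacts' schemes.

```python
"""Check a Maven dependency tree for tomcat-embed-core versions inside the
CVE-2019-17563 affected ranges quoted in the issue:
[9.0.0.M1, 9.0.30), [8.5.0, 8.5.50), [, 7.0.99)."""
import re
from typing import List, Optional, Tuple

VULN_ARTIFACT = "org.apache.tomcat.embed:tomcat-embed-core"

# (inclusive lower bound or None for "no lower bound", exclusive upper bound)
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    ("9.0.0.M1", "9.0.30"),
    ("8.5.0", "8.5.50"),
    (None, "7.0.99"),
]

# One dependency line: "[INFO] |  +- group:artifact:jar:version:scope".
# The tree-drawing prefix is any mix of '|', '+', '-', '\' and spaces.
_LINE_RE = re.compile(
    r"^\[INFO\]\s+(?:[|+\\-]\s*)*([^\s:]+):([^\s:]+):jar:([^\s:]+):([a-z]+)\s*$"
)


def version_key(version: str):
    """Sortable key for Tomcat-style versions (assumption: a qualifier such as
    'M1' marks a pre-release that sorts before the plain numeric release)."""
    nums, qualifier = [], None
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            nums.append(int(part))
        else:
            m = re.fullmatch(r"([A-Za-z]+)(\d*)", part)
            qualifier = (m.group(1).upper(), int(m.group(2) or 0)) if m else (part.upper(), 0)
    nums = (nums + [0, 0, 0])[:3]
    # releases (no qualifier) rank above any pre-release of the same number
    return (tuple(nums), (1, ("", 0)) if qualifier is None else (0, qualifier))


def is_affected(version: str) -> bool:
    """True if `version` lies in any affected range (lower inclusive, upper exclusive)."""
    key = version_key(version)
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or version_key(lower) <= key) and key < version_key(upper):
            return True
    return False


def parse_dependency_tree(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (group, artifact, version, scope) for every dependency line;
    the root module line has no scope and is skipped."""
    deps = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            deps.append(m.groups())
    return deps


def find_affected(text: str) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, scope) for each affected tomcat-embed-core."""
    hits = []
    for group, artifact, version, scope in parse_dependency_tree(text):
        ga = f"{group}:{artifact}"
        if ga == VULN_ARTIFACT and is_affected(version):
            hits.append((ga, version, scope))
    return hits


# Sample input: lines copied from the issue's `mvn dependency:tree` output.
SAMPLE_TREE = """\
[INFO] org.apache.shardingsphere:shardingsphere-elasticjob-cloud-ui-backend:jar:3.1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.40:compile
[INFO] |  |  |  \\- org.apache.tomcat:tomcat-annotations-api:jar:8.5.40:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.40:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.40:compile
[INFO] \\- ch.qos.logback:logback-classic:jar:1.1.11:compile
"""

if __name__ == "__main__":
    for ga, version, scope in find_affected(SAMPLE_TREE):
        print(f"AFFECTED: {ga}:{version} ({scope}) is inside a CVE-2019-17563 range")
    # to check a real build: mvn dependency:tree > tree.txt, then feed the file's text
```

Feed it the saved output of `mvn dependency:tree` for the module; a match means the transitive Tomcat pulled in by `spring-boot-starter-tomcat` is unpatched. With a Spring Boot parent POM the resolved version is controlled by the `tomcat.version` property, so overriding that property to a release at or above the range's upper bound (8.5.50 for the 8.5 line) is the usual way to apply the report's "update dependency version" suggestion without replacing the starter.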