search

apolloconfig / apollo

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios.
https://www.apolloconfig.com
Apache License 2.0
29.17k stars 10.2k forks source link

Dependency org.yaml:snakeyaml, leading to CVE problem #4755

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, In /apollo-adminservice,there is a dependency org.yaml:snakeyaml:1.29 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
com.ctrip.framework.apollo.adminservice.controller.InstanceConfigController: getByRelease(long,org.springframework.data.domain.Pageable)Lcom.ctrip.framework.apollo.common.dto.PageDTO; /.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; /.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; /.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /.m2/repository/org/jboss/jandex/2.4.2.Final/jandex-2.4.2.Final.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.ctrip.framework.apollo:apollo-adminservice:jar:2.2.0-SNAPSHOT
[INFO] +- com.ctrip.framework.apollo:apollo-biz:jar:2.2.0-SNAPSHOT:compile
[INFO] |  +- com.ctrip.framework.apollo:apollo-common:jar:2.2.0-SNAPSHOT:compile
[INFO] |  |  +- com.ctrip.framework.apollo:apollo-core:jar:2.1.0:compile
[INFO] |  |  |  +- com.google.code.gson:gson:jar:2.8.9:compile
[INFO] |  |  |  \- com.google.guava:guava:jar:31.0.1-jre:compile
[INFO] |  |  |     +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  |     +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  |     +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  |     +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] |  |  |     +- com.google.errorprone:error_prone_annotations:jar:2.7.1:compile
[INFO] |  |  |     \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-actuator:jar:2.6.8:compile
[INFO] |  |  |  \- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.6.8:compile
[INFO] |  |  |     +- org.springframework.boot:spring-boot-actuator:jar:2.6.8:compile
[INFO] |  |  |     \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.3:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-web:jar:2.6.8:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-json:jar:2.6.8:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.3:compile
[INFO] |  |  |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.3:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.6.8:compile
[INFO] |  |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.63:compile
[INFO] |  |  |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.63:compile
[INFO] |  |  |  +- org.springframework:spring-web:jar:5.3.20:compile
[INFO] |  |  |  \- org.springframework:spring-webmvc:jar:5.3.20:compile
[INFO] |  |  |     \- org.springframework:spring-expression:jar:5.3.20:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-validation:jar:2.6.8:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.63:compile
[INFO] |  |  |  \- org.hibernate.validator:hibernate-validator:jar:6.2.3.Final:compile
[INFO] |  |  |     +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  |  |     +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile
[INFO] |  |  |     \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-security:jar:2.6.8:compile
[INFO] |  |  |  +- org.springframework:spring-aop:jar:5.3.20:compile
[INFO] |  |  |  +- org.springframework.security:spring-security-config:jar:5.7.3:compile
[INFO] |  |  |  |  \- org.springframework.security:spring-security-core:jar:5.7.3:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-web:jar:5.7.3:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.6.8:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.6.8:compile
[INFO] |  |  |  |  \- org.aspectj:aspectjweaver:jar:1.9.7:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.6.8:compile
[INFO] |  |  |  |  +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] |  |  |  |  \- org.springframework:spring-jdbc:jar:5.3.20:compile
[INFO] |  |  |  +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
[INFO] |  |  |  +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile
[INFO] |  |  |  +- org.hibernate:hibernate-core:jar:5.6.9.Final:compile
[INFO] |  |  |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  |  |  +- org.jboss:jandex:jar:2.4.2.Final:compile
[INFO] |  |  |  |  \- org.hibernate.common:hibernate-commons-annotations:jar:5.1.2.Final:compile
[INFO] |  |  |  +- org.springframework.data:spring-data-jpa:jar:2.6.4:compile
[INFO] |  |  |  |  +- org.springframework:spring-orm:jar:5.3.20:compile
[INFO] |  |  |  |  \- org.springframework:spring-tx:jar:5.3.20:compile
[INFO] |  |  |  \- org.springframework:spring-aspects:jar:5.3.20:compile
[INFO] |  |  +- mysql:mysql-connector-java:jar:8.0.29:compile
[INFO] |  |  |  \- com.google.protobuf:protobuf-java:jar:3.19.4:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:2.6.4:compile
[INFO] |  |  |  \- org.springframework:spring-beans:jar:5.3.20:compile
[INFO] |  |  +- org.codehaus.janino:janino:jar:3.1.7:compile
[INFO] |  |  |  \- org.codehaus.janino:commons-compiler:jar:3.1.7:compile
[INFO] |  |  +- org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO] |  |  +- io.micrometer:micrometer-core:jar:1.8.6:compile
[INFO] |  |  |  +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO] |  |  |  \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
[INFO] |  |  \- io.micrometer:micrometer-registry-prometheus:jar:1.8.6:compile
[INFO] |  |     \- io.prometheus:simpleclient_common:jar:0.12.0:compile
[INFO] |  |        \- io.prometheus:simpleclient:jar:0.12.0:compile
[INFO] |  |           +- io.prometheus:simpleclient_tracer_otel:jar:0.12.0:compile
[INFO] |  |           |  \- io.prometheus:simpleclient_tracer_common:jar:0.12.0:compile
[INFO] |  |           \- io.prometheus:simpleclient_tracer_otel_agent:jar:0.12.0:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:3.1.2:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-netflix-eureka-client:jar:3.1.2:compile
[INFO] |  |  +- com.netflix.eureka:eureka-client:jar:1.10.17:compile
[INFO] |  |  |  +- com.netflix.netflix-commons:netflix-eventbus:jar:0.3.0:compile
[INFO] |  |  |  |  +- com.netflix.netflix-commons:netflix-infix:jar:0.3.0:runtime
[INFO] |  |  |  |  |  +- commons-jxpath:commons-jxpath:jar:1.3:runtime
[INFO] |  |  |  |  |  +- joda-time:joda-time:jar:2.3:runtime
[INFO] |  |  |  |  |  \- org.antlr:antlr-runtime:jar:3.4:runtime
[INFO] |  |  |  |  |     \- org.antlr:stringtemplate:jar:3.2.1:runtime
[INFO] |  |  |  |  \- org.apache.commons:commons-math:jar:2.2:runtime
[INFO] |  |  |  +- com.thoughtworks.xstream:xstream:jar:1.4.20:compile
[INFO] |  |  |  |  \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO] |  |  |  |     \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  |  |  +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] |  |  |  +- com.netflix.servo:servo-core:jar:0.12.21:compile
[INFO] |  |  |  +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] |  |  |  |  \- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |  +- com.google.inject:guice:jar:5.0.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.13.3:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.3:compile
[INFO] |  |  |  \- org.codehaus.jettison:jettison:jar:1.4.0:runtime
[INFO] |  |  \- com.netflix.eureka:eureka-core:jar:1.10.17:compile
[INFO] |  |     \- com.fasterxml.woodstox:woodstox-core:jar:6.2.1:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter-consul-discovery:jar:3.1.0:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-starter-consul:jar:3.1.0:compile
[INFO] |  |  |  +- org.springframework.cloud:spring-cloud-consul-core:jar:3.1.0:compile
[INFO] |  |  |  \- com.ecwid.consul:consul-api:jar:1.4.5:compile
[INFO] |  |  \- org.springframework.cloud:spring-cloud-consul-discovery:jar:3.1.0:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-starter-zookeeper-discovery:jar:3.1.1:compile
[INFO] |     +- org.springframework.cloud:spring-cloud-starter-zookeeper:jar:3.1.1:compile
[INFO] |     |  \- org.springframework.cloud:spring-cloud-zookeeper-core:jar:3.1.1:compile
[INFO] |     +- org.springframework.cloud:spring-cloud-zookeeper-discovery:jar:3.1.1:compile
[INFO] |     \- org.apache.curator:curator-x-discovery:jar:5.1.0:compile
[INFO] |        \- org.apache.curator:curator-recipes:jar:5.1.0:compile
[INFO] |           \- org.apache.curator:curator-framework:jar:5.1.0:compile
[INFO] |              \- org.apache.curator:curator-client:jar:5.1.0:compile
[INFO] |                 \- org.apache.zookeeper:zookeeper:jar:3.6.0:compile
[INFO] |                    +- org.apache.zookeeper:zookeeper-jute:jar:3.6.0:compile
[INFO] |                    +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |                    +- io.netty:netty-handler:jar:4.1.77.Final:compile
[INFO] |                    |  +- io.netty:netty-common:jar:4.1.77.Final:compile
[INFO] |                    |  +- io.netty:netty-resolver:jar:4.1.77.Final:compile
[INFO] |                    |  +- io.netty:netty-buffer:jar:4.1.77.Final:compile
[INFO] |                    |  +- io.netty:netty-transport:jar:4.1.77.Final:compile
[INFO] |                    |  \- io.netty:netty-codec:jar:4.1.77.Final:compile
[INFO] |                    \- io.netty:netty-transport-native-epoll:jar:4.1.77.Final:compile
[INFO] |                       +- io.netty:netty-transport-native-unix-common:jar:4.1.77.Final:compile
[INFO] |                       \- io.netty:netty-transport-classes-epoll:jar:4.1.77.Final:compile
[INFO] +- org.springframework.cloud:spring-cloud-starter-netflix-eureka-server:jar:3.1.2:test
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:3.1.2:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:2.6.8:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.8:compile
[INFO] |  |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.29:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:3.1.2:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:5.7.3:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:3.1.2:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.10.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.68:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.68:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-netflix-eureka-server:jar:3.1.2:test
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-freemarker:jar:2.6.8:test
[INFO] |  |  |  +- org.freemarker:freemarker:jar:2.3.31:test
[INFO] |  |  |  \- org.springframework:spring-context-support:jar:5.3.20:compile
[INFO] |  |  +- com.sun.jersey:jersey-servlet:jar:1.19.4:test
[INFO] |  |  +- com.sun.jersey:jersey-server:jar:1.19.4:test
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.13.3:test
[INFO] |  |     \- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-starter-loadbalancer:jar:3.1.2:compile
[INFO] |     +- org.springframework.cloud:spring-cloud-loadbalancer:jar:3.1.2:compile
[INFO] |     |  +- io.projectreactor:reactor-core:jar:3.4.18:compile
[INFO] |     |  |  \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] |     |  \- io.projectreactor.addons:reactor-extra:jar:3.4.8:compile
[INFO] |     +- org.springframework.boot:spring-boot-starter-cache:jar:2.6.8:compile
[INFO] |     \- com.stoyanr:evictor:jar:1.0.0:compile
[INFO] +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.4:test
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.15:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.15:compile
[INFO] |  \- com.sun.jersey:jersey-client:jar:1.19.4:test
[INFO] |     \- com.sun.jersey:jersey-core:jar:1.19.4:test
[INFO] +- com.h2database:h2:jar:1.4.191:test
[INFO] +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] +- com.sun.xml.bind:jaxb-impl:jar:2.3.1:compile
[INFO] +- org.glassfish.jaxb:jaxb-runtime:jar:2.3.1:compile
[INFO] |  +- org.glassfish.jaxb:txw2:jar:2.3.6:compile
[INFO] |  +- com.sun.istack:istack-commons-runtime:jar:3.0.7:compile
[INFO] |  +- org.jvnet.staxex:stax-ex:jar:1.8:compile
[INFO] |  \- com.sun.xml.fastinfoset:FastInfoset:jar:1.2.15:compile
[INFO] +- javax.activation:activation:jar:1.1.1:compile
[INFO] +- org.javassist:javassist:jar:3.23.1-GA:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.6.8:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.6.8:test
[INFO] |  |  \- org.springframework.boot:spring-boot:jar:2.6.8:compile
[INFO] |  |     \- org.springframework:spring-context:jar:5.3.20:compile
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.6.8:test
[INFO] |  |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.6.8:compile
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.6.0:test
[INFO] |  |  +- net.minidev:json-smart:jar:2.4.8:test
[INFO] |  |  |  \- net.minidev:accessors-smart:jar:2.4.8:test
[INFO] |  |  |     \- org.ow2.asm:asm:jar:9.1:test
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] |  +- org.assertj:assertj-core:jar:3.21.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.0.0:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.11.22:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.11.22:test
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.0.0:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-test:jar:5.3.20:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.8.4:test
[INFO] +- org.awaitility:awaitility:jar:4.0.3:test
[INFO] \- org.junit.vintage:junit-vintage-engine:jar:5.7.0:test
[INFO]    +- org.apiguardian:apiguardian-api:jar:1.1.0:test
[INFO]    +- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO]    |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO]    |  \- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO]    \- junit:junit:jar:4.13.2:test

Suggested solutions:

Update dependency version

Thank you very much.

nobodyiam commented 1 year ago

Thanks for reporting this issue and submitting the patch!

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale[bot] commented 1 year ago

This issue has been automatically closed because it has not had activity in the last 7 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.