search

bells / elasticsearch-analysis-dynamic-synonym

The dynamic synonym plugin adds a synonym token filter that reloads the synonym file(local file or remote file) at given intervals (default 60s).
369 stars 181 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #91

Closed CVEDetect closed 2 years ago

CVEDetect commented 3 years ago

Hi, In elasticsearch-analysis-dynamic-synonym,there is a dependency org.apache.httpcomponents:httpclient:4.4.1 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4.1/httpclient-4.4.1.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4.1/httpclient-4.4.1.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.4.1/httpclient-4.4.1.jar
at <com.bellszhu.elasticsearch.plugin.synonym.analysis.RemoteSynonymFile: java.io.Reader getReader()> (com.bellszhu.elasticsearch.plugin.synonym.analysis.RemoteSynonymFile.java:[110]) in /detect/unzip/elasticsearch-analysis-dynamic-synonym-5.1.1/target/classes

Dependency tree--

[INFO] com.bellszhu.elasticsearch:elasticsearch-analysis-dynamic-synonym:jar:5.1.1
[INFO] +- org.elasticsearch:elasticsearch:jar:5.1.1:compile
[INFO] |  +- org.apache.lucene:lucene-core:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-analyzers-common:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-backward-codecs:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-grouping:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-highlighter:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-join:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-memory:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-misc:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-queries:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-queryparser:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-sandbox:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-spatial:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-spatial-extras:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-spatial3d:jar:6.3.0:compile
[INFO] |  +- org.apache.lucene:lucene-suggest:jar:6.3.0:compile
[INFO] |  +- org.elasticsearch:securesm:jar:1.1:compile
[INFO] |  +- net.sf.jopt-simple:jopt-simple:jar:5.0.2:compile
[INFO] |  +- com.carrotsearch:hppc:jar:0.7.1:compile
[INFO] |  +- joda-time:joda-time:jar:2.9.5:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.15:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.1:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-smile:jar:2.8.1:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.8.1:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.8.1:compile
[INFO] |  +- com.tdunning:t-digest:jar:3.0:compile
[INFO] |  +- org.hdrhistogram:HdrHistogram:jar:2.1.6:compile
[INFO] |  \- net.java.dev.jna:jna:jar:4.2.2:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.4.1:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.1:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.7:provided

Suggested solutions:

Update dependency version to 4.5.13 or higher

Thank you very much.

CVEDetect commented 3 years ago

@wejick Could please help me check this issue? May I pull a request to fix it? Thanks again.

wejick commented 3 years ago

Hi, seems like I'll not have time to check this. so sorry

CVEDetect commented 3 years ago

That's all right.

88

I found this pr can fix this issue.