Hi, in SpringBoot-vue, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.15 that calls the risk method.
CVE-2019-10072
The affected version range of this CVE is [8.5.0, 8.5.40) || [9.0.0.M1, 9.0.20)
After further analysis, in this project, the main API called is <org.apache.coyote.http2.Http2UpgradeHandler: void close()>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 9
<org.apache.coyote.http2.Http2UpgradeHandler: void close()>
at <org.apache.coyote.http2.Http2UpgradeHandler: void closeConnection(org.apache.coyote.http2.Http2Exception)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[493]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.http2.Stream: void close(org.apache.coyote.http2.Http2Exception)> (org.apache.coyote.http2.Stream.java:[549, 552]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.http2.StreamProcessor: void process(org.apache.tomcat.util.net.SocketEvent)> (org.apache.coyote.http2.StreamProcessor.java:[86, 72, 78]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.http2.StreamProcessor: void processSocketEvent(org.apache.tomcat.util.net.SocketEvent,boolean)> (org.apache.coyote.http2.StreamProcessor.java:[164]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.AbstractProcessor: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.AbstractProcessor.java:[374, 380]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.Request: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.Request.java:[424, 426]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.catalina.connector.Request: java.lang.String getRemoteAddr()> (org.apache.catalina.connector.Request.java:[1289]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <com.boylegu.springboot_vue.config.WebLogAspect: void doBefore(org.aspectj.lang.JoinPoint)> (com.boylegu.springboot_vue.config.WebLogAspect.java:[48]) in /detect/unzip/SpringBoot-vue-master/target/classes
Dependency tree--
Suggested solutions:
Update dependency version to 8.5.40 or higher
Thank you very much.