boylegu / SpringBoot-vue

A example demo base SpringBooot with vueJS2.x + webpack2.x as Java full stack web practice

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #75

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in SpringBoot-vue, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.15 that calls the risk method.

CVE-2019-10072

The affected version range of this CVE is [8.5.0, 8.5.40) || [9.0.0.M1, 9.0.20)

After further analysis, in this project, the main API called is <org.apache.coyote.http2.Http2UpgradeHandler: void close()>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 9

<org.apache.coyote.http2.Http2UpgradeHandler: void close()>
at <org.apache.coyote.http2.Http2UpgradeHandler: void closeConnection(org.apache.coyote.http2.Http2Exception)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[493]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.http2.Stream: void close(org.apache.coyote.http2.Http2Exception)> (org.apache.coyote.http2.Stream.java:[549, 552]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.http2.StreamProcessor: void process(org.apache.tomcat.util.net.SocketEvent)> (org.apache.coyote.http2.StreamProcessor.java:[86, 72, 78]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.http2.StreamProcessor: void processSocketEvent(org.apache.tomcat.util.net.SocketEvent,boolean)> (org.apache.coyote.http2.StreamProcessor.java:[164]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.AbstractProcessor: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.AbstractProcessor.java:[374, 380]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.coyote.Request: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.Request.java:[424, 426]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <org.apache.catalina.connector.Request: java.lang.String getRemoteAddr()> (org.apache.catalina.connector.Request.java:[1289]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.15/tomcat-embed-core-8.5.15.jar
at <com.boylegu.springboot_vue.config.WebLogAspect: void doBefore(org.aspectj.lang.JoinPoint)> (com.boylegu.springboot_vue.config.WebLogAspect.java:[48]) in /detect/unzip/SpringBoot-vue-master/target/classes

Dependency tree--

[INFO] com.boylegu:springboot_vue:jar:0.0.1-SNAPSHOT
[INFO] +- org.xerial:sqlite-jdbc:jar:3.7.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.4.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.15:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.15:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.9.RELEASE:compile
[INFO] |  +- org.hibernate:hibernate-entitymanager:jar:5.0.12.Final:compile
[INFO] |  +- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:1.11.4.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:1.13.4.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:4.3.9.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context:jar:4.3.9.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:4.3.9.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:4.3.9.RELEASE:compile
[INFO] |  |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] |  \- org.springframework:spring-aspects:jar:4.3.9.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.4.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.15:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.15:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.15:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.9.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.9.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.9.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.4.RELEASE:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.9.RELEASE:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] +- org.springframework.boot:spring-boot-devtools:jar:1.5.4.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.3.9.RELEASE:compile
[INFO] |  \- org.aspectj:aspectjweaver:jar:1.8.10:compile
[INFO] \- org.hibernate:hibernate-core:jar:5.0.12.Final:compile
[INFO]    +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO]    +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO]    +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO]    +- antlr:antlr:jar:2.7.7:compile
[INFO]    +- org.apache.geronimo.specs:geronimo-jta_1.1_spec:jar:1.1.1:compile
[INFO]    +- org.jboss:jandex:jar:2.0.0.Final:compile
[INFO]    +- dom4j:dom4j:jar:1.6.1:compile
[INFO]    \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile

Suggested solutions:

Update the dependency version to 8.5.40 or higher

Thank you very much.
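The affected-range check and the dependency-tree lookup that the report above describes, as an added example that is not part of this issue or of the SpringBoot-vue project: it parses `mvn dependency:tree` output (the excerpt embedded below is constructed from the tree posted above) and flags a tomcat-embed-core version that falls inside [8.5.0, 8.5.40) or [9.0.0.M1, 9.0.20). The version grammar it assumes (major.minor.patch with an optional `.M<n>` milestone that sorts before the GA release of the same number) is this script's assumption, not something the report states.

```python
import re

# Affected ranges quoted in the report: [8.5.0, 8.5.40) || [9.0.0.M1, 9.0.20)
AFFECTED_RANGES = [("8.5.0", "8.5.40"), ("9.0.0.M1", "9.0.20")]

# Artifact the report names as carrying the vulnerable code
VULNERABLE_ARTIFACTS = {"tomcat-embed-core"}

# Assumed version grammar: major.minor.patch, optionally followed by .M<n>
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")


def parse_version(version):
    """Turn a Tomcat version string into a sortable tuple.

    A milestone such as 9.0.0.M1 sorts before the GA release 9.0.0 with the
    same numbers, so the tuple carries a GA flag ahead of the milestone number.
    """
    m = _VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True when version lies in one of the half-open affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Maven coordinate at the end of a tree line, 4 to 6 colon-separated parts
_COORD_RE = re.compile(r"([\w.\-]+(?::[\w.\-]+){3,5})\s*$")


def parse_tree_line(line):
    """Extract (groupId, artifactId, version) from one `mvn dependency:tree` line.

    Handles g:a:type:version (root), g:a:type:version:scope and
    g:a:type:classifier:version:scope; returns None for non-coordinate lines.
    """
    m = _COORD_RE.search(line)
    if m is None:
        return None
    parts = m.group(1).split(":")
    if len(parts) == 4:
        g, a, _type, v = parts
    elif len(parts) == 5:
        g, a, _type, v, _scope = parts
    elif len(parts) == 6:
        g, a, _type, _classifier, v, _scope = parts
    else:
        return None
    return g, a, v


def find_affected(tree_text):
    """Return [(groupId:artifactId, version)] for vulnerable artifacts in range."""
    hits = []
    for line in tree_text.splitlines():
        coord = parse_tree_line(line)
        if coord is None:
            continue
        g, a, v = coord
        if a in VULNERABLE_ARTIFACTS and _VERSION_RE.fullmatch(v) and is_affected(v):
            hits.append(("%s:%s" % (g, a), v))
    return hits


# Constructed excerpt of the dependency tree posted in the report
SAMPLE_TREE = """\
[INFO] com.boylegu:springboot_vue:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.4.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.4.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.15:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.15:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.15:compile
"""

# Constructed tree after the suggested upgrade to 8.5.40
PATCHED_TREE = SAMPLE_TREE.replace("tomcat-embed-core:jar:8.5.15", "tomcat-embed-core:jar:8.5.40")


if __name__ == "__main__":
    for label, tree in (("as reported", SAMPLE_TREE), ("after upgrade", PATCHED_TREE)):
        hits = find_affected(tree)
        print(label, "->", hits if hits else "no affected tomcat-embed-core found")
```

For the fix itself, Spring Boot's parent POM manages the embedded Tomcat version through the `tomcat.version` property, so raising that property in the project's `<properties>` is the usual way to move to 8.5.40 or later; re-running `mvn dependency:tree` and this check afterwards confirms that no other starter still pulls in the old artifact.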

CVEDetect commented 3 years ago

@danielbarcellos Could you please help me check this issue? May I open a pull request to fix it? Thanks again.