c0de8ug / javaee-tutorial

Maven + Mysql + Shiro + SpringMVC + Spring

Dependency org.apache.shiro:shiro-web, leading to CVE problem #13

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in javaee-tutorial, there is a dependency org.apache.shiro:shiro-web:1.2.4 that calls the risk method.

CVE-2020-11989

The scope of this CVE affected version is [,1.5.3)

After further analysis, in this project, the main API called is <org.apache.shiro.web.util.WebUtils: java.lang.String getPathWithinApplication(javax.servlet.http.HttpServletRequest)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 3

<org.apache.shiro.web.util.WebUtils: java.lang.String getPathWithinApplication(javax.servlet.http.HttpServletRequest)>
at <com.giit.www.filter.FormLoginFilter: boolean isLoginRequest(javax.servlet.http.HttpServletRequest)> (com.giit.www.filter.FormLoginFilter.java:[60]) in /detect/unzip/javaee-tutorial-master/target/classes
at <com.giit.www.filter.FormLoginFilter: boolean onPreHandle(javax.servlet.ServletRequest,javax.servlet.ServletResponse,java.lang.Object)> (com.giit.www.filter.FormLoginFilter.java:[26]) in /detect/unzip/javaee-tutorial-master/target/classes

Dependency tree--

[INFO] core:com.giit.www.orderbook:war:1.0-SNAPSHOT
[INFO] +- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.apache.shiro:shiro-core:jar:1.4.2:compile
[INFO] |  +- org.apache.shiro:shiro-lang:jar:1.4.2:compile
[INFO] |  +- org.apache.shiro:shiro-cache:jar:1.4.2:compile
[INFO] |  +- org.apache.shiro:shiro-crypto-hash:jar:1.4.2:compile
[INFO] |  |  \- org.apache.shiro:shiro-crypto-core:jar:1.4.2:compile
[INFO] |  +- org.apache.shiro:shiro-crypto-cipher:jar:1.4.2:compile
[INFO] |  +- org.apache.shiro:shiro-config-core:jar:1.4.2:compile
[INFO] |  +- org.apache.shiro:shiro-config-ogdl:jar:1.4.2:compile
[INFO] |  |  \- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \- org.apache.shiro:shiro-event:jar:1.4.2:compile
[INFO] +- org.apache.shiro:shiro-web:jar:1.2.4:compile
[INFO] +- org.apache.shiro:shiro-quartz:jar:1.2.4:compile
[INFO] |  \- org.opensymphony.quartz:quartz:jar:1.6.1:compile
[INFO] +- org.apache.shiro:shiro-spring:jar:1.2.4:compile
[INFO] +- org.apache.shiro:shiro-aspectj:jar:1.2.4:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.38:compile
[INFO] +- org.aspectj:aspectjrt:jar:1.8.8:compile
[INFO] +- org.aspectj:aspectjweaver:jar:1.8.8:compile
[INFO] |  \- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-context-support:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
[INFO] |     \- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
[INFO] |        \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.springframework:spring-jdbc:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-tx:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
[INFO] |  +- org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.2:compile
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- org.mybatis:mybatis-spring:jar:1.2.4:compile
[INFO] +- org.mybatis:mybatis:jar:3.3.1:compile
[INFO] +- cglib:cglib:jar:3.2.0:compile
[INFO] |  +- org.ow2.asm:asm:jar:5.0.3:compile
[INFO] |  \- org.apache.ant:ant:jar:1.9.4:compile
[INFO] |     \- org.apache.ant:ant-launcher:jar:1.9.4:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.14:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.3:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:2.3:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] +- ognl:ognl:jar:3.1.2:compile
[INFO] |  \- javassist:javassist:jar:3.11.0.GA:compile
[INFO] +- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] +- org.apache.commons:commons-pool2:jar:2.3:compile
[INFO] +- org.apache.commons:commons-dbcp2:jar:2.1:compile
[INFO] +- com.google.code.gson:gson:jar:2.6:compile
[INFO] \- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO]    \- commons-io:commons-io:jar:2.2:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@c0de8ug Could you please help me check this issue? May I open a pull request to fix it? Thanks again.