Open CVEDetect opened 1 year ago
Hi, In /mock-web,there is a dependency org.springframework:spring-beans:5.2.9.RELEASE that calls the risk method.
CVE-2022-22970
The scope of this CVE affected version is [,5.2.22.RELEASE) [5.3.0,5.3.20)
After further analysis, in this project, the main Api called is org.springframework.beans.CachedIntrospectionResults: introspectInterfaces(java.lang.Class,java.lang.Class)V
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 7
com.tester.jvm.mock.service.convert.RecordDetailConverter: convert(com.tester.jvm.mock.dal.model.Record)Lcom.tester.jvm.mock.common.domain.RecordDetailBO; /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-rest-webmvc/3.3.4.RELEASE/spring-data-rest-webmvc-3.3.4.RELEASE.jar org.springframework.beans.BeanUtils: copyProperties(java.lang.Object,java.lang.Object)V /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-rest-webmvc/3.3.4.RELEASE/spring-data-rest-webmvc-3.3.4.RELEASE.jar org.springframework.beans.BeanUtils: copyProperties(java.lang.Object,java.lang.Object,java.lang.Class,java.lang.String[])V /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-rest-webmvc/3.3.4.RELEASE/spring-data-rest-webmvc-3.3.4.RELEASE.jar org.springframework.beans.BeanUtils: getPropertyDescriptors(java.lang.Class)[Ljava.beans.PropertyDescriptor; /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-rest-webmvc/3.3.4.RELEASE/spring-data-rest-webmvc-3.3.4.RELEASE.jar org.springframework.beans.CachedIntrospectionResults: forClass(java.lang.Class)Lorg.springframework.beans.CachedIntrospectionResults; /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-rest-webmvc/3.3.4.RELEASE/spring-data-rest-webmvc-3.3.4.RELEASE.jar org.springframework.beans.CachedIntrospectionResults: init(java.lang.Class)V /download/apache-maven-3.6.3/repository_mount/org/springframework/data/spring-data-rest-webmvc/3.3.4.RELEASE/spring-data-rest-webmvc-3.3.4.RELEASE.jar org.springframework.beans.CachedIntrospectionResults: introspectInterfaces(java.lang.Class,java.lang.Class)V
Dependency tree--
[INFO] com.tester.jvm:mock-web:jar:1.0-SNAPSHOT [INFO] +- org.springframework.boot:spring-boot-dependencies:pom:2.3.4.RELEASE:import [INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.4.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.3.4.RELEASE:compile [INFO] | | +- org.springframework.boot:spring-boot:jar:2.3.4.RELEASE:compile [INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.3.4.RELEASE:compile [INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.3.4.RELEASE:compile [INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile [INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile [INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile [INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile [INFO] | | \- org.yaml:snakeyaml:jar:1.26:compile [INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.3.4.RELEASE:compile [INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.2:compile [INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.2:compile [INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.2:compile [INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.3.4.RELEASE:compile [INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.38:compile [INFO] | | +- org.glassfish:jakarta.el:jar:3.0.3:compile [INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.38:compile [INFO] | +- org.springframework:spring-web:jar:5.2.9.RELEASE:compile [INFO] | | \- org.springframework:spring-beans:jar:5.2.9.RELEASE:compile [INFO] | \- org.springframework:spring-webmvc:jar:5.2.9.RELEASE:compile [INFO] | +- org.springframework:spring-aop:jar:5.2.9.RELEASE:compile [INFO] | +- org.springframework:spring-context:jar:5.2.9.RELEASE:compile [INFO] | \- org.springframework:spring-expression:jar:5.2.9.RELEASE:compile [INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.4.RELEASE:test [INFO] | +- org.springframework.boot:spring-boot-test:jar:2.3.4.RELEASE:test [INFO] | +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.3.4.RELEASE:test [INFO] | +- com.jayway.jsonpath:json-path:jar:2.4.0:compile [INFO] | | \- net.minidev:json-smart:jar:2.3:compile [INFO] | | \- net.minidev:accessors-smart:jar:1.2:compile [INFO] | | \- org.ow2.asm:asm:jar:5.0.4:compile [INFO] | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test [INFO] | | \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test [INFO] | +- org.assertj:assertj-core:jar:3.16.1:test [INFO] | +- org.hamcrest:hamcrest:jar:2.2:test [INFO] | +- org.junit.jupiter:junit-jupiter:jar:5.6.2:test [INFO] | | +- org.junit.jupiter:junit-jupiter-api:jar:5.6.2:test [INFO] | | | +- org.apiguardian:apiguardian-api:jar:1.1.0:test [INFO] | | | +- org.opentest4j:opentest4j:jar:1.2.0:test [INFO] | | | \- org.junit.platform:junit-platform-commons:jar:1.6.2:test [INFO] | | +- org.junit.jupiter:junit-jupiter-params:jar:5.6.2:test [INFO] | | \- org.junit.jupiter:junit-jupiter-engine:jar:5.6.2:test [INFO] | | \- org.junit.platform:junit-platform-engine:jar:1.6.2:test [INFO] | +- org.mockito:mockito-core:jar:3.3.3:test [INFO] | | +- net.bytebuddy:byte-buddy:jar:1.10.5:compile [INFO] | | +- net.bytebuddy:byte-buddy-agent:jar:1.10.5:test [INFO] | | \- org.objenesis:objenesis:jar:2.6:test [INFO] | +- org.mockito:mockito-junit-jupiter:jar:3.3.3:test [INFO] | +- org.skyscreamer:jsonassert:jar:1.5.0:test [INFO] | | \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test [INFO] | +- org.springframework:spring-core:jar:5.2.9.RELEASE:compile [INFO] | | \- org.springframework:spring-jcl:jar:5.2.9.RELEASE:compile [INFO] | +- org.springframework:spring-test:jar:5.2.9.RELEASE:test [INFO] | \- org.xmlunit:xmlunit-core:jar:2.7.0:test [INFO] +- org.springframework.boot:spring-boot-starter-velocity:jar:1.4.7.RELEASE:compile [INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.3:compile [INFO] | +- commons-collections:commons-collections:jar:3.2.2:compile [INFO] | +- commons-digester:commons-digester:jar:2.1:compile [INFO] | +- org.apache.velocity:velocity:jar:1.7:compile [INFO] | | \- commons-lang:commons-lang:jar:2.4:compile [INFO] | +- org.apache.velocity:velocity-tools:jar:2.0:compile [INFO] | | +- commons-chain:commons-chain:jar:1.1:compile [INFO] | | +- commons-validator:commons-validator:jar:1.3.1:compile [INFO] | | +- dom4j:dom4j:jar:1.1:compile [INFO] | | +- oro:oro:jar:2.0.8:compile [INFO] | | +- sslext:sslext:jar:1.2-0:compile [INFO] | | +- org.apache.struts:struts-core:jar:1.3.8:compile [INFO] | | +- org.apache.struts:struts-taglib:jar:1.3.8:compile [INFO] | | \- org.apache.struts:struts-tiles:jar:1.3.8:compile [INFO] | \- org.springframework:spring-context-support:jar:4.3.9.RELEASE:compile [INFO] +- org.testng:testng:jar:6.14.3:test [INFO] | +- com.beust:jcommander:jar:1.72:test [INFO] | \- org.apache-extras.beanshell:bsh:jar:2.0b6:test [INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.3.4.RELEASE:compile [INFO] | +- org.springframework.boot:spring-boot-starter-aop:jar:2.3.4.RELEASE:compile [INFO] | | \- org.aspectj:aspectjweaver:jar:1.9.6:compile [INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.3.4.RELEASE:compile [INFO] | | +- com.zaxxer:HikariCP:jar:3.4.5:compile [INFO] | | \- org.springframework:spring-jdbc:jar:5.2.9.RELEASE:compile [INFO] | +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile [INFO] | +- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile [INFO] | +- org.hibernate:hibernate-core:jar:5.4.21.Final:compile [INFO] | | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile [INFO] | | +- org.javassist:javassist:jar:3.24.0-GA:compile [INFO] | | +- antlr:antlr:jar:2.7.7:compile [INFO] | | +- org.jboss:jandex:jar:2.1.3.Final:compile [INFO] | | +- com.fasterxml:classmate:jar:1.5.1:compile [INFO] | | +- org.dom4j:dom4j:jar:2.1.3:compile [INFO] | | +- org.hibernate.common:hibernate-commons-annotations:jar:5.1.0.Final:compile [INFO] | | \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.1:compile [INFO] | | +- org.glassfish.jaxb:txw2:jar:2.3.1:compile [INFO] | | +- com.sun.istack:istack-commons-runtime:jar:3.0.7:compile [INFO] | | +- org.jvnet.staxex:stax-ex:jar:1.8:compile [INFO] | | \- com.sun.xml.fastinfoset:FastInfoset:jar:1.2.15:compile [INFO] | +- org.springframework.data:spring-data-jpa:jar:2.3.4.RELEASE:compile [INFO] | | +- org.springframework.data:spring-data-commons:jar:2.3.4.RELEASE:compile [INFO] | | +- org.springframework:spring-orm:jar:5.2.9.RELEASE:compile [INFO] | | \- org.springframework:spring-tx:jar:5.2.9.RELEASE:compile [INFO] | \- org.springframework:spring-aspects:jar:5.2.9.RELEASE:compile [INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:2.3.4.RELEASE:compile [INFO] | \- org.springframework.data:spring-data-rest-webmvc:jar:3.3.4.RELEASE:compile [INFO] | \- org.springframework.data:spring-data-rest-core:jar:3.3.4.RELEASE:compile [INFO] | +- org.springframework.hateoas:spring-hateoas:jar:1.1.1.RELEASE:compile [INFO] | +- org.springframework.plugin:spring-plugin-core:jar:2.0.0.RELEASE:compile [INFO] | \- org.atteo:evo-inflector:jar:1.2.2:compile [INFO] +- mysql:mysql-connector-java:jar:5.1.6:compile [INFO] +- org.projectlombok:lombok:jar:1.18.12:compile [INFO] +- javax.validation:validation-api:jar:2.0.1.Final:compile [INFO] +- com.google.guava:guava:jar:22.0:compile [INFO] | +- com.google.code.findbugs:jsr305:jar:1.3.9:compile [INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile [INFO] | +- com.google.j2objc:j2objc-annotations:jar:1.1:compile [INFO] | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile [INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile [INFO] +- joda-time:joda-time:jar:2.9.4:compile [INFO] +- velocity:velocity-dep:jar:1.4:compile [INFO] +- org.springframework.boot:spring-boot-starter-websocket:jar:2.4.2:compile [INFO] | +- org.springframework:spring-messaging:jar:5.3.3:compile [INFO] | \- org.springframework:spring-websocket:jar:5.3.3:compile [INFO] +- com.alibaba.jvm.sandbox:sandbox-api:jar:1.2.0:compile [INFO] | +- com.alibaba.jvm.sandbox:sandbox-common-api:jar:1.2.0:compile [INFO] | | \- javax.annotation:javax.annotation-api:jar:1.2:compile [INFO] | \- javax.servlet:javax.servlet-api:jar:3.0.1:compile [INFO] +- com.alibaba:transmittable-thread-local:jar:2.10.2:compile [INFO] +- org.slf4j:slf4j-api:jar:1.7.24:compile [INFO] +- ch.qos.logback:logback-classic:jar:1.2.1:compile [INFO] | \- ch.qos.logback:logback-core:jar:1.2.1:compile [INFO] +- com.alibaba:fastjson:jar:1.2.67:compile [INFO] +- com.squareup.okhttp3:okhttp:jar:3.9.0:compile [INFO] | \- com.squareup.okio:okio:jar:1.13.0:compile [INFO] +- commons-io:commons-io:jar:2.5:compile [INFO] +- org.apache.commons:commons-collections4:jar:4.1:compile [INFO] +- org.apache.commons:commons-csv:jar:1.7:compile [INFO] +- org.kohsuke.metainf-services:metainf-services:jar:1.8:compile [INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.11.2:compile [INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.2:compile [INFO] \- com.fasterxml.jackson.core:jackson-core:jar:2.11.2:compile
Suggested solutions:
Update dependency version
Thank you very much.
Hi, In /mock-web,there is a dependency org.springframework:spring-beans:5.2.9.RELEASE that calls the risk method.
CVE-2022-22970
The scope of this CVE affected version is [,5.2.22.RELEASE) [5.3.0,5.3.20)
After further analysis, in this project, the main Api called is org.springframework.beans.CachedIntrospectionResults: introspectInterfaces(java.lang.Class,java.lang.Class)V
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 7
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.