search

denger / sendcloud4j

SendCloud SDK For Java (sendcloud4j)
MIT License
36 stars 24 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #23

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, In sendcloud4j,there is a dependency org.apache.httpcomponents:httpclient:4.5.1 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 7

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[134]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.1/httpclient-4.5.1.jar
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.DecompressingHttpClient.java:[139]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.1/httpclient-4.5.1.jar
at <org.apache.http.client.fluent.Request: org.apache.http.HttpResponse internalExecute(org.apache.http.client.HttpClient,org.apache.http.protocol.HttpContext)> (org.apache.http.client.fluent.Request.java:[173]) in /.m2/repository/org/apache/httpcomponents/fluent-hc/4.5.1/fluent-hc-4.5.1.jar
at <org.apache.http.client.fluent.Request: org.apache.http.client.fluent.Response execute()> (org.apache.http.client.fluent.Request.java:[177]) in /.m2/repository/org/apache/httpcomponents/fluent-hc/4.5.1/fluent-hc-4.5.1.jar
at <io.jstack.sendcloud4j.mail.MailWebApi: java.lang.String requestSend(java.lang.String,io.jstack.sendcloud4j.mail.Email)> (io.jstack.sendcloud4j.mail.MailWebApi.java:[64]) in /detect/unzip/sendcloud4j-0.0.4/target/classes
at <io.jstack.sendcloud4j.mail.MailWebApi: io.jstack.sendcloud4j.mail.Result send(io.jstack.sendcloud4j.mail.Email)> (io.jstack.sendcloud4j.mail.MailWebApi.java:[38]) in /detect/unzip/sendcloud4j-0.0.4/target/classes

Dependency tree--

[INFO] io.jstack:sendcloud4j:jar:0.0.4
[INFO] +- org.slf4j:slf4j-api:jar:1.7.2:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.2:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.0.9:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.0.9:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.5.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.1:compile
[INFO] |  |  +- org.apache.httpcomponents:httpcore:jar:4.4.3:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.httpcomponents:httpmime:jar:4.5.1:compile
[INFO] +- org.json:json:jar:20140107:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 2 years ago

@denger Could please help me check this issue? May I pull a request to fix it? Thanks again.