dromara / TLog

Lightweight distributed log label tracking framework
MIT License
554 stars, 111 forks

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #16

Status: Open. CVEDetect opened this issue 1 year ago

CVEDetect commented 1 year ago

Hi, in tlog-webroot/, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.34 that calls the risk method.

CVE-2019-17563

The affected version range of this CVE is [9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)

After further analysis, in this project, the main API called is org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Risk method repair link: GitHub

CVE Bug Invocation Path:

Path Length: 8

com.yomahub.tlog.web.filter.ReplaceStreamFilter: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain) .m2/repository/org/slf4j/jul-to-slf4j/1.7.25/jul-to-slf4j-1.7.25.jar
org.apache.catalina.core.ApplicationFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
org.apache.catalina.core.ApplicationFilterChain: internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse) .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal; .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
org.apache.catalina.connector.Request: logout() .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request) .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String) .m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.34/tomcat-embed-core-8.5.34.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)

Dependency tree:

[INFO] com.yomahub:tlog-webroot:jar:1.5.0
[INFO] +- com.yomahub:tlog-core:jar:1.5.0:compile
[INFO] |  +- com.yomahub:tlog-common:jar:1.5.0:compile
[INFO] |  |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  |  +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] |  |  +- cn.hutool:hutool-core:jar:5.8.6:compile
[INFO] |  |  \- com.alibaba:transmittable-thread-local:jar:2.12.2:compile
[INFO] |  +- org.dom4j:dom4j:jar:2.1.3:compile
[INFO] |  +- org.javassist:javassist:jar:3.22.0-GA:compile
[INFO] |  +- org.aspectj:aspectjweaver:jar:1.8.13:compile
[INFO] |  +- com.alibaba:fastjson:jar:1.2.83:compile
[INFO] |  \- com.alibaba:QLExpress:jar:3.2.0:compile
[INFO] |     +- commons-beanutils:commons-beanutils:jar:1.8.2:compile
[INFO] |     +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |     \- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.0.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-aop:jar:5.0.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-beans:jar:5.0.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-context:jar:5.0.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-core:jar:5.0.9.RELEASE:provided
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.0.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-expression:jar:5.0.9.RELEASE:provided
[INFO] |  \- org.springframework:spring-web:jar:5.0.9.RELEASE:provided
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.0.5.RELEASE:provided
[INFO]    +- org.springframework.boot:spring-boot-starter:jar:2.0.5.RELEASE:provided
[INFO]    |  +- org.springframework.boot:spring-boot:jar:2.0.5.RELEASE:provided
[INFO]    |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.0.5.RELEASE:provided
[INFO]    |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.0.5.RELEASE:provided
[INFO]    |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:provided
[INFO]    |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:provided
[INFO]    |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:provided
[INFO]    |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.0:provided
[INFO]    |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.25:provided
[INFO]    |  +- javax.annotation:javax.annotation-api:jar:1.3.2:provided
[INFO]    |  \- org.yaml:snakeyaml:jar:1.19:provided
[INFO]    +- org.springframework.boot:spring-boot-starter-json:jar:2.0.5.RELEASE:provided
[INFO]    |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:provided
[INFO]    |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:provided
[INFO]    |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.6:provided
[INFO]    |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.6:provided
[INFO]    |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.6:provided
[INFO]    |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.6:provided
[INFO]    +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.5.RELEASE:provided
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.34:provided
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.34:provided
[INFO]    |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.34:provided
[INFO]    \- org.hibernate.validator:hibernate-validator:jar:6.0.12.Final:provided
[INFO]       +- javax.validation:validation-api:jar:2.0.1.Final:provided
[INFO]       +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:provided
[INFO]       \- com.fasterxml:classmate:jar:1.3.4:provided

Suggested solutions:

Update dependency version

Thank you very much.
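The report above pairs a `mvn dependency:tree` listing with a Maven-style affected range ("[9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)"). The script below is an added example, not code from the TLog project or from the CVEDetect report: it parses that tree format and that range notation and flags every artifact whose version falls inside an advisory's range, so the same check can be rerun after a version bump. The version ordering is a deliberately simplified approximation of Maven's ComparableVersion (numeric tokens compare as integers, qualifiers such as M1 sort before a release, RELEASE/FINAL/GA count as releases), and the sample tree is a trimmed, constructed copy of the one in the report.

```python
"""Audit a `mvn dependency:tree` listing against Maven-style CVE version ranges.

Added example (not part of the TLog project or the CVEDetect report).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a trimmed copy of the dependency tree shown in the report.
SAMPLE_TREE = """\
[INFO] com.yomahub:tlog-webroot:jar:1.5.0
[INFO] +- com.yomahub:tlog-core:jar:1.5.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.0.5.RELEASE:provided
[INFO]    +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.0.5.RELEASE:provided
[INFO]    |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.34:provided
[INFO]    |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.34:provided
"""

# Affected range for CVE-2019-17563 exactly as the report states it.
CVE_2019_17563_RANGE = "[9.0.0.M1, 9.0.30),[8.5.0,8.5.50),[,7.0.99)"

# Qualifiers that Maven treats as equivalent to a plain release.
FINAL_QUALIFIERS = {"release", "final", "ga"}


def version_key(version: str) -> Tuple[Tuple[int, object], ...]:
    """Simplified approximation of Maven's ComparableVersion ordering (assumption).

    Numeric tokens compare as integers; any other qualifier (M1, RC2, SNAPSHOT)
    sorts before a number at the same position, so 9.0.0.M1 < 9.0.0.
    """
    key = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            key.append((1, int(token)))
        elif token.lower() in FINAL_QUALIFIERS:
            key.append((1, 0))
        else:
            key.append((0, token.lower()))
    return tuple(key)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; missing trailing components count as '.0'."""
    ka, kb = list(version_key(a)), list(version_key(b))
    width = max(len(ka), len(kb))
    ka += [(1, 0)] * (width - len(ka))
    kb += [(1, 0)] * (width - len(kb))
    return (ka > kb) - (ka < kb)


# One Maven range: an opening bracket, optional low bound, comma, optional high bound, closing bracket.
RANGE_RE = re.compile(r"([\[(])\s*([^,\])]*?)\s*,\s*([^\])]*?)\s*([\])])")


@dataclass(frozen=True)
class VersionRange:
    low: Optional[str]
    low_inclusive: bool
    high: Optional[str]
    high_inclusive: bool

    def contains(self, version: str) -> bool:
        if self.low:
            c = compare_versions(version, self.low)
            if c < 0 or (c == 0 and not self.low_inclusive):
                return False
        if self.high:
            c = compare_versions(version, self.high)
            if c > 0 or (c == 0 and not self.high_inclusive):
                return False
        return True


def parse_ranges(spec: str) -> List[VersionRange]:
    """Parse '[a,b),(c,d],[,e)' into VersionRange objects; '[' / ']' mean inclusive."""
    ranges = [VersionRange(low or None, open_b == "[", high or None, close_b == "]")
              for open_b, low, high, close_b in RANGE_RE.findall(spec)]
    if not ranges:
        raise ValueError(f"no Maven version ranges found in {spec!r}")
    return ranges


# A dependency:tree line: "[INFO]", tree-drawing characters, then the coordinates.
TREE_LINE_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*(\S+)\s*$")


@dataclass(frozen=True)
class Artifact:
    group: str
    name: str
    version: str
    scope: str


def parse_tree(tree_text: str) -> List[Artifact]:
    """Extract group, artifact, version and scope from each tree line."""
    artifacts = []
    for line in tree_text.splitlines():
        m = TREE_LINE_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        # group:artifact:type[:classifier]:version[:scope]; the root module has no scope.
        if len(parts) == 4:
            group, name, _, version = parts
            scope = "root"
        elif len(parts) == 5:
            group, name, _, version, scope = parts
        elif len(parts) == 6:
            group, name, _, _, version, scope = parts
        else:
            continue
        artifacts.append(Artifact(group, name, version, scope))
    return artifacts


def find_affected(tree_text: str, advisories: Dict[Tuple[str, str], str]) -> List[Tuple[Artifact, str]]:
    """Return (artifact, range_spec) for every tree entry inside an advisory's affected range."""
    hits = []
    for art in parse_tree(tree_text):
        spec = advisories.get((art.group, art.name))
        if spec and any(r.contains(art.version) for r in parse_ranges(spec)):
            hits.append((art, spec))
    return hits


if __name__ == "__main__":
    advisories = {("org.apache.tomcat.embed", "tomcat-embed-core"): CVE_2019_17563_RANGE}
    for art, spec in find_affected(SAMPLE_TREE, advisories):
        print(f"{art.group}:{art.name}:{art.version} (scope {art.scope}) is inside {spec}")
```

Two caveats when acting on a hit. First, the check is purely version membership; whether the flagged method is actually reachable is a separate claim, which is what the invocation-path section of the report is trying to establish. Second, the scope column matters: in the tree above tomcat-embed-core is `provided`, so the version TLog compiles against is not necessarily the one that runs, the deploying application's embedded Tomcat is. Raising the version in tlog-webroot (to at least 8.5.50, the exclusive upper bound of the stated 8.5.x range) fixes the build-time reference, but consumers also need to verify their own runtime Tomcat, for example by overriding the `tomcat.version` property when they inherit from spring-boot-starter-parent or by pinning the artifact in their own `<dependencyManagement>`.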