search

dromara / hutool

🍬A set of tools that keep Java sweet.
https://hutool.cn
Other
28.95k stars 7.49k forks source link

Dependency org.yaml:snakeyaml, leading to CVE problem #2999

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, In /hutool-extra,there is a dependency org.yaml:snakeyaml:1.30 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main Api called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
cn.hutool.extra.tokenizer.engine.hanlp.HanLPResult: next()Lcn.hutool.extra.tokenizer.Word; .m2/repository/com/ibeetl/beetl-default-antlr4.9-support/3.14.1.RELEASE/beetl-default-antlr4.9-support-3.14.1.RELEASE.jar
org.yaml.snakeyaml.Yaml$1: next()Ljava.lang.Object; .m2/repository/org/ow2/asm/asm/7.1/asm-7.1.jar
org.yaml.snakeyaml.constructor.BaseConstructor: getData()Ljava.lang.Object; .m2/repository/org/ow2/asm/asm/7.1/asm-7.1.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; .m2/repository/org/ow2/asm/asm/7.1/asm-7.1.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] cn.hutool:hutool-extra:jar:5.8.13
[INFO] +- cn.hutool:hutool-core:jar:5.8.13:compile
[INFO] +- cn.hutool:hutool-setting:jar:5.8.13:compile
[INFO] |  \- cn.hutool:hutool-log:jar:5.8.13:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:4.0.1:provided
[INFO] +- jakarta.servlet:jakarta.servlet-api:jar:5.0.0:provided
[INFO] +- org.apache.velocity:velocity-engine-core:jar:2.3:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- com.ibeetl:beetl:jar:3.14.1.RELEASE:compile
[INFO] |  +- org.antlr:antlr4-runtime:jar:4.9.3:compile
[INFO] |  +- com.ibeetl:beetl-core:jar:3.14.1.RELEASE:compile
[INFO] |  +- com.ibeetl:beetl-default-antlr4.9-support:jar:3.14.1.RELEASE:compile
[INFO] |  \- com.ibeetl:beetl-ext:jar:3.14.1.RELEASE:compile
[INFO] +- org.rythmengine:rythm-engine:jar:1.4.2:compile
[INFO] |  +- org.eclipse.jdt.core.compiler:ecj:jar:4.6.1:compile
[INFO] |  +- com.stevesoft.pat:pat:jar:1.5.3:compile
[INFO] |  +- commons-io:commons-io:jar:2.11.0:compile
[INFO] |  +- com.alibaba:fastjson:jar:1.2.83:compile
[INFO] |  +- org.osgl:osgl-version:jar:2.0.0-BETA-4-JAVA7:compile
[INFO] |  \- org.osgl:osgl-ut:jar:2.0.0-BETA-4-JAVA7:compile
[INFO] |     \- org.hamcrest:hamcrest-junit:jar:2.0.0.0:compile
[INFO] |        \- org.hamcrest:java-hamcrest:jar:2.0.0.0:compile
[INFO] +- org.freemarker:freemarker:jar:2.3.32:compile
[INFO] +- com.jfinal:enjoy:jar:5.0.3:compile
[INFO] +- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:compile
[INFO] |  +- ognl:ognl:jar:3.1.26:compile
[INFO] |  |  \- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] |  +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] +- org.febit.wit:wit-core:jar:2.6.0:compile
[INFO] +- com.github.subchen:jetbrick-template:jar:2.1.10:compile
[INFO] |  \- com.github.subchen:jetbrick-commons:jar:2.1.9:compile
[INFO] +- com.sun.mail:javax.mail:jar:1.6.2:compile
[INFO] |  \- javax.activation:activation:jar:1.1:compile
[INFO] +- com.jcraft:jsch:jar:0.1.55:compile
[INFO] +- com.hierynomus:sshj:jar:0.35.0:compile
[INFO] |  +- org.bouncycastle:bcprov-jdk15on:jar:1.70:runtime
[INFO] |  +- org.bouncycastle:bcpkix-jdk15on:jar:1.70:runtime
[INFO] |  |  \- org.bouncycastle:bcutil-jdk15on:jar:1.70:runtime
[INFO] |  +- com.jcraft:jzlib:jar:1.1.3:runtime
[INFO] |  +- com.hierynomus:asn-one:jar:0.6.0:runtime
[INFO] |  \- net.i2p.crypto:eddsa:jar:0.3.0:runtime
[INFO] +- ch.ethz.ganymed:ganymed-ssh2:jar:262:compile
[INFO] +- com.google.zxing:core:jar:3.5.1:compile
[INFO] +- commons-net:commons-net:jar:3.9.0:compile
[INFO] +- org.apache.ftpserver:ftpserver-core:jar:1.2.0:compile
[INFO] |  +- org.apache.ftpserver:ftplet-api:jar:1.2.0:compile
[INFO] |  \- org.apache.mina:mina-core:jar:2.1.6:compile
[INFO] +- com.vdurmont:emoji-java:jar:5.1.1:compile
[INFO] |  \- org.json:json:jar:20170516:compile
[INFO] +- org.ansj:ansj_seg:jar:5.1.6:compile
[INFO] |  \- org.nlpcn:nlp-lang:jar:1.7.7:compile
[INFO] +- com.huaban:jieba-analysis:jar:1.0.2:compile
[INFO] +- org.lionsoul:jcseg-core:jar:2.6.2:compile
[INFO] +- com.chenlb.mmseg4j:mmseg4j-core:jar:1.10.0:compile
[INFO] +- com.janeluo:ikanalyzer:jar:2012_u6:compile
[INFO] +- com.hankcs:hanlp:jar:portable-1.8.3:compile
[INFO] +- org.apache.lucene:lucene-analyzers-smartcn:jar:8.11.2:compile
[INFO] |  +- org.apache.lucene:lucene-analyzers-common:jar:8.11.2:compile
[INFO] |  \- org.apache.lucene:lucene-core:jar:8.11.2:compile
[INFO] +- org.apdplat:word:jar:1.3.1:compile
[INFO] |  +- org.apache.lucene:lucene-queryparser:jar:4.10.4:compile
[INFO] |  |  +- org.apache.lucene:lucene-queries:jar:4.10.4:compile
[INFO] |  |  \- org.apache.lucene:lucene-sandbox:jar:4.10.4:compile
[INFO] |  \- org.apache.lucene:lucene-suggest:jar:4.10.4:compile
[INFO] |     \- org.apache.lucene:lucene-misc:jar:4.10.4:compile
[INFO] +- com.mayabot.mynlp:mynlp-segment:jar:3.0.2:compile
[INFO] |  +- com.mayabot.mynlp:mynlp-core:jar:3.0.2:compile
[INFO] |  |  +- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.50:compile
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.50:compile
[INFO] |  |  |  \- org.jetbrains:annotations:jar:13.0:compile
[INFO] |  |  \- com.google.guava:guava:jar:19.0:compile
[INFO] |  +- com.mayabot.mynlp:mynlp-perceptron:jar:3.0.2:compile
[INFO] |  +- com.mayabot.mynlp.resource:mynlp-resource-coredict:jar:1.0.0:runtime
[INFO] |  +- com.mayabot.mynlp.resource:mynlp-resource-pos:jar:1.0.0:runtime
[INFO] |  \- com.mayabot.mynlp.resource:mynlp-resource-ner:jar:1.0.0:runtime
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.7.5:compile
[INFO] |  +- org.springframework.boot:spring-boot:jar:2.7.5:compile
[INFO] |  |  \- org.springframework:spring-context:jar:5.3.23:compile
[INFO] |  |     +- org.springframework:spring-aop:jar:5.3.23:compile
[INFO] |  |     \- org.springframework:spring-beans:jar:5.3.23:compile
[INFO] |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.5:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.23:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.23:compile
[INFO] |  \- org.yaml:snakeyaml:jar:1.30:compile
[INFO] +- io.github.biezhi:TinyPinyin:jar:2.0.3.RELEASE:compile
[INFO] |  \- org.ahocorasick:ahocorasick:jar:0.4.0:compile
[INFO] +- com.belerweb:pinyin4j:jar:2.5.1:compile
[INFO] +- com.github.stuxuhai:jpinyin:jar:1.1.8:compile
[INFO] +- com.rnkrsoft.bopomofo4j:bopomofo4j:jar:1.0.0:compile
[INFO] +- com.github.houbb:pinyin:jar:0.3.1:compile
[INFO] |  +- com.github.houbb:heaven:jar:0.1.154:compile
[INFO] |  |  \- org.apiguardian:apiguardian-api:jar:1.0.0:compile
[INFO] |  \- com.github.houbb:nlp-common:jar:0.0.3:compile
[INFO] +- cglib:cglib:jar:3.3.0:compile
[INFO] |  \- org.ow2.asm:asm:jar:7.1:compile
[INFO] +- jakarta.validation:jakarta.validation-api:jar:3.0.2:compile
[INFO] +- org.hibernate.validator:hibernate-validator:jar:7.0.4.Final:test
[INFO] |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:test
[INFO] |  \- com.fasterxml:classmate:jar:1.5.1:test
[INFO] +- org.glassfish:jakarta.el:jar:4.0.2:test
[INFO] |  \- jakarta.el:jakarta.el-api:jar:4.0.0:test
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.7.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.7.5:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.5:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.7.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.4.7:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.4.7:test
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:test
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:test
[INFO] |  +- org.assertj:assertj-core:jar:3.22.0:test
[INFO] |  +- org.hamcrest:hamcrest:jar:2.2:test
[INFO] |  +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
[INFO] |  |  +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
[INFO] |  |  \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
[INFO] |  |     \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
[INFO] |  |        +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  |        \- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  +- org.mockito:mockito-core:jar:4.5.1:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.12.9:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.9:compile
[INFO] |  |  \- org.objenesis:objenesis:jar:3.2:runtime
[INFO] |  +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.1:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-test:jar:5.3.23:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.9.0:test
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.11:test
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.11:test
[INFO] +- com.googlecode.aviator:aviator:jar:5.3.3:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:test
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.2:test
[INFO] +- org.apache.commons:commons-jexl3:jar:3.2.1:compile
[INFO] +- org.mvel:mvel2:jar:2.4.14.Final:compile
[INFO] +- com.jfirer:jfireEl:jar:1.0:compile
[INFO] |  \- com.jfirer:baseutil:jar:1.0:compile
[INFO] +- org.springframework:spring-expression:jar:5.3.23:compile
[INFO] +- org.mozilla:rhino:jar:1.7.14:compile
[INFO] +- com.alibaba:QLExpress:jar:3.3.1:compile
[INFO] |  \- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- org.apache.commons:commons-compress:jar:1.22:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.projectlombok:lombok:jar:1.18.24:test

Suggested solutions:

Update dependency version

Thank you very much.

looly commented 1 year ago

see pr reply