eclipse-californium / californium.tools

Californium project

Dependency org.eclipse.jetty:jetty-http, leading to CVE problem #86

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, in cf-polyfill, there is a dependency org.eclipse.jetty:jetty-http:9.2.7.v20150116 that calls the risk method.

CVE-2017-7656

The affected version scope of this CVE is [,9.3.24.v20180605) [9.4.0.M0,9.4.11.v20180605)

After further analysis, in this project the main API called is org.eclipse.jetty.http.HttpParser: parseContent(java.nio.ByteBuffer)Z

Risk method repair link: GitHub

CVE Bug Invocation Path:

Path length: 10

org.eclipse.californium.tools.PolyfillProxy$CoapRequestServlet: doPost(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)V .m2/repository/org/ow2/asm/asm-commons/5.0.1/asm-commons-5.0.1.jar
org.eclipse.jetty.server.Request: getReader()Ljava.io.BufferedReader; .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.server.Request: getInputStream()Ljavax.servlet.ServletInputStream; .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.server.HttpInput: available()I .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.server.HttpInput: getNextContent()Ljava.lang.Object; .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.server.HttpInputOverHTTP: nextContent()Ljava.lang.Object; .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.server.HttpInputOverHTTP: nextContent()Ljava.nio.ByteBuffer; .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.server.HttpConnection: parseContent()V .m2/repository/org/eclipse/jetty/jetty-server/9.2.7.v20150116/jetty-server-9.2.7.v20150116.jar
org.eclipse.jetty.http.HttpParser: parseNext(java.nio.ByteBuffer)Z .m2/repository/org/eclipse/californium/californium-legal/3.8.0-SNAPSHOT/californium-legal-3.8.0-SNAPSHOT.jar
org.eclipse.jetty.http.HttpParser: parseContent(java.nio.ByteBuffer)Z

Dependency tree:

[INFO] org.eclipse.californium:cf-polyfill:jar:3.8.0-SNAPSHOT
[INFO] +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.2.7.v20150116:compile
[INFO] |  +- org.eclipse.jetty:jetty-annotations:jar:9.2.7.v20150116:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-plus:jar:9.2.7.v20150116:compile
[INFO] |  |  |  \- org.eclipse.jetty:jetty-jndi:jar:9.2.7.v20150116:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-webapp:jar:9.2.7.v20150116:compile
[INFO] |  |  |  \- org.eclipse.jetty:jetty-xml:jar:9.2.7.v20150116:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  |  +- org.ow2.asm:asm:jar:5.0.1:compile
[INFO] |  |  \- org.ow2.asm:asm-commons:jar:5.0.1:compile
[INFO] |  |     \- org.ow2.asm:asm-tree:jar:5.0.1:compile
[INFO] |  +- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.2.7.v20150116:compile
[INFO] |  |  \- org.eclipse.jetty.websocket:websocket-client:jar:9.2.7.v20150116:compile
[INFO] |  |     +- org.eclipse.jetty:jetty-util:jar:9.2.7.v20150116:compile
[INFO] |  |     \- org.eclipse.jetty:jetty-io:jar:9.2.7.v20150116:compile
[INFO] |  +- org.eclipse.jetty.websocket:websocket-server:jar:9.2.7.v20150116:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-common:jar:9.2.7.v20150116:compile
[INFO] |  |  |  \- org.eclipse.jetty.websocket:websocket-api:jar:9.2.7.v20150116:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-servlet:jar:9.2.7.v20150116:compile
[INFO] |  |  |  \- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-servlet:jar:9.2.7.v20150116:compile
[INFO] |  |  |  \- org.eclipse.jetty:jetty-security:jar:9.2.7.v20150116:compile
[INFO] |  |  |     \- org.eclipse.jetty:jetty-server:jar:9.2.7.v20150116:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-http:jar:9.2.7.v20150116:compile
[INFO] |  \- javax.websocket:javax.websocket-api:jar:1.0:compile
[INFO] +- com.google.code.gson:gson:jar:2.10:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.eclipse.californium:californium-core:jar:3.8.0-SNAPSHOT:compile
[INFO] |  +- org.eclipse.californium:element-connector:jar:3.8.0-SNAPSHOT:compile
[INFO] |  |  \- net.i2p.crypto:eddsa:jar:0.3.0:runtime
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.11:runtime
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.11:runtime
[INFO] \- org.eclipse.californium:californium-legal:jar:3.8.0-SNAPSHOT:runtime

Suggested solutions:

Update dependency version

Thank you very much.
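As an added example (not part of the issue or of the Californium project), the following Python script checks `mvn dependency:tree` output against the affected version scope quoted above, using the Maven range syntax and Jetty-style version strings from the report. The sample tree excerpt is constructed from the lines in the issue; the `AFFECTED_RANGES` string is taken from the report, everything else is an assumption of this example.

```python
import re

# Affected ranges for CVE-2017-7656 as quoted in the issue (Maven range syntax).
AFFECTED_RANGES = "[,9.3.24.v20180605) [9.4.0.M0,9.4.11.v20180605)"
RANGE_RE = re.compile(r"([\[(])([^,\]\)]*),([^,\]\)]*)([\])])")
# One coordinate in `mvn dependency:tree` output: group:artifact:jar:version[:scope]
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::(\w+))?")

def version_key(v):
    """Comparable tuple for Jetty-style versions ('9.2.7.v20150116', '9.4.0.M0'):
    numeric segments compare as ints; M/RC/SNAPSHOT qualifiers sort below date tags."""
    key = []
    for seg in re.split(r"[.\-]", v):
        if seg.isdigit():
            key.append((1, int(seg), ""))
            continue
        m = re.match(r"([A-Za-z]+)(\d*)$", seg)
        tag, num = (m.group(1).lower(), int(m.group(2) or 0)) if m else (seg.lower(), 0)
        key.append((0 if tag in ("m", "rc", "alpha", "beta", "snapshot") else 1, num, tag))
    return tuple(key)

def parse_ranges(spec):
    """'[lo,hi) [lo2,hi2)' -> [(lo, lo_inclusive, hi, hi_inclusive)]; None = unbounded."""
    return [(lo.strip() or None, lb == "[", hi.strip() or None, hb == "]")
            for lb, lo, hi, hb in RANGE_RE.findall(spec)]

def in_ranges(version, ranges):
    k = version_key(version)
    for lo, lo_inc, hi, hi_inc in ranges:
        if lo is not None and (k < version_key(lo) or (k == version_key(lo) and not lo_inc)):
            continue
        if hi is not None and (k > version_key(hi) or (k == version_key(hi) and not hi_inc)):
            continue
        return True
    return False

def affected_jetty_artifacts(tree_text, spec=AFFECTED_RANGES):
    """(group, artifact, version, scope) for every org.eclipse.jetty* coordinate inside
    the affected ranges. A Jetty release train shares one version across modules, so
    every hit has to move to the fixed train together, not just jetty-http."""
    ranges = parse_ranges(spec)
    return [m.groups() for m in map(DEP_RE.search, tree_text.splitlines())
            if m and m.group(1).startswith("org.eclipse.jetty") and in_ranges(m.group(3), ranges)]

# Constructed excerpt of the dependency tree quoted in the issue.
SAMPLE_TREE = """\
[INFO] org.eclipse.californium:cf-polyfill:jar:3.8.0-SNAPSHOT
[INFO] +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.2.7.v20150116:compile
[INFO] |  |  |     \\- org.eclipse.jetty:jetty-server:jar:9.2.7.v20150116:compile
[INFO] |  |  \\- org.eclipse.jetty:jetty-http:jar:9.2.7.v20150116:compile
[INFO] +- com.google.code.gson:gson:jar:2.10:compile
"""
```

Run `affected_jetty_artifacts(SAMPLE_TREE)` on the real `mvn dependency:tree` output to list every Jetty coordinate still inside the affected scope after a version bump.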