espertechinc / esper

Esper Complex Event Processing, Streaming SQL and Event Series Analysis
GNU General Public License v2.0

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #251

Closed CVEDetect closed 2 years ago

CVEDetect commented 3 years ago

Hi, in esper-release_8.7.0/esperio/esperio-http, there is a dependency org.apache.httpcomponents:httpclient:4.5.10 that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13).

After further analysis, in this project the main API called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[137]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.10/httpclient-4.5.10.jar
at <org.apache.http.impl.client.DecompressingHttpClient: java.lang.Object execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler)> (org.apache.http.impl.client.DecompressingHttpClient.java:[192]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.10/httpclient-4.5.10.jar
at <com.espertech.esperio.http.EsperIOHTTPUpdateListener: void processEvent(com.espertech.esper.common.client.EventBean)> (com.espertech.esperio.http.EsperIOHTTPUpdateListener.java:[105]) in /detect/unzip/esper-release_8.7.0/esperio/esperio-http/target/classes
at <com.espertech.esperio.http.EsperIOHTTPUpdateListener: void update(com.espertech.esper.common.client.EventBean[],com.espertech.esper.common.client.EventBean[],com.espertech.esper.runtime.client.EPStatement,com.espertech.esper.runtime.client.EPRuntime)> (com.espertech.esperio.http.EsperIOHTTPUpdateListener.java:[72]) in /detect/unzip/esper-release_8.7.0/esperio/esperio-http/target/classes

Dependency tree--

[INFO] com.espertech:esperio-http:jar:8.7.0
[INFO] +- com.espertech:esper-common:jar:8.7.0:compile
[INFO] +- com.espertech:esper-runtime:jar:8.7.0:compile
[INFO] +- com.espertech:esper-compiler:jar:8.7.0:compile
[INFO] |  +- org.codehaus.janino:janino:jar:3.1.0:compile
[INFO] |  \- org.codehaus.janino:commons-compiler:jar:3.1.0:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.antlr:antlr4-runtime:jar:4.7.2:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.12:compile
[INFO] +- org.apache.httpcomponents:httpcore-nio:jar:4.4.12:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.10:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile

Suggested solutions:

Update dependency version to 4.5.13 or higher

Thank you very much.
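As an added example (not code from this issue or from the Esper project), a small Python check that parses `mvn dependency:tree` output like the tree quoted above and flags any coordinate of a named group:artifact whose version falls inside a Maven version range such as the `[,4.5.13)` given for CVE-2020-13956. The tree text is a constructed excerpt of the report's, and version comparison is numeric-prefix only, so qualifiers like `-rc1` are ignored (an assumption).

```python
import itertools
import re

# Constructed excerpt of the `mvn dependency:tree` output quoted in the issue.
DEPENDENCY_TREE = """[INFO] com.espertech:esperio-http:jar:8.7.0
[INFO] +- com.espertech:esper-common:jar:8.7.0:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.12:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.10:compile
[INFO] |  \\- commons-logging:commons-logging:jar:1.2:compile
"""

# Maven range: '[' / '(' inclusive / exclusive lower bound, ',', upper bound, ']' / ')'.
_RANGE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])$")

def version_key(version):
    """Numeric prefix of a version as a tuple, trailing zeros dropped so that
    4.5 == 4.5.0; qualifiers such as -rc1 are ignored (assumption)."""
    nums = [int(p) for p in itertools.takewhile(str.isdigit, re.split(r"[.\-]", version))]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def in_range(version, spec):
    """True if version lies inside a Maven version range such as '[,4.5.13)'."""
    m = _RANGE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_br, lo, hi, hi_br = m.groups()
    v = version_key(version)
    if lo and (v < version_key(lo) or (v == version_key(lo) and lo_br == "(")):
        return False
    if hi and (v > version_key(hi) or (v == version_key(hi) and hi_br == ")")):
        return False
    return True

def parse_coordinate(line):
    """(group, artifact, version) from one dependency:tree line, or None."""
    m = re.search(r"([\w.\-]+(?::[\w.\-]+)+)\s*$", line)
    parts = m.group(1).split(":") if m else []
    # layout is group:artifact:type[:classifier]:version[:scope]; take the first digit-led field
    version = next((p for p in parts[3:] if p[:1].isdigit()), None)
    return (parts[0], parts[1], version) if version else None

def find_affected(tree_text, group, artifact, affected_range):
    """Coordinates of group:artifact in the tree whose version is in affected_range."""
    hits = []
    for line in tree_text.splitlines():
        coord = parse_coordinate(line)
        if coord and coord[:2] == (group, artifact) and in_range(coord[2], affected_range):
            hits.append(coord)
    return hits
```

Running `find_affected(DEPENDENCY_TREE, "org.apache.httpcomponents", "httpclient", "[,4.5.13)")` returns the single 4.5.10 coordinate, which is what the report's "update to 4.5.13 or higher" resolves.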

CVEDetect commented 3 years ago

@yangguang760 Could you please help me check this issue? May I open a pull request to fix it? Thanks again.