Closed CVEDetect closed 1 year ago
Hi, in services/pseudo_controller/, there is a dependency org.apache.httpcomponents:httpclient:4.5.11 that calls the risk method.
CVE-2020-13956
The affected version range of this CVE is [,4.5.13)
After further analysis, the main API called in this project is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 5
com.futurewei.alcor.pseudo_controller.ncm_test.ncm_test: run_test_against_ncm()V
.m2/repository/org/latencyutils/LatencyUtils/2.0.3/LatencyUtils-2.0.3.jar
org.apache.http.impl.client.DecompressingHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpResponse;
.m2/repository/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
org.apache.http.impl.client.DecompressingHttpClient: getHttpHost(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost;
.m2/repository/org/apache/httpcomponents/httpclient/4.5.11/httpclient-4.5.11.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
Dependency tree--
[INFO] com.futurewei.alcor:pseudo_controller:jar:1.0-SNAPSHOT
[INFO] +- com.futurewei.alcor:common:jar:0.1.0-SNAPSHOT:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-actuator:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter:jar:2.1.6.RELEASE:compile
[INFO] | | | +- org.springframework.boot:spring-boot:jar:2.1.6.RELEASE:compile
[INFO] | | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.6.RELEASE:compile
[INFO] | | | | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | | | | | \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] | | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] | | | | | \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] | | | | \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] | | | \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] | | +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] | | | +- org.springframework.boot:spring-boot-actuator:jar:2.1.6.RELEASE:compile
[INFO] | | | \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.9:runtime
[INFO] | | \- io.micrometer:micrometer-core:jar:1.1.5:compile
[INFO] | | +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] | | \- org.latencyutils:LatencyUtils:jar:2.0.3:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-data-redis:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.springframework.data:spring-data-redis:jar:2.1.9.RELEASE:compile
[INFO] | | | +- org.springframework.data:spring-data-keyvalue:jar:2.1.9.RELEASE:compile
[INFO] | | | | \- org.springframework.data:spring-data-commons:jar:2.1.9.RELEASE:compile
[INFO] | | | +- org.springframework:spring-oxm:jar:5.1.8.RELEASE:compile
[INFO] | | | \- org.springframework:spring-context-support:jar:5.1.8.RELEASE:compile
[INFO] | | \- io.lettuce:lettuce-core:jar:5.1.7.RELEASE:compile
[INFO] | | +- io.netty:netty-common:jar:4.1.36.Final:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.36.Final:compile
[INFO] | | | +- io.netty:netty-buffer:jar:4.1.36.Final:compile
[INFO] | | | \- io.netty:netty-codec:jar:4.1.36.Final:compile
[INFO] | | +- io.netty:netty-transport:jar:4.1.36.Final:compile
[INFO] | | | \- io.netty:netty-resolver:jar:4.1.36.Final:compile
[INFO] | | \- io.projectreactor:reactor-core:jar:3.2.8.RELEASE:compile
[INFO] | | \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.thymeleaf:thymeleaf-spring5:jar:3.0.11.RELEASE:compile
[INFO] | | | \- org.thymeleaf:thymeleaf:jar:3.0.11.RELEASE:compile
[INFO] | | | +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] | | | \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] | | \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.1.8.RELEASE:compile
[INFO] | | \- org.aspectj:aspectjweaver:jar:1.9.4:compile
[INFO] | +- org.apache.kafka:kafka-clients:jar:2.3.0:compile
[INFO] | | +- com.github.luben:zstd-jni:jar:1.4.0-1:compile
[INFO] | | +- org.lz4:lz4-java:jar:1.6.0:compile
[INFO] | | +- org.xerial.snappy:snappy-java:jar:1.1.7.3:compile
[INFO] | | \- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] | +- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] | +- org.springframework.kafka:spring-kafka:jar:2.2.7.RELEASE:compile
[INFO] | | +- org.springframework:spring-context:jar:5.1.7.RELEASE:compile
[INFO] | | | \- org.springframework:spring-expression:jar:5.1.7.RELEASE:compile
[INFO] | | +- org.springframework:spring-messaging:jar:5.1.7.RELEASE:compile
[INFO] | | +- org.springframework:spring-tx:jar:5.1.7.RELEASE:compile
[INFO] | | \- org.springframework.retry:spring-retry:jar:1.2.4.RELEASE:compile
[INFO] | +- com.google.protobuf:protobuf-java:jar:3.16.3:compile
[INFO] | +- io.grpc:grpc-netty-shaded:jar:1.42.2:compile
[INFO] | | +- com.google.errorprone:error_prone_annotations:jar:2.9.0:compile
[INFO] | | +- io.perfmark:perfmark-api:jar:0.23.0:runtime
[INFO] | | \- io.grpc:grpc-core:jar:1.42.2:compile
[INFO] | | +- com.google.android:annotations:jar:4.1.1.4:runtime
[INFO] | | \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.19:runtime
[INFO] | +- io.grpc:grpc-protobuf:jar:1.42.2:compile
[INFO] | | +- io.grpc:grpc-api:jar:1.42.2:compile
[INFO] | | | \- io.grpc:grpc-context:jar:1.42.2:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | +- com.google.api.grpc:proto-google-common-protos:jar:2.0.1:compile
[INFO] | | \- io.grpc:grpc-protobuf-lite:jar:1.42.2:compile
[INFO] | +- io.grpc:grpc-stub:jar:1.42.2:compile
[INFO] | +- io.grpc:protoc-gen-grpc-java:pom:1.42.2:compile
[INFO] | +- org.apache.ignite:ignite-core:jar:2.10.0:compile
[INFO] | | +- javax.cache:cache-api:jar:1.0.0:compile
[INFO] | | +- org.jetbrains:annotations:jar:16.0.3:compile
[INFO] | | \- org.gridgain:ignite-shmem:jar:1.0.0:compile
[INFO] | +- ai.grakn:redis-mock:jar:0.1.6:compile
[INFO] | | \- com.github.kstyrc:embedded-redis:jar:0.6:compile
[INFO] | | \- commons-io:commons-io:jar:2.4:compile
[INFO] | +- org.projectlombok:lombok:jar:1.18.0:compile
[INFO] | +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] | | \- junit:junit:jar:4.10:compile
[INFO] | | \- org.hamcrest:hamcrest-core:jar:1.1:compile
[INFO] | +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] | | +- org.springframework:spring-beans:jar:5.1.8.RELEASE:compile
[INFO] | | \- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] | | \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-web:jar:2.1.1:compile
[INFO] | | \- io.opentracing.contrib:opentracing-web-servlet-filter:jar:0.3.0:compile
[INFO] | +- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [30.0-jre,))
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:3.12.0:compile
[INFO] | | \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] | \- org.apache.ignite:ignite-kubernetes:jar:2.12.0:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.12.4:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.4:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.4:compile
[INFO] +- io.jaegertracing:jaeger-tracerresolver:jar:1.3.2:compile
[INFO] | +- io.jaegertracing:jaeger-core:jar:1.3.2:compile
[INFO] | | \- com.google.code.gson:gson:jar:2.8.6:compile
[INFO] | \- io.opentracing.contrib:opentracing-tracerresolver:jar:0.1.8:compile
[INFO] +- io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:jar:3.3.1:compile
[INFO] | \- io.opentracing.contrib:opentracing-spring-jaeger-starter:jar:3.3.1:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-tracer-configuration-starter:jar:0.4.0:compile
[INFO] | \- io.jaegertracing:jaeger-client:jar:1.3.2:compile
[INFO] | \- io.jaegertracing:jaeger-thrift:jar:1.3.2:compile
[INFO] | +- org.apache.thrift:libthrift:jar:0.13.0:compile
[INFO] | \- com.squareup.okhttp3:okhttp:jar:4.2.2:compile
[INFO] | +- com.squareup.okio:okio:jar:2.2.2:compile
[INFO] | \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.3.50:compile
[INFO] | \- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.3.50:compile
[INFO] +- org.awaitility:awaitility:jar:4.1.0:compile
[INFO] | \- org.hamcrest:hamcrest:jar:2.1:compile
[INFO] +- io.opentracing.contrib:opentracing-spring-cloud-starter:jar:0.3.12:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-core:jar:0.3.12:compile
[INFO] | | \- io.opentracing.contrib:opentracing-concurrent:jar:0.3.0:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-web-starter:jar:2.1.1:compile
[INFO] | | \- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.5.RELEASE:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-messaging-starter:jar:0.1.2:compile
[INFO] | | \- io.opentracing.contrib:opentracing-spring-messaging:jar:0.1.2:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-rabbitmq-starter:jar:2.0.5:compile
[INFO] | | \- io.opentracing.contrib:opentracing-spring-rabbitmq:jar:2.0.5:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-jdbc-starter:jar:0.3.12:compile
[INFO] | | \- io.opentracing.contrib:opentracing-jdbc:jar:0.1.1:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-jms-starter:jar:0.3.12:compile
[INFO] | | +- io.opentracing.contrib:opentracing-jms-spring:jar:0.1.0:compile
[INFO] | | +- io.opentracing.contrib:opentracing-jms-1:jar:0.1.0:compile
[INFO] | | \- io.opentracing.contrib:opentracing-jms-common:jar:0.1.0:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-feign-starter:jar:0.3.12:compile
[INFO] | | +- io.github.openfeign.opentracing:feign-opentracing:jar:0.3.0:compile
[INFO] | | \- io.github.openfeign.opentracing:feign-hystrix-opentracing:jar:0.3.0:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-hystrix-starter:jar:0.3.12:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-reactor-starter:jar:0.3.12:compile
[INFO] | | \- io.opentracing.contrib:opentracing-reactor:jar:0.1.0:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-rxjava-starter:jar:0.3.12:compile
[INFO] | | \- io.opentracing.contrib:opentracing-rxjava-1:jar:0.1.0:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-redis-starter:jar:0.3.12:compile
[INFO] | | +- io.opentracing.contrib:opentracing-redis-spring-data2:jar:0.1.2:compile
[INFO] | | \- io.opentracing.contrib:opentracing-redis-common:jar:0.1.2:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-mongo-starter:jar:0.3.12:compile
[INFO] | | +- io.opentracing.contrib:opentracing-mongo-driver:jar:0.1.2:compile
[INFO] | | \- io.opentracing.contrib:opentracing-mongo-common:jar:0.1.2:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-websocket-starter:jar:0.3.12:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-zuul-starter:jar:0.3.12:compile
[INFO] | +- io.opentracing.contrib:opentracing-spring-cloud-gateway-starter:jar:0.3.12:compile
[INFO] | \- io.opentracing:opentracing-api:jar:0.32.0:compile
[INFO] +- io.opentracing.contrib:opentracing-grpc:jar:0.2.3:compile
[INFO] | \- io.opentracing:opentracing-util:jar:0.33.0:compile
[INFO] | \- io.opentracing:opentracing-noop:jar:0.33.0:compile
[INFO] +- com.futurewei.alcor:schema:jar:0.1.0-SNAPSHOT:compile
[INFO] | \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] +- com.jcraft:jsch:jar:0.1.54:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.11:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-codec:commons-codec:jar:1.11:compile
[INFO] \- com.github.seancfoley:ipaddress:jar:5.3.3:compile
Suggested solutions:
Update dependency version
Thank you very much.
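The bot's finding can be verified mechanically rather than by eye. The script below is an added example, not code from the CVEDetect bot or from the Alcor repository: it parses `mvn dependency:tree` text output, records the path by which each artifact is pulled in, and tests the resolved version against a Maven range expression such as the `[,4.5.13)` quoted in the report, so the same check can be rerun after the version bump. It assumes the tree keeps Maven's own three-column indentation (the sample embedded in the script is constructed from a few lines of the tree above with that spacing restored, since the copy pasted into the issue lost it), and its version ordering is a simplified form of Maven's ComparableVersion rules, enough for the release, `.RELEASE`/`.Final`, `-jre` and `-SNAPSHOT` forms that occur in this tree.

```python
"""Check `mvn dependency:tree` output against a Maven version range.

Added example, not Alcor or CVEDetect code. It assumes Maven's own three-column
tree indentation (the constructed sample has it; the copy in the report lost
it) and uses a simplified form of Maven's ComparableVersion ordering.
"""
import re

# Constructed sample: a few lines of the report's tree with Maven's spacing.
SAMPLE_TREE = r"""
[INFO] com.futurewei.alcor:pseudo_controller:jar:1.0-SNAPSHOT
[INFO] +- com.futurewei.alcor:common:jar:0.1.0-SNAPSHOT:compile
[INFO] |  \- com.google.guava:guava:jar:31.1-jre:compile (version selected from constraint [30.0-jre,))
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.11:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
"""

# "[INFO] ", 3-column indent blocks ("|  " / "   "), optional "+- " or "\- ",
# then groupId:artifactId:type[:classifier]:version[:scope].
LINE_RE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<conn>[+\\]- )?(?P<coords>\S+)")
RANGE_RE = re.compile(r"([\[(])\s*([^,\[\]()]*?)\s*(?:,\s*([^,\[\]()]*?)\s*)?([\])])")

# Maven qualifier order; no qualifier, or an alias such as "RELEASE", is a release.
RELEASE, UNKNOWN = 5, 7
QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2,
                  "rc": 3, "cr": 3, "snapshot": 4, "": 5, "ga": 5, "final": 5,
                  "release": 5, "sp": 6}


def _tokens(version):
    out = []
    # split on '.', '-' and at digit/letter boundaries ("rc1" -> "rc", "1")
    for tok in re.split(r"[.\-]|(?<=\d)(?=[a-z])|(?<=[a-z])(?=\d)", version.lower()):
        if tok.isdigit():
            out.append(("num", int(tok)))
        else:
            rank = QUALIFIER_RANK.get(tok, UNKNOWN)  # unknown qualifiers sort last
            out.append(("q", rank, tok if rank == UNKNOWN else ""))
    return out


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b (simplified Maven ordering)."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x[0] == "num" and y[0] == "num":
            if x[1] != y[1]:
                return -1 if x[1] < y[1] else 1
        elif x[0] == "num":  # a number outranks any qualifier
            return 1
        elif y[0] == "num":
            return -1
        elif x[1:] != y[1:]:
            return -1 if x[1:] < y[1:] else 1
    # Leftovers: trailing zeros and release aliases are neutral, "-SNAPSHOT" or
    # "-rc1" pull a version down, "-sp" and unknown qualifiers push it up.
    rest, sign = (ta[len(tb):], 1) if len(ta) > len(tb) else (tb[len(ta):], -1)
    for t in rest:
        if t[0] == "num" and t[1] > 0:
            return sign
        if t[0] == "q" and t[1] != RELEASE:
            return sign if t[1] > RELEASE else -sign
    return 0


def parse_range(spec):
    """Parse "[,4.5.13)", "[30.0-jre,)", "[1.0]" or a union "[,1.0],[1.2,)" into
    (low, low_inclusive, high, high_inclusive) tuples; None means unbounded."""
    intervals = []
    for m in RANGE_RE.finditer(spec):
        lo_br, lo, hi, hi_br = m.groups()
        if hi is None:  # "[1.0]" pins exactly one version
            hi = lo
        intervals.append((lo or None, lo_br == "[", hi or None, hi_br == "]"))
    if not intervals:
        raise ValueError(f"not a Maven version range: {spec!r}")
    return intervals


def in_range(version, spec):
    """True if version lies in any interval of the Maven range spec."""
    for lo, lo_incl, hi, hi_incl in parse_range(spec):
        c_lo = compare_versions(version, lo) if lo else 1
        c_hi = compare_versions(version, hi) if hi else -1
        if (c_lo > 0 or (c_lo == 0 and lo_incl)) and (c_hi < 0 or (c_hi == 0 and hi_incl)):
            return True
    return False


def parse_tree(text):
    """[(group:artifact, version, path)] per node; path = ancestors' g:a:v, root first."""
    stack, nodes = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        parts = m.group("coords").split(":") if m else []
        if len(parts) < 4:  # "[INFO] BUILD SUCCESS" and similar non-coordinate lines
            continue
        depth = len(m.group("indent")) // 3 + (1 if m.group("conn") else 0)
        ga, version = f"{parts[0]}:{parts[1]}", parts[4] if len(parts) == 6 else parts[3]
        stack[depth:] = [f"{ga}:{version}"]  # drop finished subtrees, push this node
        nodes.append((ga, version, stack[:depth]))
    return nodes


def find_affected(tree_text, group_artifact, affected_range):
    """Every occurrence of group_artifact whose resolved version is in affected_range."""
    return [(v, path) for ga, v, path in parse_tree(tree_text)
            if ga == group_artifact and in_range(v, affected_range)]
```

To run it against the real module, generate the tree with `mvn -f services/pseudo_controller/pom.xml dependency:tree -Dincludes=org.apache.httpcomponents:httpclient` (the `-f` path is assumed from the module directory the report names) and pass the output to `find_affected(text, "org.apache.httpcomponents:httpclient", "[,4.5.13)")`. In the tree above httpclient is a top-level entry under `pseudo_controller`, i.e. a direct dependency, so the fix is to raise that declared version to 4.5.13 or later rather than to add an exclusion; an empty result after the bump confirms no other path still resolves an affected version.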