j-easy / easy-batch

The simple, stupid batch framework for Java
https://github.com/j-easy/easy-batch/wiki
MIT License

Dependency org.apache.activemq:activemq-core, leading to CVE problem #409

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi, in easy-batch-tutorials/, there is a dependency org.apache.activemq:activemq-core:5.7.0 that calls the risk method.

CVE-2014-3576

The affected version scope of this CVE is [0,]

After further analysis, in this project, the main API called is org.apache.activemq.broker.TransportConnection: processControlCommand(org.apache.activemq.command.ControlCommand)Lorg.apache.activemq.command.Response

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 7

org.jeasy.batch.tutorials.advanced.jms.JmsBrokerLauncher: main(java.lang.String[]) .m2/repository/org/apache/geronimo/specs/geronimo-j2ee-management_1.1_spec/1.0.1/geronimo-j2ee-management_1.1_spec-1.0.1.jar
org.apache.activemq.broker.BrokerService: stop() .m2/repository/org/apache/geronimo/specs/geronimo-j2ee-management_1.1_spec/1.0.1/geronimo-j2ee-management_1.1_spec-1.0.1.jar
org.apache.activemq.util.ServiceStopper: stop(org.apache.activemq.Service) .m2/repository/org/apache/geronimo/specs/geronimo-j2ee-management_1.1_spec/1.0.1/geronimo-j2ee-management_1.1_spec-1.0.1.jar
org.apache.activemq.transport.vm.VMTransport: stop() .m2/repository/org/apache/geronimo/specs/geronimo-j2ee-management_1.1_spec/1.0.1/geronimo-j2ee-management_1.1_spec-1.0.1.jar
org.apache.activemq.ActiveMQConnection: onCommand(java.lang.Object) .m2/repository/org/apache/geronimo/specs/geronimo-j2ee-management_1.1_spec/1.0.1/geronimo-j2ee-management_1.1_spec-1.0.1.jar
org.apache.activemq.command.ControlCommand: visit(org.apache.activemq.state.CommandVisitor)Lorg.apache.activemq.command.Response; .m2/repository/org/apache/geronimo/specs/geronimo-j2ee-management_1.1_spec/1.0.1/geronimo-j2ee-management_1.1_spec-1.0.1.jar
org.apache.activemq.broker.TransportConnection: processControlCommand(org.apache.activemq.command.ControlCommand)Lorg.apache.activemq.command.Response;

Dependency tree--

[INFO] org.jeasy:easy-batch-tutorials:jar:7.0.3-SNAPSHOT
[INFO] +- org.jeasy:easy-batch-core:jar:7.0.3-SNAPSHOT:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] +- org.jeasy:easy-batch-flatfile:jar:7.0.3-SNAPSHOT:compile
[INFO] +- org.jeasy:easy-batch-xml:jar:7.0.3-SNAPSHOT:compile
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.3:compile
[INFO] |     +- org.glassfish.jaxb:txw2:jar:2.3.3:compile
[INFO] |     +- com.sun.istack:istack-commons-runtime:jar:3.0.11:compile
[INFO] |     \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] +- org.jeasy:easy-batch-jdbc:jar:7.0.3-SNAPSHOT:compile
[INFO] +- org.jeasy:easy-batch-hibernate:jar:7.0.3-SNAPSHOT:compile
[INFO] |  \- org.hibernate:hibernate-core:jar:5.4.29.Final:compile
[INFO] |     +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |     +- javax.persistence:javax.persistence-api:jar:2.2:compile
[INFO] |     +- org.javassist:javassist:jar:3.27.0-GA:compile
[INFO] |     +- net.bytebuddy:byte-buddy:jar:1.10.21:compile
[INFO] |     +- antlr:antlr:jar:2.7.7:compile
[INFO] |     +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.1.1.Final:compile
[INFO] |     +- org.jboss:jandex:jar:2.2.3.Final:compile
[INFO] |     +- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] |     +- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] |     +- org.dom4j:dom4j:jar:2.1.3:compile
[INFO] |     +- org.hibernate.common:hibernate-commons-annotations:jar:5.1.2.Final:compile
[INFO] |     \- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] +- org.jeasy:easy-batch-validation:jar:7.0.3-SNAPSHOT:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.1.7.Final:compile
[INFO] |  |  \- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  +- javax.el:javax.el-api:jar:3.0.0:compile
[INFO] |  \- org.glassfish:javax.el:jar:3.0.0:compile
[INFO] +- org.jeasy:easy-batch-spring:jar:7.0.3-SNAPSHOT:compile
[INFO] |  \- org.springframework:spring-context:jar:5.3.4:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.4:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.4:compile
[INFO] +- org.jeasy:easy-batch-jms:jar:7.0.3-SNAPSHOT:compile
[INFO] +- org.jeasy:easy-batch-json:jar:7.0.3-SNAPSHOT:compile
[INFO] |  \- org.eclipse:yasson:jar:1.0.8:compile
[INFO] |     +- jakarta.json.bind:jakarta.json.bind-api:jar:1.0.2:compile
[INFO] |     +- jakarta.json:jakarta.json-api:jar:1.1.6:compile
[INFO] |     \- org.glassfish:jakarta.json:jar:module:1.1.6:compile
[INFO] +- org.jeasy:easy-batch-xstream:jar:7.0.3-SNAPSHOT:compile
[INFO] |  \- com.thoughtworks.xstream:xstream:jar:1.4.16:compile
[INFO] |     \- io.github.x-stream:mxparser:jar:1.2.1:compile
[INFO] |        \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] +- org.jeasy:easy-batch-integration:jar:7.0.3-SNAPSHOT:compile
[INFO] +- org.hsqldb:hsqldb:jar:2.5.1:compile
[INFO] +- org.glassfish:javax.json:jar:1.1.4:compile
[INFO] +- com.google.code.gson:gson:jar:2.8.6:compile
[INFO] +- org.apache.activemq:activemq-core:jar:5.7.0:compile
[INFO] |  +- org.apache.geronimo.specs:geronimo-jms_1.1_spec:jar:1.1.1:compile
[INFO] |  +- org.apache.activemq:kahadb:jar:5.7.0:compile
[INFO] |  +- org.apache.activemq.protobuf:activemq-protobuf:jar:1.1:compile
[INFO] |  +- org.fusesource.mqtt-client:mqtt-client:jar:1.3:compile
[INFO] |  |  +- org.fusesource.hawtdispatch:hawtdispatch-transport:jar:1.11:compile
[INFO] |  |  |  \- org.fusesource.hawtdispatch:hawtdispatch:jar:1.11:compile
[INFO] |  |  \- org.fusesource.hawtbuf:hawtbuf:jar:1.9:compile
[INFO] |  +- org.apache.geronimo.specs:geronimo-j2ee-management_1.1_spec:jar:1.0.1:compile
[INFO] |  +- commons-net:commons-net:jar:3.1:compile
[INFO] |  \- org.jasypt:jasypt:jar:1.9.0:compile
[INFO] +- org.springframework:spring-jdbc:jar:5.3.4:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.4:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.4:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.3.4:compile
[INFO] |  \- org.springframework:spring-tx:jar:5.3.4:compile
[INFO] +- org.slf4j:slf4j-simple:jar:1.7.30:compile
[INFO] \- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO]    +- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO]    +- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO]    \- com.zaxxer:HikariCP-java7:jar:2.4.13:compile

Thank you very much.