leader-us / Kubernetes_eShop

A microservice-architecture e-commerce system based on Spring Boot (for learning purposes)

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #14

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, in Kubernetes_eShop/eshop-web, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.14 that calls the risk method.

CVE-2020-9484

The affected version ranges of this CVE are [10.0.0-M1, 10.0.0-M5), [9.0.0M1, 9.0.35), [8.5.0, 8.5.55), [7.0.0, 7.0.104)

After further analysis, in this project the main API called is <org.apache.catalina.session.FileStore: java.io.File file(java.lang.String)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 7

<org.apache.catalina.session.FileStore: java.io.File file(java.lang.String)>
at <org.apache.catalina.session.FileStore: org.apache.catalina.Session load(java.lang.String)> (org.apache.catalina.session.FileStore.java:[211]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.session.PersistentManagerBase: org.apache.catalina.Session swapIn(java.lang.String)> (org.apache.catalina.session.PersistentManagerBase.java:[727]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.session.PersistentManagerBase: org.apache.catalina.Session findSession(java.lang.String)> (org.apache.catalina.session.PersistentManagerBase.java:[488]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.core.ApplicationHttpRequest: javax.servlet.http.HttpSession getSession(boolean)> (org.apache.catalina.core.ApplicationHttpRequest.java:[571]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.core.ApplicationHttpRequest: javax.servlet.http.HttpSession getSession()> (org.apache.catalina.core.ApplicationHttpRequest.java:[537]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <com.mycat.monoeshop.controller.CartController: java.util.List getProductsByUsername(javax.servlet.http.HttpServletRequest)> (com.mycat.monoeshop.controller.CartController.java:[37]) in /detect/unzip/Kubernetes_eShop-master/eshop-web/target/classes

Dependency tree--

[INFO] Kubernetes_eShop:eshop_web:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-redis:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-core:jar:4.3.8.RELEASE:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  +- org.springframework.data:spring-data-redis:jar:1.8.3.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-keyvalue:jar:1.2.3.RELEASE:compile
[INFO] |  |  |  \- org.springframework.data:spring-data-commons:jar:1.13.3.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:4.3.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-oxm:jar:4.3.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:4.3.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context-support:jar:4.3.8.RELEASE:compile
[INFO] |  \- redis.clients:jedis:jar:2.9.0:compile
[INFO] |     \- org.apache.commons:commons-pool2:jar:2.4.2:compile
[INFO] +- org.springframework.session:spring-session:jar:1.3.0.RELEASE:compile
[INFO] +- io.github.openfeign:feign-core:jar:9.5.1:compile
[INFO] +- io.github.openfeign:feign-slf4j:jar:9.5.1:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- io.github.openfeign:feign-hystrix:jar:9.5.1:compile
[INFO] |  +- com.netflix.archaius:archaius-core:jar:0.6.6:compile
[INFO] |  |  +- com.google.code.findbugs:annotations:jar:2.0.0:runtime
[INFO] |  |  +- commons-configuration:commons-configuration:jar:1.8:runtime
[INFO] |  |  |  +- commons-lang:commons-lang:jar:2.6:runtime
[INFO] |  |  |  \- commons-logging:commons-logging:jar:1.1.1:runtime
[INFO] |  |  +- com.google.guava:guava:jar:11.0.2:runtime
[INFO] |  |  |  \- com.google.code.findbugs:jsr305:jar:1.3.9:runtime
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:compile
[INFO] |  \- com.netflix.hystrix:hystrix-core:jar:1.4.26:compile
[INFO] |     \- io.reactivex:rxjava:jar:1.1.1:compile
[INFO] +- io.github.openfeign:feign-jackson:jar:9.5.1:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.14:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.14:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.14:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:4.3.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:4.3.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.8.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.8.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.7:compile
[INFO] |  +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] |  \- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] \- commons-io:commons-io:jar:2.4:compile

Suggested solutions:

Update dependency version

Thank you very much.
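A version audit for the affected ranges listed above, added here as an example and not part of the report or of the project: it scans `mvn dependency:tree` output for tomcat-embed-core and maps each version found to the first fixed release, treating milestone builds (written 9.0.0.M1 or 10.0.0-M1 in Maven coordinates) as sorting before the final release of the same number. The sample tree lines are a constructed excerpt of the tree quoted in the report.

```python
import re

# Affected ranges for CVE-2020-9484 as listed in the report: lower bound
# inclusive, upper bound exclusive. The upper bound is the first fixed release.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M5"),
    ("9.0.0.M1", "9.0.35"),
    ("8.5.0", "8.5.55"),
    ("7.0.0", "7.0.104"),
]

# Constructed sample: an excerpt of the `mvn dependency:tree` output quoted in the report.
SAMPLE_TREE = """\
[INFO] Kubernetes_eShop:eshop_web:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.3.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.14:compile
"""

def version_key(version):
    """Sort key for Tomcat versions. Milestones (M1, M5, ...) sort before the
    final release of the same number: '9.0.0.M1' < '9.0.0' < '9.0.35'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]?M(\d+))?", version)
    if not m:
        raise ValueError("unrecognised Tomcat version: " + version)
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + stage

def is_affected(version):
    """Return the first fixed version if `version` is in an affected range, else None."""
    key = version_key(version)
    for low, high in AFFECTED_RANGES:
        if version_key(low) <= key < version_key(high):
            return high
    return None

def find_tomcat_core(tree_output):
    """Extract every tomcat-embed-core version present in dependency:tree output."""
    pattern = r"org\.apache\.tomcat\.embed:tomcat-embed-core:jar:([^:\s]+)"
    return re.findall(pattern, tree_output)

def audit(tree_output):
    """Map each tomcat-embed-core version in the tree to its fix version (or None)."""
    return {v: is_affected(v) for v in find_tomcat_core(tree_output)}

if __name__ == "__main__":
    for version, fix in audit(SAMPLE_TREE).items():
        status = f"vulnerable, upgrade to {fix}" if fix else "not affected"
        print(f"tomcat-embed-core {version}: {status}")
```

The check flags the jar version alone; the FileStore call in the invocation path above is only exercised when Tomcat is configured with a PersistentManager backed by a FileStore, so a flagged build is a reason to upgrade, not proof that the deployment is exploitable.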

CVEDetect commented 2 years ago

@leader-us Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

leader-us commented 2 years ago

@leader-us Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

Thanks