<org.apache.catalina.session.FileStore: java.io.File file(java.lang.String)>
at <org.apache.catalina.session.FileStore: org.apache.catalina.Session load(java.lang.String)> (org.apache.catalina.session.FileStore.java:[211]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.session.PersistentManagerBase: org.apache.catalina.Session swapIn(java.lang.String)> (org.apache.catalina.session.PersistentManagerBase.java:[727]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.session.PersistentManagerBase: org.apache.catalina.Session findSession(java.lang.String)> (org.apache.catalina.session.PersistentManagerBase.java:[488]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.core.ApplicationHttpRequest: javax.servlet.http.HttpSession getSession(boolean)> (org.apache.catalina.core.ApplicationHttpRequest.java:[571]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <org.apache.catalina.core.ApplicationHttpRequest: javax.servlet.http.HttpSession getSession()> (org.apache.catalina.core.ApplicationHttpRequest.java:[537]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.14/tomcat-embed-core-8.5.14.jar
at <com.mycat.monoeshop.controller.CartController: java.util.List getProductsByUsername(javax.servlet.http.HttpServletRequest)> (com.mycat.monoeshop.controller.CartController.java:[37]) in /detect/unzip/Kubernetes_eShop-master/eshop-web/target/classes
Hi, in Kubernetes_eShop/eshop-web, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.14 that calls the risk method.
CVE-2020-9484
The affected version ranges of this CVE are [10.0.0-M1, 10.0.0-M5), [9.0.0M1, 9.0.35), [8.5.0, 8.5.55), [7.0.0, 7.0.104).
After further analysis, the main API called in this project is <org.apache.catalina.session.FileStore: java.io.File file(java.lang.String)>
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length: 7
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.