locationtech / geowave

GeoWave provides geospatial and temporal indexing on top of Accumulo, HBase, BigTable, Cassandra, Kudu, Redis, RocksDB, and DynamoDB.
Apache License 2.0

Dependency org.apache.commons:commons-compress, leading to CVE problem #1859

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in geowave/extensions/cli/accumulo-embed, there is a dependency org.apache.commons:commons-compress:1.4.1 that calls the risk method.

CVE-2018-11771

The scope of this CVE affected version is [,1.18-RC1)

After further analysis, in this project, the main API called is <org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int readStored(byte[],int,int)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 4

<org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int readStored(byte[],int,int)>
at <org.apache.commons.compress.archivers.zip.ZipArchiveInputStream: int read(byte[],int,int)> (org.apache.commons.compress.archivers.zip.ZipArchiveInputStream.java:[321]) in /.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
at <org.apache.commons.compress.archivers.ArchiveInputStream: int read()> (org.apache.commons.compress.archivers.ArchiveInputStream.java:[81]) in /.m2/repository/org/apache/commons/commons-compress/1.4.1/commons-compress-1.4.1.jar
at <org.locationtech.geowave.datastore.accumulo.cli.AccumuloMiniCluster: void main(java.lang.String[])> (org.locationtech.geowave.datastore.accumulo.cli.AccumuloMiniCluster.java:[82]) in /detect/unzip/geowave-1.2.0/extensions/cli/accumulo-embed/target/classes

Dependency tree--

[INFO] org.fusesource.hawtjni:hawtjni-maven-plugin:maven-plugin:1.19-SNAPSHOT
[INFO] +- org.fusesource.hawtjni:hawtjni-generator:jar:1.19-SNAPSHOT:compile
[INFO] +- org.apache.maven:maven-plugin-api:jar:3.6.3:compile
[INFO] |  +- org.apache.maven:maven-model:jar:3.6.3:compile
[INFO] |  +- org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.3.4:compile
[INFO] |  |  +- javax.enterprise:cdi-api:jar:1.0:compile
[INFO] |  |  |  +- javax.annotation:jsr250-api:jar:1.0:compile
[INFO] |  |  |  \- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  +- org.eclipse.sisu:org.eclipse.sisu.inject:jar:0.3.4:compile
[INFO] |  |  \- org.codehaus.plexus:plexus-component-annotations:jar:1.5.5:compile
[INFO] |  \- org.codehaus.plexus:plexus-classworlds:jar:2.6.0:compile
[INFO] +- org.apache.maven:maven-project:jar:2.0.11:compile
[INFO] |  +- org.apache.maven:maven-settings:jar:2.0.11:compile
[INFO] |  +- org.apache.maven:maven-profile:jar:2.0.11:compile
[INFO] |  +- org.apache.maven:maven-plugin-registry:jar:2.0.11:compile
[INFO] |  \- org.codehaus.plexus:plexus-container-default:jar:1.0-alpha-9-stable-1:compile
[INFO] |     +- junit:junit:jar:3.8.1:compile
[INFO] |     \- classworlds:classworlds:jar:1.1-alpha-2:compile
[INFO] +- org.codehaus.plexus:plexus-utils:jar:3.3.0:compile
[INFO] +- org.codehaus.plexus:plexus-interpolation:jar:1.26:compile
[INFO] +- org.apache.maven:maven-artifact-manager:jar:2.0.11:compile
[INFO] |  +- org.apache.maven:maven-repository-metadata:jar:2.0.11:compile
[INFO] |  \- org.apache.maven.wagon:wagon-provider-api:jar:1.0-beta-2:compile
[INFO] +- org.apache.maven:maven-artifact:jar:2.0.11:compile
[INFO] +- org.apache.maven:maven-archiver:jar:2.4:compile
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:4.2.2:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] |  +- org.iq80.snappy:snappy:jar:0.4:compile
[INFO] |  \- org.tukaani:xz:jar:1.8:runtime
[INFO] +- org.codehaus.plexus:plexus-io:jar:3.2.0:compile
[INFO] |  \- commons-io:commons-io:jar:2.6:compile
[INFO] \- org.apache.maven.plugin-tools:maven-plugin-annotations:jar:3.6.0:provided

Suggested solutions:

Update dependency version

Thank you very much.
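
A check a maintainer could run over `mvn dependency:tree` output to flag the artifact and affected range named above, as an added example that is not GeoWave's or the reporter's tooling: it parses the `[INFO]` tree lines in the format shown in this issue and evaluates the quoted range [,1.18-RC1) with a simplified Maven version ordering. The sample tree, the `org.example:app` root and the geowave artifact name in it are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the `mvn dependency:tree` lines in the issue.
# Two copies of commons-compress appear: 1.20 (fixed) and 1.4.1 (in the affected range).
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0:compile
[INFO] +- org.codehaus.plexus:plexus-archiver:jar:4.2.2:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] |  \\- org.tukaani:xz:jar:1.8:runtime
[INFO] \\- org.locationtech.geowave:geowave-accumulo-embed:jar:1.2.0:compile
[INFO]    \\- org.apache.commons:commons-compress:jar:1.4.1:compile
"""

# (groupId, artifactId) -> (advisory, affected Maven version range as quoted in the issue)
AFFECTED = {("org.apache.commons", "commons-compress"): ("CVE-2018-11771", "[,1.18-RC1)")}


def parse_tree(text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every coordinate line of a Maven dependency tree."""
    deps = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        # Drop the "[INFO]" prefix and the tree-drawing characters (| + \ - and spaces).
        coords = line[len("[INFO]"):].lstrip("|+\\- ").strip().split(":")
        if len(coords) < 4:  # group:artifact:type[:classifier]:version[:scope]
            continue
        version = coords[4] if len(coords) >= 6 else coords[3]
        deps.append((coords[0], coords[1], version))
    return deps


def version_key(v: str) -> Tuple[Tuple[int, ...], int, str]:
    """Simplified Maven ordering (assumption: numeric dotted parts, then any qualifier
    such as RC1 or SNAPSHOT sorts below the bare release with the same numbers)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.](.+))?$", v)
    if not m:
        raise ValueError(f"unsupported version: {v}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    qualifier = m.group(2) or ""
    return (nums, 0 if qualifier else 1, qualifier.lower())


def in_range(version: str, spec: str) -> bool:
    """Evaluate a Maven range like [lo,hi) or (lo,hi]; an empty bound is unbounded."""
    lo_incl, hi_incl = spec[0] == "[", spec[-1] == "]"
    lo, hi = spec[1:-1].split(",")
    k = version_key(version)
    if lo and (k < version_key(lo) or (k == version_key(lo) and not lo_incl)):
        return False
    if hi and (k > version_key(hi) or (k == version_key(hi) and not hi_incl)):
        return False
    return True


def find_vulnerable(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, advisory) for every tree entry inside an affected range."""
    hits = []
    for group, artifact, version in parse_tree(tree_text):
        entry = AFFECTED.get((group, artifact))
        if entry and in_range(version, entry[1]):
            hits.append((f"{group}:{artifact}", version, entry[0]))
    return hits


if __name__ == "__main__":
    for coord, version, cve in find_vulnerable(SAMPLE_TREE):
        print(f"{coord}:{version} is inside the affected range for {cve}")
```

Run it against real `mvn dependency:tree` output (for example `mvn dependency:tree -pl extensions/cli/accumulo-embed`) to see which path actually resolves the old version before pinning or excluding it.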

CVEDetect commented 3 years ago

@rfecher Could you please help me check this issue? May I open a pull request to fix it? Thanks again.