Hi, in orders, there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.11 that calls the risk method.

CVE-2019-10072

The affected version ranges for this CVE are [8.5.0, 8.5.40) and [9.0.0.M1, 9.0.20).

After further analysis, in this project the main API called is <org.apache.coyote.http2.Http2UpgradeHandler: void close()>.

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 9

<org.apache.coyote.http2.Http2UpgradeHandler: void close()>
at <org.apache.coyote.http2.Http2UpgradeHandler: void handleAppInitiatedIOException(java.io.IOException)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[693]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.http2.Http2UpgradeHandler: void writeHeaders(org.apache.coyote.http2.Stream,org.apache.coyote.Response,int)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[564]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.http2.Stream: void writeAck()> (org.apache.coyote.http2.Stream.java:[352]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.http2.StreamProcessor: void ack()> (org.apache.coyote.http2.StreamProcessor.java:[114]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.AbstractProcessor: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.AbstractProcessor.java:[273]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.coyote.Request: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.Request.java:[391, 393]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <org.apache.catalina.connector.Request: java.lang.Object getAttribute(java.lang.String)> (org.apache.catalina.connector.Request.java:[900]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.11/tomcat-embed-core-8.5.11.jar
at <works.weave.socks.orders.middleware.HTTPMonitoringInterceptor: void postHandle(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,java.lang.Object,org.springframework.web.servlet.ModelAndView)> (works.weave.socks.orders.middleware.HTTPMonitoringInterceptor.java:[53]) in /detect/unzip/orders-0.4.7/target/classes

Dependency tree--

Suggested solutions:

Update the tomcat-embed-core dependency to a version outside the affected ranges.

Thank you very much.