miltonio / milton2

Milton Java WebDAV / CalDAV / CardDAV Server Library that runs on Windows, Mac, Linux, Android and iOS.
https://milton.io

Dependency org.apache.mina:mina-core, leading to CVE problem #157

Closed CVEDetect closed 3 years ago

CVEDetect commented 3 years ago

Hi, in milton2/milton-mail-server there is a dependency org.apache.mina:mina-core:2.0.7 that calls the risk method.

CVE-2019-0231

The affected version range of this CVE is [,2.0.21),[2.1.0,2.1.1)

After further analysis, in this project, the main Api called is <org.apache.mina.core.service.AbstractIoService: void dispose(boolean)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 8

<org.apache.mina.core.service.AbstractIoService: void dispose(boolean)>
at <org.apache.mina.core.service.AbstractIoService: void dispose()> (org.apache.mina.core.service.AbstractIoService.java:[273]) in /home/wc/.m2/repository/org/apache/mina/mina-core/2.0.7/mina-core-2.0.7.jar
at <org.apache.mina.core.service.SimpleIoProcessorPool: void dispose()> (org.apache.mina.core.service.SimpleIoProcessorPool.java:[305]) in /home/wc/.m2/repository/org/apache/mina/mina-core/2.0.7/mina-core-2.0.7.jar
at <org.apache.mina.core.service.SimpleIoProcessorPool: void <init>(java.lang.Class,java.util.concurrent.Executor,int)> (org.apache.mina.core.service.SimpleIoProcessorPool.java:[228]) in /home/wc/.m2/repository/org/apache/mina/mina-core/2.0.7/mina-core-2.0.7.jar
at <org.apache.mina.core.service.SimpleIoProcessorPool: void <init>(java.lang.Class)> (org.apache.mina.core.service.SimpleIoProcessorPool.java:[114]) in /home/wc/.m2/repository/org/apache/mina/mina-core/2.0.7/mina-core-2.0.7.jar
at <org.apache.mina.core.polling.AbstractPollingIoAcceptor: void <init>(org.apache.mina.core.session.IoSessionConfig,java.lang.Class)> (org.apache.mina.core.polling.AbstractPollingIoAcceptor.java:[112]) in /home/wc/.m2/repository/org/apache/mina/mina-core/2.0.7/mina-core-2.0.7.jar
at <org.apache.mina.transport.socket.nio.NioSocketAcceptor: void <init>()> (org.apache.mina.transport.socket.nio.NioSocketAcceptor.java:[60]) in /home/wc/.m2/repository/org/apache/mina/mina-core/2.0.7/mina-core-2.0.7.jar
at <io.milton.mail.pop.MinaPopServer: void start()> (io.milton.mail.pop.MinaPopServer.java:[52]) in /home/wc/detect/unzip/milton2-3.0.0.215/milton-mail-server/target/classes

Dependency tree--

[INFO] io.milton:milton-mail-server:jar:3.0.0.215
[INFO] +- io.milton:milton-mail-api:jar:3.0.0.215:compile
[INFO] |  +- com.sun.mail:javax.mail:jar:1.6.2:compile
[INFO] |  +- io.milton:milton-api:jar:3.0.0.215:compile
[INFO] |  |  +- org.jdom:jdom:jar:2.0.2:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  +- javax.activation:activation:jar:1.1.1:compile
[INFO] |  \- commons-io:commons-io:jar:2.6:compile
[INFO] +- org.apache.mina:mina-core:jar:2.0.7:compile
[INFO] +- org.subethamail:subethasmtp-smtp:jar:1.2:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1:compile
[INFO] |  |  +- logkit:logkit:jar:1.0.1:compile
[INFO] |  |  \- avalon-framework:avalon-framework:jar:4.1.3:compile
[INFO] |  \- javax.mail:mail:jar:1.4:compile
[INFO] +- io.milton:aspirin:jar:0.10.03.08:compile
[INFO] |  +- commons-pool:commons-pool:jar:1.5.5:compile
[INFO] |  \- dnsjava:dnsjava:jar:2.0.8:compile
[INFO] +- javax.servlet:servlet-api:jar:2.4:provided
[INFO] +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO]    \- log4j:log4j:jar:1.2.17:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@ophiuhus Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

ophiuhus commented 3 years ago

Updated dependencies