Dependency org.eclipse.jetty:jetty-server, leading to CVE problem

Hi, In nutzboot/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-jetty-sessionstore，there is a dependency org.eclipse.jetty:jetty-server:9.4.28.v20200408 that calls the risk method.

CVE-2019-17638

The scope of this CVE affected version is [9.4.27.v20200227,9.4.30.v20200611)

After further analysis, in this project, the main Api called is <org.eclipse.jetty.server.HttpConnection: void onCompleted()>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 9

<org.eclipse.jetty.server.HttpConnection: void onCompleted()>
at <org.eclipse.jetty.server.HttpChannel: void onCompleted()> (org.eclipse.jetty.server.HttpChannel.java:[734]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <org.eclipse.jetty.server.HttpChannel: boolean handle()> (org.eclipse.jetty.server.HttpChannel.java:[363]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <org.eclipse.jetty.server.HttpConnection: void onFillable()> (org.eclipse.jetty.server.HttpConnection.java:[273]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <org.eclipse.jetty.server.HttpConnection: void run()> (org.eclipse.jetty.server.HttpConnection.java:[525]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <org.eclipse.jetty.server.session.SessionContext: void run(java.lang.Runnable)> (org.eclipse.jetty.server.session.SessionContext.java:[94]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <org.eclipse.jetty.server.session.SessionHandler: void callSessionDestroyedListeners(org.eclipse.jetty.server.session.Session)> (org.eclipse.jetty.server.session.SessionHandler.java:[315]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <org.eclipse.jetty.server.session.Session: void invalidate()> (org.eclipse.jetty.server.session.Session.java:[948]) in /.m2/repository/org/eclipse/jetty/jetty-server/9.4.28.v20200408/jetty-server-9.4.28.v20200408.jar
at <io.nutz.demo.simple.MainLauncher: void sessionInvalidate(javax.servlet.http.HttpSession)> (io.nutz.demo.simple.MainLauncher.java:[36]) in /detect/unzip/nutzboot-2.4.0.v20200427/nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-jetty-sessionstore/target/classes

Dependency tree--

[INFO] org.nutz:nutzboot-demo-simple-jetty-sessionstore:jar:2.4.1-SNAPSHOT
[INFO] +- org.nutz:nutzboot-starter-nutz-mvc:jar:2.4.1-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-jetty:jar:2.4.1-SNAPSHOT:compile
[INFO] |  +- org.eclipse.jetty:jetty-servlets:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-continuation:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-util:jar:9.4.28.v20200408:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-io:jar:9.4.28.v20200408:compile
[INFO] |  +- org.eclipse.jetty:jetty-webapp:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-xml:jar:9.4.28.v20200408:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-servlet:jar:9.4.28.v20200408:compile
[INFO] |  |     \- org.eclipse.jetty:jetty-security:jar:9.4.28.v20200408:compile
[INFO] |  |        \- org.eclipse.jetty:jetty-server:jar:9.4.28.v20200408:compile
[INFO] |  +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-common:jar:9.4.28.v20200408:compile
[INFO] |  |  |  \- org.eclipse.jetty.websocket:websocket-api:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-client:jar:9.4.28.v20200408:compile
[INFO] |  |  |  \- org.eclipse.jetty:jetty-client:jar:9.4.28.v20200408:compile
[INFO] |  |  \- org.eclipse.jetty.websocket:websocket-servlet:jar:9.4.28.v20200408:compile
[INFO] |  +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.28.v20200408:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-annotations:jar:9.4.28.v20200408:compile
[INFO] |  |  |  +- org.eclipse.jetty:jetty-plus:jar:9.4.28.v20200408:compile
[INFO] |  |  |  \- org.ow2.asm:asm-commons:jar:8.0.1:compile
[INFO] |  |  |     +- org.ow2.asm:asm-tree:jar:8.0.1:compile
[INFO] |  |  |     \- org.ow2.asm:asm-analysis:jar:8.0.1:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.4.28.v20200408:compile
[INFO] |  |  |  \- javax.websocket:javax.websocket-client-api:jar:1.0:compile
[INFO] |  |  \- javax.websocket:javax.websocket-api:jar:1.0:compile
[INFO] |  +- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  +- org.nutz:nutz-plugins-websocket:jar:1.r.68.v20200309:compile
[INFO] |  +- org.nutz:nutzboot-servlet3:jar:2.4.1-SNAPSHOT:compile
[INFO] |  |  \- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  \- org.ow2.asm:asm:jar:8.0.1:compile
[INFO] +- org.nutz:nutzboot-starter-jdbc:jar:2.4.1-SNAPSHOT:compile
[INFO] |  \- com.alibaba:druid:jar:1.1.21:compile
[INFO] +- org.nutz:nutzboot-starter-nutz-dao:jar:2.4.1-SNAPSHOT:compile
[INFO] |  \- org.nutz:nutz-plugins-daocache:jar:1.r.68.v20200309:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.47:compile
[INFO] \- org.nutz:nutzboot-core:jar:2.4.1-SNAPSHOT:compile
[INFO]    +- org.nutz:nutz:jar:1.r.68.v20200309:compile
[INFO]    \- javax.servlet:javax.servlet-api:jar:3.1.0:compile

Suggested solutions:

Update dependency version

Thank you very much.

nutzam / nutzboot

Dependency org.eclipse.jetty:jetty-server, leading to CVE problem #236