nutzam / nutzboot

NutzBoot, NB for short, is a reliable enterprise-grade microservice framework that provides auto-configuration, an embedded web server, distributed sessions, service governance, load balancing, Hystrix, RPC and other solutions in one package.
https://nutz.io
Apache License 2.0
501 stars, 138 forks

Dependency org.apache.shiro:shiro-web, leading to CVE problem #299

Open CVEDetect opened 1 year ago

CVEDetect commented 1 year ago

Hi. In /nutzboot-demo/nutzboot-demo-simple/nutzboot-demo-simple-thymeleaf-shiro, there is a dependency org.apache.shiro:shiro-web:1.3.2 that calls the risky method.

CVE-2020-13933

The affected version range of this CVE is [,1.6.0).

After further analysis, in this project the main API called is org.apache.shiro.web.mgt.CookieRememberMeManager: getRememberedSerializedIdentity(org.apache.shiro.subject.SubjectContext)[B

Risk method repair link: GitHub

CVE Bug Invocation Path (path length: 8):
io.nutz.demo.simple.module.UserModule: login(java.lang.String,java.lang.String,javax.servlet.http.HttpSession)Z 
org.apache.shiro.SecurityUtils: getSubject()Lorg.apache.shiro.subject.Subject; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.subject.Subject$Builder: buildSubject()Lorg.apache.shiro.subject.Subject; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.DefaultSecurityManager: createSubject(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.Subject; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.DefaultSecurityManager: resolvePrincipals(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.SubjectContext; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.DefaultSecurityManager: getRememberedIdentity(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.PrincipalCollection; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.mgt.AbstractRememberMeManager: getRememberedPrincipals(org.apache.shiro.subject.SubjectContext)Lorg.apache.shiro.subject.PrincipalCollection; .m2/repository/org/eclipse/jetty/websocket/websocket-server/9.4.48.v20220622/websocket-server-9.4.48.v20220622.jar
org.apache.shiro.web.mgt.CookieRememberMeManager: getRememberedSerializedIdentity(org.apache.shiro.subject.SubjectContext)[B

Dependency tree:

[INFO] org.nutz:nutzboot-demo-simple-thymeleaf-shiro:jar:2.5.0-SNAPSHOT
[INFO] +- org.nutz:nutzboot-starter-thymeleaf:jar:2.5.0-SNAPSHOT:compile
[INFO] |  \- org.thymeleaf:thymeleaf:jar:3.0.11.RELEASE:compile
[INFO] |     +- ognl:ognl:jar:3.1.12:compile
[INFO] |     |  \- org.javassist:javassist:jar:3.24.0-GA:compile
[INFO] |     +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |     \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] +- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:2.2.2:compile
[INFO] |  +- nz.net.ultraq.thymeleaf:thymeleaf-expression-processor:jar:1.1.3:compile
[INFO] |  \- org.codehaus.groovy:groovy:jar:2.4.6:compile
[INFO] +- org.nutz:nutzboot-starter-nutz-mvc:jar:2.5.0-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-nutz-dao:jar:2.5.0-SNAPSHOT:compile
[INFO] |  \- org.nutz:nutz-plugins-daocache:jar:1.r.69-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-jdbc:jar:2.5.0-SNAPSHOT:compile
[INFO] |  \- com.alibaba:druid:jar:1.2.11:compile
[INFO] +- org.nutz:nutzboot-starter-shiro:jar:2.5.0-SNAPSHOT:compile
[INFO] |  +- org.nutz:nutz-integration-shiro:jar:1.r.69-SNAPSHOT:compile
[INFO] |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.30:compile
[INFO] |  +- org.apache.shiro:shiro-web:jar:1.3.2:compile
[INFO] |  |  \- org.apache.shiro:shiro-core:jar:1.3.2:compile
[INFO] |  |     \- commons-beanutils:commons-beanutils:jar:1.8.3:compile
[INFO] |  +- org.apache.shiro:shiro-ehcache:jar:1.3.2:compile
[INFO] |  +- net.sf.ehcache:ehcache:jar:2.10.4:compile
[INFO] |  \- org.nutz:nutz-plugins-cache:jar:1.r.69-SNAPSHOT:compile
[INFO] |     \- org.nutz:nutz-integration-jedis:jar:1.r.69-SNAPSHOT:compile
[INFO] +- org.nutz:nutzboot-starter-jetty:jar:2.5.0-SNAPSHOT:compile
[INFO] |  +- org.eclipse.jetty:jetty-servlets:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-continuation:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-util:jar:9.4.48.v20220622:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-io:jar:9.4.48.v20220622:compile
[INFO] |  +- org.eclipse.jetty:jetty-webapp:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-xml:jar:9.4.48.v20220622:compile
[INFO] |  |  \- org.eclipse.jetty:jetty-servlet:jar:9.4.48.v20220622:compile
[INFO] |  |     +- org.eclipse.jetty:jetty-security:jar:9.4.48.v20220622:compile
[INFO] |  |     |  \- org.eclipse.jetty:jetty-server:jar:9.4.48.v20220622:compile
[INFO] |  |     \- org.eclipse.jetty:jetty-util-ajax:jar:9.4.48.v20220622:compile
[INFO] |  +- org.eclipse.jetty.websocket:websocket-server:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-common:jar:9.4.48.v20220622:compile
[INFO] |  |  |  \- org.eclipse.jetty.websocket:websocket-api:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:websocket-client:jar:9.4.48.v20220622:compile
[INFO] |  |  |  \- org.eclipse.jetty:jetty-client:jar:9.4.48.v20220622:compile
[INFO] |  |  \- org.eclipse.jetty.websocket:websocket-servlet:jar:9.4.48.v20220622:compile
[INFO] |  +- org.eclipse.jetty.websocket:javax-websocket-server-impl:jar:9.4.48.v20220622:compile
[INFO] |  |  +- org.eclipse.jetty:jetty-annotations:jar:9.4.48.v20220622:compile
[INFO] |  |  |  +- org.eclipse.jetty:jetty-plus:jar:9.4.48.v20220622:compile
[INFO] |  |  |  \- org.ow2.asm:asm-commons:jar:8.0.1:compile
[INFO] |  |  |     +- org.ow2.asm:asm-tree:jar:8.0.1:compile
[INFO] |  |  |     \- org.ow2.asm:asm-analysis:jar:8.0.1:compile
[INFO] |  |  +- org.eclipse.jetty.websocket:javax-websocket-client-impl:jar:9.4.48.v20220622:compile
[INFO] |  |  |  \- javax.websocket:javax.websocket-client-api:jar:1.0:compile
[INFO] |  |  \- javax.websocket:javax.websocket-api:jar:1.0:compile
[INFO] |  +- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  +- org.nutz:nutz-plugins-websocket:jar:1.r.69-SNAPSHOT:compile
[INFO] |  +- org.nutz:nutzboot-servlet3:jar:2.5.0-SNAPSHOT:compile
[INFO] |  |  \- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  \- org.ow2.asm:asm:jar:8.0.1:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.30:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] +- com.h2database:h2:jar:1.4.196:compile
[INFO] +- com.github.theborakompanioni:thymeleaf-extras-shiro:jar:2.0.0:compile
[INFO] \- org.nutz:nutzboot-core:jar:2.5.0-SNAPSHOT:compile
[INFO]    +- org.nutz:nutz:jar:1.r.69-SNAPSHOT:compile
[INFO]    +- org.yaml:snakeyaml:jar:1.28:compile
[INFO]    \- javax.servlet:javax.servlet-api:jar:3.1.0:compile

Suggested solutions:

Update the dependency version.

Thank you very much.
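As an added example (not code from the nutzboot project or from this issue's reporter), the following Python script turns the "update the dependency version" suggestion into something checkable: it parses `mvn dependency:tree` output, tests each resolved version against a Maven version range such as the `[,1.6.0)` quoted above, and generates the `<dependencyManagement>` override that pins the affected artifacts. The sample tree is constructed from the shiro subtree posted in this issue; the advisory entry and the pin to 1.6.0 (the first release outside the stated range) are assumptions, and the version comparison is a simplified form of Maven's ComparableVersion.

```python
"""Check `mvn dependency:tree` output against Maven version ranges and emit a
<dependencyManagement> override for the artifacts that match an advisory."""
import re

# Constructed sample: the shiro subtree of the dependency tree quoted in this issue.
SAMPLE_TREE = """\
[INFO] org.nutz:nutzboot-demo-simple-thymeleaf-shiro:jar:2.5.0-SNAPSHOT
[INFO] +- org.nutz:nutzboot-starter-shiro:jar:2.5.0-SNAPSHOT:compile
[INFO] |  +- org.apache.shiro:shiro-web:jar:1.3.2:compile
[INFO] |  |  \\- org.apache.shiro:shiro-core:jar:1.3.2:compile
[INFO] |  +- org.apache.shiro:shiro-ehcache:jar:1.3.2:compile
[INFO] |  \\- net.sf.ehcache:ehcache:jar:2.10.4:compile
"""
# Advisory data as stated in the issue: (groupId, artifactId, affected range, id).
ADVISORIES = [("org.apache.shiro", "shiro-web", "[,1.6.0)", "CVE-2020-13933")]
# Version to pin each affected groupId to. Assumption: 1.6.0 is the first release
# outside the range above; a later 1.x release is the better choice in practice.
FIXED_VERSIONS = {"org.apache.shiro": "1.6.0"}

_PAD = (1, 0, "")  # a missing, GA, RELEASE or FINAL segment compares as numeric 0
_RANGE = re.compile(r"([\[(])([^,\])]*),([^,\])]*)([\])])")
_COORD = re.compile(r"[\w.\-]+(?::[\w.\-]+){3,5}")


def parse_version(v):
    """Simplified Maven ordering: numeric segments sort above qualifiers, so
    1.6.0-SNAPSHOT < 1.6.0. Maven's ComparableVersion also orders
    alpha < beta < milestone < rc; that refinement is omitted here."""
    parts = []
    for tok in re.split(r"[.\-]", v.strip()):
        if tok.isdigit():
            parts.append((1, int(tok), ""))
        elif tok.lower() in ("", "ga", "release", "final"):
            parts.append(_PAD)
        else:
            parts.append((0, 0, tok.lower()))
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter versions are padded, so 1.6 == 1.6.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa, pb = pa + (_PAD,) * (n - len(pa)), pb + (_PAD,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version, spec):
    """Maven range syntax: [a,b], (a,b), [,b) with an open bound, and comma-joined
    sets such as (,1.0],[1.2,). A bare version means exact match."""
    for single in re.split(r"(?<=[\])])\s*,\s*(?=[\[(])", spec.strip()):
        m = _RANGE.fullmatch(single.strip())
        if not m:
            if compare_versions(version, single) == 0:
                return True
            continue
        lo_inc, lo, hi, hi_inc = m[1] == "[", m[2].strip(), m[3].strip(), m[4] == "]"
        c_lo = compare_versions(version, lo) if lo else 1
        c_hi = compare_versions(version, hi) if hi else -1
        if (c_lo > 0 or (c_lo == 0 and lo_inc)) and (c_hi < 0 or (c_hi == 0 and hi_inc)):
            return True
    return False


def parse_tree(text):
    """Return (groupId, artifactId, version) per coordinate line of `mvn dependency:tree`,
    whose format is groupId:artifactId:type[:classifier]:version[:scope]."""
    deps = []
    for line in text.splitlines():
        m = _COORD.search(line) if line.startswith("[INFO]") else None
        if m:
            f = m.group(0).split(":")
            deps.append((f[0], f[1], f[4] if len(f) == 6 else f[3]))  # 6 fields => classifier
    return deps


def find_vulnerable(tree_text, advisories=ADVISORIES):
    """(groupId, artifactId, version, advisory id) for each artifact inside an affected range."""
    return [(g, a, v, cve) for g, a, v in parse_tree(tree_text)
            for ag, aa, rng, cve in advisories if (g, a) == (ag, aa) and in_range(v, rng)]


def override_snippet(tree_text, fixed_versions=FIXED_VERSIONS):
    """Pin every artifact of an affected groupId, not only the flagged one, so that
    shiro-web cannot be raised while shiro-core stays at 1.3.2."""
    pinned = []
    for g, a, _ in parse_tree(tree_text):
        if g in fixed_versions and (g, a) not in pinned:
            pinned.append((g, a))
    lines = ["<dependencyManagement>", "  <dependencies>"]
    for g, a in pinned:
        lines += ["    <dependency>", f"      <groupId>{g}</groupId>",
                  f"      <artifactId>{a}</artifactId>",
                  f"      <version>{fixed_versions[g]}</version>", "    </dependency>"]
    lines += ["  </dependencies>", "</dependencyManagement>"]
    return "\n".join(lines)


if __name__ == "__main__":
    for g, a, v, cve in find_vulnerable(SAMPLE_TREE):
        print(f"{g}:{a}:{v} is inside the affected range of {cve}")
    print(override_snippet(SAMPLE_TREE))
```

Add the generated block to the demo module's pom.xml (or to the parent POM if versions are managed there), then re-run `mvn dependency:tree -Dincludes=org.apache.shiro` and feed the output to `find_vulnerable` to confirm that no org.apache.shiro artifact still resolves inside the range. Pinning the whole group rather than only shiro-web avoids a classpath that mixes shiro-web 1.6.0 with shiro-core 1.3.2.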