Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

Hi, In openapi-demo-java，there is a dependency org.apache.httpcomponents:httpclient:4.3 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 4

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.3/httpclient-4.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.3/httpclient-4.3.jar
at <com.alibaba.dingtalk.openapi.demo.utils.HttpHelper: com.alibaba.fastjson.JSONObject httpPost(java.lang.String,java.lang.Object)> (com.alibaba.dingtalk.openapi.demo.utils.HttpHelper.java:[94]) in /home/wc/detect/unzip/openapi-demo-java-master/target/classes

Dependency tree--

[INFO] com.dingtalk.open:dingtalk-app-demo:war:1.0-SNAPSHOT
[INFO] +- com.laiwang.lippi:lippi.oapi.encryt:jar:1.0.3-SNAPSHOT:system
[INFO] +- com.dingtalk.open:client-sdk.api:jar:1.0.2:system
[INFO] +- com.dingtalk.open:client-sdk.common:jar:1.0.0-SNAPSHOT:system
[INFO] +- com.dingtalk.open:client-sdk.core:jar:1.0.0-SNAPSHOT:system
[INFO] +- com.dingtalk.open:client-sdk.spring:jar:1.0.0-SNAPSHOT:system
[INFO] +- com.dingtalk.open:taobao-sdk-java:jar:1.0.0-SNAPSHOT:system
[INFO] +- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] +- org.apache.httpcomponents:httpmime:jar:4.3:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.3:compile
[INFO] +- org.springframework:spring-core:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-web:jar:3.2.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-beans:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-orm:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-context:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-aop:jar:3.2.8.RELEASE:compile
[INFO] |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.springframework:spring-expression:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-tx:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-context-support:jar:3.2.8.RELEASE:compile
[INFO] +- org.springframework:spring-jdbc:jar:3.2.8.RELEASE:compile
[INFO] +- javax.servlet:servlet-api:jar:2.5:compile
[INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.1:compile
[INFO] +- com.ning:async-http-client:jar:1.9.32:compile
[INFO] |  \- io.netty:netty:jar:3.10.5.Final:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.37:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.0.1:compile
[INFO] +- org.mybatis:mybatis:jar:3.3.0:compile
[INFO] +- org.mybatis:mybatis-spring:jar:1.2.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.6:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- junit:junit:jar:4.11:compile
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:compile

Suggested solutions:

Update dependency version to 4.5.13 or higher

Thank you very much.

open-dingtalk / openapi-demo-java

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #17