The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.3/httpclient-4.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.3/httpclient-4.3.jar
at <com.alibaba.dingtalk.openapi.demo.utils.HttpHelper: com.alibaba.fastjson.JSONObject httpPost(java.lang.String,java.lang.Object)> (com.alibaba.dingtalk.openapi.demo.utils.HttpHelper.java:[94]) in /home/wc/detect/unzip/openapi-demo-java-master/target/classes
Hi, In openapi-demo-java,there is a dependency org.apache.httpcomponents:httpclient:4.3 that calls the risk method.
CVE-2020-13956
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 4
Dependency tree--
Suggested solutions:
Update dependency version to 4.5.13 or higher
Thank you very much.