search

osswangxining / iotplatform

An open-source IoT platform that enables rapid development, management and scaling of IoT projects. With this IoT platform, you are able to: 1) Provision and control devices, 2) Collect and visualize data from devices, 3) Analyze device data and trigger alarms, 4) Deliver device data to other systems, 5) Enable use-case specific features using customizable rules and plugins.
https://osswangxining.github.io/
Apache License 2.0
123 stars 64 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #34

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In iotplatform/iot-action-plugins/plugin-webhook,there is a dependency org.apache.httpcomponents:httpclient:4.5.3 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 7

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[93]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[83]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[108]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[56]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler: org.springframework.http.ResponseEntity put(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)> (org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler.java:[271]) in /detect/unzip/iotplatform-master/iot-action-plugins/plugin-webhook/target/classes
at <org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler: void process(org.iotp.analytics.ruleengine.api.plugins.PluginContext,org.iotp.infomgt.data.id.TenantId,org.iotp.infomgt.data.id.RuleId,org.iotp.analytics.ruleengine.plugins.msg.RuleToPluginMsg)> (org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler.java:[95]) in /detect/unzip/iotplatform-master/iot-action-plugins/plugin-webhook/target/classes

Dependency tree--

[INFO] org.iotp.action.plugins:plugin-webhook:jar:1.0.0
[INFO] +- ch.qos.logback:logback-core:jar:1.2.3:provided
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:provided
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.7:provided
[INFO] +- org.springframework:spring-web:jar:4.3.4.RELEASE:provided
[INFO] |  +- org.springframework:spring-aop:jar:4.3.4.RELEASE:provided
[INFO] |  +- org.springframework:spring-beans:jar:4.3.4.RELEASE:provided
[INFO] |  +- org.springframework:spring-context:jar:4.3.4.RELEASE:provided
[INFO] |  |  \- org.springframework:spring-expression:jar:4.3.4.RELEASE:provided
[INFO] |  \- org.springframework:spring-core:jar:4.3.4.RELEASE:provided
[INFO] +- org.iotp.analytics.ruleengine:ruleengine-api:jar:1.0.0:provided
[INFO] |  +- org.iotp.infomgt:data:jar:1.0.0:provided
[INFO] |  |  +- org.slf4j:log4j-over-slf4j:jar:1.7.7:provided
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8.1:provided
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:provided
[INFO] |  |     \- com.fasterxml.jackson.core:jackson-core:jar:2.8.8:provided
[INFO] |  \- org.iotp.analytics.ruleengine:ruleengine-message:jar:1.0.0:provided
[INFO] +- org.iotp.analytics.ruleengine:ruleengine-core:jar:1.0.0:provided
[INFO] |  +- com.google.code.gson:gson:jar:2.6.2:provided
[INFO] |  \- javax.mail:mail:jar:1.4.3:provided
[INFO] |     \- javax.activation:activation:jar:1.1:provided
[INFO] +- org.apache.velocity:velocity:jar:1.7:provided
[INFO] |  +- commons-collections:commons-collections:jar:3.2.1:provided
[INFO] |  \- commons-lang:commons-lang:jar:2.4:provided
[INFO] +- org.apache.velocity:velocity-tools:jar:2.0:provided
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.7.0:provided
[INFO] |  +- commons-digester:commons-digester:jar:1.8:provided
[INFO] |  +- commons-chain:commons-chain:jar:1.1:provided
[INFO] |  +- commons-logging:commons-logging:jar:1.1:compile
[INFO] |  +- commons-validator:commons-validator:jar:1.5.0:provided
[INFO] |  +- oro:oro:jar:2.0.8:provided
[INFO] |  +- sslext:sslext:jar:1.2-0:provided
[INFO] |  +- org.apache.struts:struts-core:jar:1.3.8:provided
[INFO] |  +- org.apache.struts:struts-taglib:jar:1.3.8:provided
[INFO] |  \- org.apache.struts:struts-tiles:jar:1.3.8:provided
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] \- org.projectlombok:lombok:jar:1.16.10:provided

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@osswangxining Could please help me check this issue? May I pull a request to fix it? Thanks again.