An open-source IoT platform that enables rapid development, management and scaling of IoT projects. With this IoT platform, you are able to: 1) Provision and control devices, 2) Collect and visualize data from devices, 3) Analyze device data and trigger alarms, 4) Deliver device data to other systems, 5) Enable use-case specific features using customizable rules and plugins.
The affected version range of this CVE is [,4.5.13).
After further analysis, in this project the main API called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>.
Invocation path from the vulnerable method up to the project's webhook plugin (7 frames):
  <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
  at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[93]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
  at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[83]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
  at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[108]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
  at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[56]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
  at <org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler: org.springframework.http.ResponseEntity put(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String)> (org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler.java:[271]) in /detect/unzip/iotplatform-master/iot-action-plugins/plugin-webhook/target/classes
  at <org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler: void process(org.iotp.analytics.ruleengine.api.plugins.PluginContext,org.iotp.infomgt.data.id.TenantId,org.iotp.infomgt.data.id.RuleId,org.iotp.analytics.ruleengine.plugins.msg.RuleToPluginMsg)> (org.iotp.analytics.ruleengine.action.plugins.webhook.plugin.WebhookMsgHandler.java:[95]) in /detect/unzip/iotplatform-master/iot-action-plugins/plugin-webhook/target/classes
Hi, in iotplatform/iot-action-plugins/plugin-webhook, there is a dependency org.apache.httpcomponents:httpclient:4.5.3 that calls the risk method.
CVE-2020-13956
Risk method repair link: GitHub
CVE Bug Invocation Path (Path Length: 7): see the call chain listed above.
Dependency tree:
Suggested solutions:
Update the dependency version.
Thank you very much.
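As an added example that is not part of this issue or of the iotplatform code: a pre-flight guard the webhook plugin could apply to its target URL as defense in depth alongside the recommended update to httpclient 4.5.13, cross-checking against the URIUtils.extractHost method named in the invocation path. The class name, the allowlisted host and the https-only rule are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

import org.apache.http.HttpHost;
import org.apache.http.client.utils.URIUtils;

/**
 * Added example, not iotplatform code: a pre-flight guard for webhook targets.
 * CVE-2020-13956: httpclient < 4.5.13 may derive the target host from a malformed
 * authority component and connect somewhere other than the host java.net.URI
 * reports. Upgrading is the fix; this guard is defense in depth around it.
 */
public final class WebhookTargetGuard {

    // Constructed sample: hosts this tenant's webhooks may reach (assumption).
    private static final Set<String> ALLOWED_HOSTS = Set.of("hooks.example.com");

    private WebhookTargetGuard() {}

    /** Returns the validated URI, or throws if the request must not be sent. */
    public static URI validate(String rawUrl) throws URISyntaxException {
        URI uri = new URI(rawUrl);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException("webhook must use https: " + rawUrl);
        }
        String host = uri.getHost();
        if (host == null || uri.getRawUserInfo() != null) {
            // java.net.URI could not parse a host (malformed or registry-based
            // authority), or the URL embeds credentials: refuse rather than let
            // the library guess the target.
            throw new IllegalArgumentException("webhook URL has no parseable host: " + rawUrl);
        }
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("webhook host not allowlisted: " + host);
        }
        // Cross-check the host the library will actually target (the method named
        // in the invocation path) against the host java.net.URI parsed.
        HttpHost target = URIUtils.extractHost(uri);
        if (target == null || !host.equalsIgnoreCase(target.getHostName())) {
            throw new IllegalStateException("HttpClient would target " + target + ", not " + host);
        }
        return uri;
    }
}
```

In this project the natural call site is WebhookMsgHandler.put, before the request object is built and handed to CloseableHttpClient.execute.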