search

qunarcorp / qconfig

Qconfig中心式配置中心,提供高可用的配置托管/动态热更新服务。 具备丰富的格式支持和简单易用的API
MIT License
280 stars 92 forks source link

Dependency org.apache.poi:poi-ooxml, leading to CVE problem #32

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, In qconfig/admin,there is a dependency org.apache.poi:poi-ooxml:3.9 that calls the risk method.

CVE-2019-12415

The scope of this CVE affected version is [5.3.0.RELEASE, 5.3.2.RELEASE),[5.2.0.RELEASE, 5.2.4.RELEASE),[5.1.0.RELEASE, 5.1.10.RELEASE),[5.0.0.RELEASE, 5.0.16.RELEASE),[4.2.0.RELEASE, 4.2.16.RELEASE)

After further analysis, in this project, the main Api called is

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 3

<org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
at <qunar.tc.qconfig.admin.service.impl.TemplateExcelParseServiceImpl: java.lang.String readCellAsString(org.apache.poi.ss.usermodel.Cell)> (qunar.tc.qconfig.admin.service.impl.TemplateExcelParseServiceImpl.java:[71]) in /detect/unzip/qconfig-master/admin/target/classes
at <qunar.tc.qconfig.admin.service.impl.TemplateExcelParseServiceImpl: java.util.List parse(org.springframework.web.multipart.MultipartFile)> (qunar.tc.qconfig.admin.service.impl.TemplateExcelParseServiceImpl.java:[44]) in /detect/unzip/qconfig-master/admin/target/classes

Dependency tree--

[INFO] qunar.tc.qconfig:admin:war:0.5.0-SNAPSHOT
[INFO] +- qunar.tc.qconfig:server-common:jar:0.5.0-SNAPSHOT:compile
[INFO] |  +- qunar.tc.qconfig:qconfig-client:jar:0.5.0-SNAPSHOT:compile
[INFO] |  |  \- com.ning:async-http-client:jar:1.9.39:compile
[INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.3.1:compile
[INFO] +- qunar.tc.qconfig:qconfig-common:jar:0.5.0-SNAPSHOT:compile
[INFO] |  +- com.google.guava:guava:jar:23.0:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.0.18:compile
[INFO] |  |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
[INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  \- com.codahale.metrics:metrics-core:jar:3.0.2:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.3.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.5:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.5:runtime
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.5:runtime
[INFO] +- ch.qos.logback:logback-classic:jar:1.0.13:runtime
[INFO] +- ch.qos.logback:logback-core:jar:1.0.13:runtime
[INFO] +- commons-digester:commons-digester:jar:1.6:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.6:compile
[INFO] |  +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] |  \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.3.24.RELEASE:compile
[INFO] |  +- org.springframework:spring-beans:jar:4.3.24.RELEASE:compile
[INFO] |  +- org.springframework:spring-context:jar:4.3.24.RELEASE:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.24.RELEASE:compile
[INFO] |  +- org.springframework:spring-expression:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-web:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework:spring-jdbc:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-tx:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework:spring-context-support:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework:spring-aop:jar:4.3.24.RELEASE:compile
[INFO] +- org.apache.tomcat:tomcat-jdbc:jar:7.0.94:compile
[INFO] |  \- org.apache.tomcat:tomcat-juli:jar:7.0.94:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.21:runtime
[INFO] +- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO] +- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi:jar:3.9:compile
[INFO] |  +- org.apache.poi:poi-ooxml-schemas:jar:3.9:compile
[INFO] |  |  \- org.apache.xmlbeans:xmlbeans:jar:2.3.0:compile
[INFO] |  |     \- stax:stax-api:jar:1.0.1:compile
[INFO] |  \- dom4j:dom4j:jar:1.6.1:compile
[INFO] +- joda-time:joda-time:jar:2.3:compile
[INFO] +- io.netty:netty:jar:3.9.5.Final:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- com.googlecode.java-diff-utils:diffutils:jar:1.3.0:compile
[INFO] +- com.sksamuel.diff:diff:jar:1.1.11:compile
[INFO] +- org.yaml:snakeyaml:jar:1.17:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- com.google.code.gson:gson:jar:2.6.2:compile
[INFO] +- org.aspectj:aspectjweaver:jar:1.8.12:compile
[INFO] +- org.springframework.security:spring-security-core:jar:4.2.13.RELEASE:compile
[INFO] |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.springframework.security:spring-security-web:jar:4.2.13.RELEASE:compile
[INFO] +- org.springframework.security.oauth:spring-security-oauth2:jar:2.3.6.RELEASE:compile
[INFO] |  \- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |     \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- org.springframework.security:spring-security-config:jar:4.2.13.RELEASE:compile
[INFO] +- org.springframework.security:spring-security-taglibs:jar:4.2.13.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-acl:jar:4.2.13.RELEASE:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 2 years ago

@DeepDownY Could please help me check this issue? May I pull a request to fix it? Thanks again.