search

sebfz1 / wicket-jquery-ui

jQuery UI & Kendo UI integration in Wicket
http://www.7thweb.net/wicket-jquery-ui/
Other
93 stars 58 forks source link

Dependency org.apache.wicket:wicket-core, leading to CVE problem #339

Closed CVEDetect closed 2 years ago

CVEDetect commented 3 years ago

Hi, In wicket-jquery-ui-wicket-jquery-ui-8.0.0/wicket-jquery-ui-calendar,there is a dependency org.apache.wicket:wicket-core:8.0.0-M9 that calls the risk method.

CVE-2021-23937

The scope of this CVE affected version is [9.0.0,9.3.0),[8.0.0,8.12.0),[6.2.0,7.18.0)

After further analysis, in this project, the main Api called is <org.apache.wicket.protocol.http.request.WebClientInfo: java.lang.String getRemoteAddr(org.apache.wicket.request.cycle.RequestCycle)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 9

<org.apache.wicket.protocol.http.request.WebClientInfo: java.lang.String getRemoteAddr(org.apache.wicket.request.cycle.RequestCycle)>
at <org.apache.wicket.protocol.http.request.WebClientInfo: void <init>(org.apache.wicket.request.cycle.RequestCycle,java.lang.String,org.apache.wicket.protocol.http.ClientProperties)> (org.apache.wicket.protocol.http.request.WebClientInfo.java:[110]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <org.apache.wicket.protocol.http.request.WebClientInfo: void <init>(org.apache.wicket.request.cycle.RequestCycle,org.apache.wicket.protocol.http.ClientProperties)> (org.apache.wicket.protocol.http.request.WebClientInfo.java:[76]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <org.apache.wicket.protocol.http.request.WebClientInfo: void <init>(org.apache.wicket.request.cycle.RequestCycle)> (org.apache.wicket.protocol.http.request.WebClientInfo.java:[65]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <org.apache.wicket.resource.DynamicJQueryResourceReference: java.lang.String getName()> (org.apache.wicket.resource.DynamicJQueryResourceReference.java:[71]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <org.apache.wicket.core.request.mapper.BasicResourceReferenceMapper: org.apache.wicket.request.Url mapHandler(org.apache.wicket.request.IRequestHandler)> (org.apache.wicket.core.request.mapper.BasicResourceReferenceMapper.java:[213]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <org.apache.wicket.request.cycle.RequestCycle: org.apache.wicket.request.Url mapUrlFor(org.apache.wicket.request.IRequestHandler)> (org.apache.wicket.request.cycle.RequestCycle.java:[449]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <org.apache.wicket.request.cycle.RequestCycle: java.lang.CharSequence urlFor(org.apache.wicket.request.IRequestHandler)> (org.apache.wicket.request.cycle.RequestCycle.java:[549]) in /.m2/repository/org/apache/wicket/wicket-core/8.0.0-M9/wicket-core-8.0.0-M9.jar
at <com.googlecode.wicket.jquery.ui.calendar.CalendarBehavior: void renderHead(org.apache.wicket.Component,org.apache.wicket.markup.head.IHeaderResponse)> (com.googlecode.wicket.jquery.ui.calendar.CalendarBehavior.java:[190]) in /detect/unzip/wicket-jquery-ui-wicket-jquery-ui-8.0.0-M9/wicket-jquery-ui-calendar/target/classes

Dependency tree--

[INFO] com.googlecode.wicket-jquery-ui:wicket-jquery-ui-calendar:bundle:8.0.0-M9
[INFO] +- com.googlecode.wicket-jquery-ui:wicket-jquery-ui-core:jar:8.0.0-M9:compile
[INFO] +- org.apache.wicket:wicket-core:jar:8.0.0-M9:provided
[INFO] |  +- org.apache.wicket:wicket-request:jar:8.0.0-M9:provided
[INFO] |  +- org.apache.wicket:wicket-util:jar:8.0.0-M9:provided
[INFO] |  |  +- commons-fileupload:commons-fileupload:jar:1.3.3:provided
[INFO] |  |  +- commons-io:commons-io:jar:2.5:provided
[INFO] |  |  \- org.apache.commons:commons-collections4:jar:4.1:provided
[INFO] |  +- org.danekja:jdk-serializable-functional:jar:1.8.3:provided
[INFO] |  +- com.github.openjson:openjson:jar:1.0.8:provided
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:provided
[INFO] +- org.apache.wicket:wicket-extensions:jar:8.0.0-M9:provided

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@sebfz1 Could please help me check this issue? May I pull a request to fix it? Thanks again.

martin-g commented 3 years ago

wicket-jquery-ui-wicket-jquery-ui-8.0.0

What is wicket-jquery-ui-wicket-jquery-ui-8.0.0 ? It seems like a very old version (8.0.0). There is no point in fixing something in an old version when it is fixed in a newer one