search

simplesteph / kafka-connect-github-source

Get a stream of issues and pull requests for your chosen GitHub repository
https://links.datacumulus.com/kafka-connect-coupon
MIT License
443 stars 190 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #17

Open CVEDetect opened 2 years ago

CVEDetect commented 2 years ago

Hi, In kafka-connect-github-source,there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[137]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[123]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.mashape.unirest.http.HttpClientHelper: com.mashape.unirest.http.HttpResponse request(com.mashape.unirest.request.HttpRequest,java.lang.Class)> (com.mashape.unirest.http.HttpClientHelper.java:[138]) in /.m2/repository/com/mashape/unirest/unirest-java/1.4.9/unirest-java-1.4.9.jar
at <com.mashape.unirest.request.BaseRequest: com.mashape.unirest.http.HttpResponse asJson()> (com.mashape.unirest.request.BaseRequest.java:[68]) in /.m2/repository/com/mashape/unirest/unirest-java/1.4.9/unirest-java-1.4.9.jar
at <com.simplesteph.kafka.GitHubAPIHttpClient: com.mashape.unirest.http.HttpResponse getNextIssuesAPI(java.lang.Integer,java.time.Instant)> (com.simplesteph.kafka.GitHubAPIHttpClient.java:[84]) in /detect/unzip/kafka-connect-github-source-1.1/target/classes

Dependency tree--

[INFO] com.simplesteph.kafka:kafka-connect-github-source:jar:1.1
[INFO] +- org.apache.kafka:connect-api:jar:0.10.2.0-cp1:provided
[INFO] |  +- org.apache.kafka:kafka-clients:jar:0.10.2.0-cp1:provided
[INFO] |  |  +- net.jpountz.lz4:lz4:jar:1.3.0:provided
[INFO] |  |  \- org.xerial.snappy:snappy-java:jar:1.1.2.6:provided
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.25:compile
[INFO] |  \- log4j:log4j:jar:1.2.17:compile
[INFO] \- com.mashape.unirest:unirest-java:jar:1.4.9:compile
[INFO]    +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO]    |  +- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO]    |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO]    |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO]    +- org.apache.httpcomponents:httpasyncclient:jar:4.1.1:compile
[INFO]    |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.4:compile
[INFO]    +- org.apache.httpcomponents:httpmime:jar:4.5.2:compile
[INFO]    \- org.json:json:jar:20160212:compile

Suggested solutions:

Update dependency version to 4.5.13 or higher

Thank you very much.

CVEDetect commented 2 years ago

@simplesteph Could please help me check this issue? May I pull a request to fix it? Thanks again.