The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: java.lang.Object execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[163]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: java.lang.Object execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler)> (org.apache.http.impl.client.CloseableHttpClient.java:[139]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor: java.lang.Object sendRequest(org.apache.http.client.methods.HttpRequestBase,org.apache.http.client.ResponseHandler)> (com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor.java:[197]) in /detect/unzip/sofa-lookout-1.6.1/client/lookout-reg-server/target/classes
at <com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor: boolean sendPostRequest(org.apache.http.client.methods.HttpPost,java.util.Map)> (com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor.java:[148]) in /detect/unzip/sofa-lookout-1.6.1/client/lookout-reg-server/target/classes
Hi, In sofa-lookout-1.6.1/client/lookout-reg-server,there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.
CVE-2020-13956
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 6
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.