search

sofastack / sofa-lookout

SOFALookout is a light-weight monitoring and analysis tool
Apache License 2.0
372 stars 119 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #96

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In sofa-lookout-1.6.1/client/lookout-reg-server,there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: java.lang.Object execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[163]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: java.lang.Object execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler)> (org.apache.http.impl.client.CloseableHttpClient.java:[139]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor: java.lang.Object sendRequest(org.apache.http.client.methods.HttpRequestBase,org.apache.http.client.ResponseHandler)> (com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor.java:[197]) in /detect/unzip/sofa-lookout-1.6.1/client/lookout-reg-server/target/classes
at <com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor: boolean sendPostRequest(org.apache.http.client.methods.HttpPost,java.util.Map)> (com.alipay.lookout.remote.report.support.http.DefaultHttpRequestProcessor.java:[148]) in /detect/unzip/sofa-lookout-1.6.1/client/lookout-reg-server/target/classes

Dependency tree--

[INFO] com.alipay.sofa.lookout:lookout-reg-server:jar:1.6.1
[INFO] +- com.alipay.sofa.lookout:lookout-core:jar:1.6.1:compile
[INFO] |  +- com.alipay.sofa.lookout:lookout-common:jar:1.6.1:compile
[INFO] |  |  +- com.alipay.sofa.lookout:lookout-api:jar:1.6.1:compile
[INFO] |  |  \- com.alipay.sofa.common:sofa-common-tools:jar:1.0.12:compile
[INFO] |  +- com.alibaba:fastjson:jar:1.2.49:compile
[INFO] |  \- org.apache.commons:commons-configuration2:jar:2.1.1:compile
[INFO] |     \- org.apache.commons:commons-lang3:jar:3.3.2:compile
[INFO] +- com.google.guava:guava:jar:18.0:compile
[INFO] +- org.xerial.snappy:snappy-java:jar:1.1.2.6:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.4:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- commons-lang:commons-lang:jar:2.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.21:test
[INFO] |  \- log4j:log4j:jar:1.2.17:test
[INFO] +- org.mockito:mockito-all:jar:1.10.19:test
[INFO] \- org.assertj:assertj-core:jar:2.9.1:test

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@luyiisme Could please help me check this issue? May I pull a request to fix it? Thanks again.