Closed CVEDetect closed 1 year ago
Hi, in /, there is a dependency com.alibaba:fastjson:1.2.54 that calls the risk method.
CVE-2022-25845
The affected version range of this CVE is [,1.2.83).
After further analysis, in this project the main API called is com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 8
org.kungfu.util.KungfuKit: toHump(java.lang.String)Ljava.util.Map;
/download/apache-maven-3.6.3/repository_mount/com/jfinal/jfinal/5.0.8/jfinal-5.0.8.jar
com.alibaba.fastjson.JSON: parse(java.lang.String)Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/github/xiaoymin/knife4j-openapi2-ui/4.0.0/knife4j-openapi2-ui-4.0.0.jar
com.alibaba.fastjson.JSON: parse(java.lang.String,int)Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/github/xiaoymin/knife4j-openapi2-ui/4.0.0/knife4j-openapi2-ui-4.0.0.jar
com.alibaba.fastjson.JSON: parse(java.lang.String,com.alibaba.fastjson.parser.ParserConfig,int)Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/github/xiaoymin/knife4j-openapi2-ui/4.0.0/knife4j-openapi2-ui-4.0.0.jar
com.alibaba.fastjson.parser.DefaultJSONParser: parse()Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/github/xiaoymin/knife4j-openapi2-ui/4.0.0/knife4j-openapi2-ui-4.0.0.jar
com.alibaba.fastjson.parser.DefaultJSONParser: parse(java.lang.Object)Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/github/xiaoymin/knife4j-openapi2-ui/4.0.0/knife4j-openapi2-ui-4.0.0.jar
com.alibaba.fastjson.parser.DefaultJSONParser: parseObject(java.util.Map,java.lang.Object)Ljava.lang.Object;
/download/apache-maven-3.6.3/repository_mount/com/github/xiaoymin/knife4j-openapi2-ui/4.0.0/knife4j-openapi2-ui-4.0.0.jar
com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;
Dependency tree--
[INFO] io.github.ticktack:kungfu:jar:1.1.7
[INFO] +- com.jfinal:jfinal:jar:5.0.8:compile
[INFO] +- com.jfinal:jfinal-undertow:jar:3.4:compile
[INFO] |  +- io.undertow:undertow-core:jar:2.2.22.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] |  |  +- org.jboss.xnio:xnio-api:jar:3.8.7.Final:compile
[INFO] |  |  |  +- org.wildfly.common:wildfly-common:jar:1.5.4.Final:compile
[INFO] |  |  |  \- org.wildfly.client:wildfly-client-config:jar:1.0.1.Final:compile
[INFO] |  |  +- org.jboss.xnio:xnio-nio:jar:3.8.7.Final:runtime
[INFO] |  |  \- org.jboss.threads:jboss-threads:jar:3.1.0.Final:compile
[INFO] |  +- io.undertow:undertow-servlet:jar:2.2.22.Final:compile
[INFO] |  \- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.54:compile
[INFO] +- com.auth0:java-jwt:jar:3.8.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.3:runtime
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:runtime
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:runtime
[INFO] |  \- commons-codec:commons-codec:jar:1.12:runtime
[INFO] \- com.lastB7:jfinal-swagger-knife4j:jar:3.0.0:compile
[INFO]    +- com.github.xiaoymin:knife4j-openapi2-ui:jar:4.0.0:compile
[INFO]    \- io.swagger:swagger-annotations:jar:1.6.2:compile
Suggested solutions:
Update dependency version
Thank you very much.
upgrade yet