vipshop / Saturn

The vip.com's distributed job scheduling platform.
Apache License 2.0
2.28k stars 701 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #764

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In Saturn-3.5.1/saturn-core,there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.vip.saturn.job.utils.UpdateJobCronUtils: void updateJobCron(java.lang.String,java.lang.String,java.lang.String,java.util.Map)> (com.vip.saturn.job.utils.UpdateJobCronUtils.java:[76]) in /detect/unzip/Saturn-3.5.1/saturn-core/target/classes

Dependency tree--

[INFO] com.vip.saturn:saturn-core:jar:master-SNAPSHOT
[INFO] +- com.vip.saturn:saturn-job-api:jar:master-SNAPSHOT:compile
[INFO] +- com.vip.saturn:saturn-job-sharding:jar:master-SNAPSHOT:compile
[INFO] |  +- com.vip.saturn:saturn-integrate:jar:master-SNAPSHOT:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.16:compile
[INFO] |  \- com.google.code.gson:gson:jar:2.5:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.2:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] |  \- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] +- org.quartz-scheduler:quartz:jar:2.2.1:compile
[INFO] +- org.apache.curator:curator-framework:jar:2.10.0:compile
[INFO] +- org.apache.curator:curator-client:jar:2.10.0:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.4.14:compile
[INFO] |  |  +- com.github.spotbugs:spotbugs-annotations:jar:3.1.9:compile
[INFO] |  |  |  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- jline:jline:jar:0.9.94:compile
[INFO] |  |  +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |  |  \- io.netty:netty:jar:3.10.6.Final:compile
[INFO] |  \- com.google.guava:guava:jar:18.0:compile
[INFO] +- org.apache.curator:curator-recipes:jar:2.10.0:compile
[INFO] |  +- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] |  \- org.apache.commons:commons-math:jar:2.2:compile
[INFO] +- org.springframework:spring-core:jar:4.3.2.RELEASE:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.16:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.7:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.1.7:compile
[INFO] +- org.codehaus.janino:janino:jar:2.6.1:compile
[INFO] |  \- org.codehaus.janino:commons-compiler:jar:2.6.1:compile
[INFO] +- org.apache.commons:commons-exec:jar:1.3:compile
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] +- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.4:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@RolfHeG Could please help me check this issue? May I pull a request to fix it? Thanks again.