Closed CVEDetect closed 11 months ago
Hi, in /jsurfer-fastjson, there is a dependency com.alibaba:fastjson:1.2.76 that calls the risk method.
CVE-2022-25845
The affected version range of this CVE is [,1.2.83)
After further analysis, in this project, the main API called is com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 6
CVE Bug Invocation Path :
org.jsfr.json.provider.FastJsonProvider: cast(java.lang.Object,java.lang.Class)Ljava.lang.Object; /experiment/github_download_11_6_to_2_13/JsonSurfer/wanglingsong-JsonSurfer-6e7f58d/jsurfer-fastjson/target/classes
com.alibaba.fastjson.JSON: toJavaObject(com.alibaba.fastjson.JSON,java.lang.Class)Ljava.lang.Object; /.m2/repository/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar
com.alibaba.fastjson.util.TypeUtils: cast(java.lang.Object,java.lang.Class,com.alibaba.fastjson.parser.ParserConfig)Ljava.lang.Object; /.m2/repository/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar
com.alibaba.fastjson.util.TypeUtils: castToJavaBean(java.util.Map,java.lang.Class,com.alibaba.fastjson.parser.ParserConfig)Ljava.lang.Object; /.m2/repository/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar
com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class)Ljava.lang.Class; /.m2/repository/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar
com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;
Dependency tree--
[INFO] com.github.jsurfer:jsurfer-fastjson:jar:1.6.4
[INFO] +- com.github.jsurfer:jsurfer-core:jar:1.6.4:compile
[INFO] |  \- org.antlr:antlr4-runtime:jar:4.7.2:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.76:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.0:test
[INFO] |  +- ch.qos.logback:logback-core:jar:1.2.0:test
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.22:test
[INFO] +- org.mockito:mockito-all:jar:1.10.19:test
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- com.google.guava:guava-io:jar:r03:test
[INFO]    +- com.google.guava:guava-annotations:jar:r03:test
[INFO]    \- com.google.guava:guava-base:jar:r03:test
Suggested solutions:
Update dependency version
Thank you very much.