search

weibocom / yar-java

Java implementation of Yar protocol
Apache License 2.0
12 stars 6 forks source link

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #6

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, In yar-java-0.0.3,there is a dependency org.apache.httpcomponents:httpclient:4.3.6 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 4

<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[134]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.3.6/httpclient-4.3.6.jar
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[120]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.3.6/httpclient-4.3.6.jar
at <com.weibo.yar.yarclient.HttpYarClient: byte[] httpPost(java.lang.String,java.util.Map,byte[])> (com.weibo.yar.yarclient.HttpYarClient.java:[57]) in /home/wc/detect/unzip/yar-java-0.0.3/target/classes

Dependency tree--

[INFO] com.weibo:yar-java:jar:0.0.3
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3.6:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.3.3:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] +- com.xk72:pherialize:jar:1.2.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.0:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.10.0:compile
[INFO] +- org.msgpack:msgpack:jar:0.6.12:compile
[INFO] |  +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] |  \- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] \- io.netty:netty-all:jar:4.1.42.Final:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect commented 3 years ago

@rayzhang0603 Could please help me check this issue? May I pull a request to fix it? Thanks again.