xuexiangjys / XHttpApi

A simple API service built with Spring Boot that provides backend support for XHttp. It includes: common database create, read, update and delete operations, file upload and download, global exception handling, permission authentication, logging, and more.

Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem #4

Open CVEDetect opened 3 years ago

CVEDetect commented 3 years ago

Hi, in XHttpApi there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.16 that calls the risk method.

CVE-2019-10072

The affected version range of this CVE is [8.5.0, 8.5.40) || [9.0.0.M1, 9.0.20)

After further analysis, in this project the main API called is <org.apache.coyote.http2.Http2UpgradeHandler: void close()>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 9

<org.apache.coyote.http2.Http2UpgradeHandler: void close()>
at <org.apache.coyote.http2.Http2UpgradeHandler: void handleAppInitiatedIOException(java.io.IOException)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[714]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.http2.Http2UpgradeHandler: void writeHeaders(org.apache.coyote.http2.Stream,org.apache.coyote.Response,int)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[565]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.http2.Stream: void writeAck()> (org.apache.coyote.http2.Stream.java:[403]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.http2.StreamProcessor: void ack()> (org.apache.coyote.http2.StreamProcessor.java:[114]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.AbstractProcessor: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.AbstractProcessor.java:[276]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.Request: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.Request.java:[424, 426]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.catalina.connector.Request: java.lang.String getRemoteAddr()> (org.apache.catalina.connector.Request.java:[1289]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <com.xuexiang.xhttpapi.utils.IpUtils: java.lang.String getIpAddr(javax.servlet.http.HttpServletRequest)> (com.xuexiang.xhttpapi.utils.IpUtils.java:[54]) in /detect/unzip/XHttpApi-master/target/classes

Dependency tree--

[INFO] com.xuexiang:xhttpapi:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.6.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.6.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] |  |  |  +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] |  |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.16:compile
[INFO] |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.16:compile
[INFO] |  \- org.springframework:spring-jdbc:jar:4.3.10.RELEASE:compile
[INFO] |     +- org.springframework:spring-beans:jar:4.3.10.RELEASE:compile
[INFO] |     \- org.springframework:spring-tx:jar:4.3.10.RELEASE:compile
[INFO] +- org.mybatis.spring.boot:mybatis-spring-boot-starter:jar:1.3.0:compile
[INFO] |  +- org.mybatis.spring.boot:mybatis-spring-boot-autoconfigure:jar:1.3.0:compile
[INFO] |  +- org.mybatis:mybatis:jar:3.4.4:compile
[INFO] |  \- org.mybatis:mybatis-spring:jar:1.3.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:1.5.6.RELEASE:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring4:jar:2.1.5.RELEASE:compile
[INFO] |  |  +- org.thymeleaf:thymeleaf:jar:2.1.5.RELEASE:compile
[INFO] |  |  |  +- ognl:ognl:jar:3.0.8:compile
[INFO] |  |  |  +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |  |  \- org.unbescape:unbescape:jar:1.1.0.RELEASE:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  \- nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect:jar:1.4.0:compile
[INFO] |     \- org.codehaus.groovy:groovy:jar:2.4.12:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.6.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.6.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.16:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.16:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.16:compile
[INFO] |  +- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.3.3:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.10.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:4.3.10.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:4.3.10.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.10.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.10.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:1.5.6.RELEASE:compile
[INFO] |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.10.RELEASE:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.35:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.47:compile
[INFO] +- com.alibaba:druid:jar:1.0.11:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.8.9:compile
[INFO] |  \- joda-time:joda-time:jar:2.9.9:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.8.9:compile
[INFO] +- com.github.pagehelper:pagehelper-spring-boot-starter:jar:1.1.2:compile
[INFO] |  +- com.github.pagehelper:pagehelper-spring-boot-autoconfigure:jar:1.1.2:compile
[INFO] |  \- com.github.pagehelper:pagehelper:jar:5.0.3:compile
[INFO] |     \- com.github.jsqlparser:jsqlparser:jar:1.0:compile
[INFO] +- com.alibaba:druid-spring-boot-starter:jar:1.1.0:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.6.RELEASE:compile
[INFO] +- io.jsonwebtoken:jjwt:jar:0.9.0:compile
[INFO] +- org.aspectj:aspectjweaver:jar:1.8.13:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.1:compile
[INFO] \- org.assertj:assertj-core:jar:2.6.0:compile

Suggested solutions:

Update dependency version to 8.5.40 or higher

Thank you very much.

CVEDetect commented 3 years ago

@xuexiangjys Could you please help me check this issue? May I open a pull request to fix it? Thanks again.