Hi, in XHttpApi there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.16 that calls the risk method.

CVE-2019-10072

The affected version range of this CVE is [8.5.0, 8.5.40) || [9.0.0.M1, 9.0.20)

After further analysis, in this project, the main API called is <org.apache.coyote.http2.Http2UpgradeHandler: void close()>

Risk method repair link : GitHub

CVE Bug Invocation Path--
Path Length : 9

<org.apache.coyote.http2.Http2UpgradeHandler: void close()>
at <org.apache.coyote.http2.Http2UpgradeHandler: void handleAppInitiatedIOException(java.io.IOException)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[714]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.http2.Http2UpgradeHandler: void writeHeaders(org.apache.coyote.http2.Stream,org.apache.coyote.Response,int)> (org.apache.coyote.http2.Http2UpgradeHandler.java:[565]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.http2.Stream: void writeAck()> (org.apache.coyote.http2.Stream.java:[403]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.http2.StreamProcessor: void ack()> (org.apache.coyote.http2.StreamProcessor.java:[114]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.AbstractProcessor: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.AbstractProcessor.java:[276]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.coyote.Request: void action(org.apache.coyote.ActionCode,java.lang.Object)> (org.apache.coyote.Request.java:[424, 426]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <org.apache.catalina.connector.Request: java.lang.String getRemoteAddr()> (org.apache.catalina.connector.Request.java:[1289]) in /.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
at <com.xuexiang.xhttpapi.utils.IpUtils: java.lang.String getIpAddr(javax.servlet.http.HttpServletRequest)> (com.xuexiang.xhttpapi.utils.IpUtils.java:[54]) in /detect/unzip/XHttpApi-master/target/classes

Dependency tree--

Suggested solutions:
Update dependency version to 8.5.40 or higher

Thank you very much.