Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
CVEDetect opened this issue · 2 comments
CVEDetect commented
Hi, In best-pay-sdk-1.3.2(best-pay-sdk),there is a dependency org.apache.httpcomponents:httpclient:4.5.3 that calls the risk method.
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[93]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[83]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[108]) in /home/wc/.m2/repository/org/apache/httpcomponents/httpclient/4.5.3/httpclient-4.5.3.jar
at <com.lly835.bestpay.utils.HttpRequestUtil: java.lang.String post(java.lang.String,java.lang.String)> (com.lly835.bestpay.utils.HttpRequestUtil.java:[42]) in /home/wc/detect/unzip/best-pay-sdk-1.3.2-SNAPSHOT/best-pay-sdk/target/classes
Dependency tree--
[INFO] cn.springboot:best-pay-sdk:jar:1.3.2-SNAPSHOT
[INFO] +- org.projectlombok:lombok:jar:1.16.14:compile
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.5:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-codec:commons-codec:jar:1.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.1:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.7:compile
[INFO] | +- ch.qos.logback:logback-core:jar:1.1.7:compile
[INFO] | \- org.slf4j:slf4j-api:jar:1.7.20:compile
[INFO] +- joda-time:joda-time:jar:2.9.4:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.50:compile
[INFO] | \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.50:compile
[INFO] +- com.squareup.retrofit2:retrofit:jar:2.5.0:compile
[INFO] | \- com.squareup.okhttp3:okhttp:jar:3.12.0:compile
[INFO] | \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] +- com.squareup.retrofit2:converter-simplexml:jar:2.5.0:compile
[INFO] | \- org.simpleframework:simple-xml:jar:2.7.1:compile
[INFO] | +- stax:stax-api:jar:1.0.1:compile
[INFO] | +- stax:stax:jar:1.2.0:compile
[INFO] | \- xpp3:xpp3:jar:1.1.3.3:compile
[INFO] +- com.squareup.retrofit2:converter-gson:jar:2.5.0:compile
[INFO] | \- com.google.code.gson:gson:jar:2.8.2:compile
[INFO] +- com.squareup.okhttp3:logging-interceptor:jar:3.12.0:compile
[INFO] \- org.bouncycastle:bcprov-jdk15on:jar:1.59:compile
Suggested solutions:
Update dependency version to 4.5.13 or higher
Thank you very much.