Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem
CVEDetect opened this issue · 1 comments
Hi, in jwt-spring-security-demo there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.23 that calls the risk method.
The affected version ranges of this CVE are [,7.0.89), [8.0.0, 8.0.53), [8.5.0, 8.5.32), [9.0.0, 9.0.9).
After further analysis, in this project the main API called is <org.apache.catalina.filters.CorsFilter: void handleSimpleCORS(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)>.
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length: 5
<org.apache.catalina.filters.CorsFilter: void handleSimpleCORS(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)>
at <org.apache.catalina.filters.CorsFilter: void doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain)> (org.apache.catalina.filters.CorsFilter.java:[161, 157]) in /home/wc/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
at <org.apache.catalina.core.ApplicationFilterChain: void internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)> (org.apache.catalina.core.ApplicationFilterChain.java:[193]) in /home/wc/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
at <org.apache.catalina.core.ApplicationFilterChain: void doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)> (org.apache.catalina.core.ApplicationFilterChain.java:[166]) in /home/wc/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
at <org.zerhusen.security.JwtAuthenticationTokenFilter: void doFilterInternal(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)> (org.zerhusen.security.JwtAuthenticationTokenFilter.java:[70]) in /home/wc/detect/unzip/jwt-spring-security-demo-1.0.0/target/classes
Dependency tree--
[INFO] org.zerhusen:jwt-spring-security-demo:jar:0.2.0
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:1.5.9.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:1.5.9.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:1.5.9.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.9.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.9.RELEASE:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] | | | +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] | | | \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] | +- org.springframework.boot:spring-boot-starter-aop:jar:1.5.9.RELEASE:compile
[INFO] | | \- org.aspectj:aspectjweaver:jar:1.8.13:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.9.RELEASE:compile
[INFO] | | +- org.apache.tomcat:tomcat-jdbc:jar:8.5.23:compile
[INFO] | | | \- org.apache.tomcat:tomcat-juli:jar:8.5.23:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:4.3.13.RELEASE:compile
[INFO] | +- org.hibernate:hibernate-core:jar:5.0.12.Final:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO] | | +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | +- antlr:antlr:jar:2.7.7:compile
[INFO] | | +- org.jboss:jandex:jar:2.0.0.Final:compile
[INFO] | | \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
[INFO] | +- org.hibernate:hibernate-entitymanager:jar:5.0.12.Final:compile
[INFO] | +- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO] | +- org.springframework.data:spring-data-jpa:jar:1.11.9.RELEASE:compile
[INFO] | | +- org.springframework.data:spring-data-commons:jar:1.13.9.RELEASE:compile
[INFO] | | +- org.springframework:spring-orm:jar:4.3.13.RELEASE:compile
[INFO] | | +- org.springframework:spring-context:jar:4.3.13.RELEASE:compile
[INFO] | | +- org.springframework:spring-tx:jar:4.3.13.RELEASE:compile
[INFO] | | +- org.springframework:spring-beans:jar:4.3.13.RELEASE:compile
[INFO] | | +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] | | \- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] | \- org.springframework:spring-aspects:jar:4.3.13.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:1.5.9.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-web:jar:1.5.9.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.9.RELEASE:compile
[INFO] | | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.23:compile
[INFO] | | | | \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.23:compile
[INFO] | | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.23:compile
[INFO] | | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.23:compile
[INFO] | | +- org.hibernate:hibernate-validator:jar:5.3.6.Final:compile
[INFO] | | | +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] | | | \- com.fasterxml:classmate:jar:1.3.4:compile
[INFO] | | +- org.springframework:spring-web:jar:4.3.13.RELEASE:compile
[INFO] | | \- org.springframework:spring-webmvc:jar:4.3.13.RELEASE:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.8.10:compile
[INFO] | \- org.springframework.data:spring-data-rest-webmvc:jar:2.6.9.RELEASE:compile
[INFO] | \- org.springframework.data:spring-data-rest-core:jar:2.6.9.RELEASE:compile
[INFO] | +- org.springframework.hateoas:spring-hateoas:jar:0.23.0.RELEASE:compile
[INFO] | +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] | \- org.atteo:evo-inflector:jar:1.2.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-mobile:jar:1.5.9.RELEASE:compile
[INFO] | \- org.springframework.mobile:spring-mobile-device:jar:1.1.5.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:1.5.9.RELEASE:compile
[INFO] | +- org.springframework:spring-aop:jar:4.3.13.RELEASE:compile
[INFO] | +- org.springframework.security:spring-security-config:jar:4.2.3.RELEASE:compile
[INFO] | \- org.springframework.security:spring-security-web:jar:4.2.3.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.3.13.RELEASE:compile
[INFO] +- com.h2database:h2:jar:1.4.196:runtime
[INFO] +- io.jsonwebtoken:jjwt:jar:0.7.0:compile
[INFO] +- com.google.code.findbugs:findbugs:jar:3.0.1:compile
[INFO] | +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] | +- com.google.code.findbugs:jsr305:jar:2.0.1:compile
[INFO] | +- com.google.code.findbugs:bcel-findbugs:jar:6.0:compile
[INFO] | +- com.google.code.findbugs:jFormatString:jar:2.0.1:compile
[INFO] | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | +- org.ow2.asm:asm-debug-all:jar:5.0.2:compile
[INFO] | +- org.ow2.asm:asm-commons:jar:5.0.2:compile
[INFO] | | \- org.ow2.asm:asm-tree:jar:5.0.2:compile
[INFO] | | \- org.ow2.asm:asm:jar:5.0.2:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- com.apple:AppleJavaExtensions:jar:1.4:compile
[INFO] | \- jaxen:jaxen:jar:1.1.6:compile
[INFO] | +- org.springframework:spring-core:jar:4.3.13.RELEASE:compile
[INFO] \- org.springframework.security:spring-security-core:jar:4.2.3.RELEASE:compile
[INFO] \- aopalliance:aopalliance:jar:1.0:compile
Suggested solutions:
Update the dependency version.
Thank you very much.
@szerhusenBC
Could you please help me check this issue?
May I open a pull request to fix it?
Thanks again.
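One way to apply the suggested fix, as an added example that is not the issue author's or the project's own pom.xml: because Spring Boot 1.5.9.RELEASE manages the Tomcat artifacts through its `tomcat.version` property (the dependency tree above shows every Tomcat artifact at the Boot-managed 8.5.23), overriding that single property moves tomcat-embed-core to 8.5.32, the first 8.5.x release outside the affected range quoted in the report. It assumes the project inherits from spring-boot-starter-parent and declares spring-boot-starter-data-rest as shown in the tree; everything else in the fragment is illustrative.

```xml
<!-- Added example, not the project's pom.xml. Overrides Spring Boot's managed
     Tomcat version so tomcat-embed-core leaves the affected range
     [8.5.0, 8.5.32) quoted in the report. Assumes the project inherits from
     spring-boot-starter-parent 1.5.9.RELEASE, as the dependency tree shows. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.zerhusen</groupId>
  <artifactId>jwt-spring-security-demo</artifactId>
  <version>0.2.0</version>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>1.5.9.RELEASE</version>
  </parent>

  <properties>
    <!-- spring-boot-dependencies 1.5.9.RELEASE pins tomcat.version to 8.5.23.
         Raising it here also moves tomcat-jdbc, tomcat-juli, tomcat-embed-el,
         tomcat-embed-websocket and tomcat-annotations-api in lock step, so the
         Tomcat artifacts in the tree stay at one consistent version. -->
    <tomcat.version>8.5.32</tomcat.version>
  </properties>

  <dependencies>
    <!-- Pulls in spring-boot-starter-web and, through it, tomcat-embed-core.
         No version element: the parent's dependency management supplies it. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-data-rest</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` should list tomcat-embed-core at 8.5.32 and no remaining 8.5.23 entries; the CorsFilter call path in the report is reached through the embedded Tomcat filter chain, so only the jar on that path needs to move.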