fayechenlong / plumelog

A Java distributed logging component that scales to tens of billions of log entries, covering everything from log collection to querying, so there is no need to dig through log files on disk. It supports querying all logs of one call chain, link tracing with per-call timing, and looking up related logs across a distributed system, which helps locate problems quickly. It is simple to use, requires no code intrusion, and has a friendly, efficient query interface; any Java system can integrate it without project changes, and logs are never written to the local disk. Demo video: https://v.qq.com/x/page/g3308uxlcnw.html

Home Page:http://www.plumelog.com

Dependency org.apache.httpcomponents:httpclient-cache, leading to CVE problem

CVEDetect opened this issue

Hi, in /plumelog-core there is a dependency **org.apache.httpcomponents:httpclient:jar:4.5.9** that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project the main API called is `org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost`

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

```text
com.plumelog.core.util.HttpClient: doPostBody(java.lang.String,java.lang.String)Ljava.lang.String; /.m2/repository/org/apache/kafka/kafka-clients/2.5.0/kafka-clients-2.5.0.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; /.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
```

Dependency tree--

```text
[INFO] com.plumelog:plumelog-core:jar:3.5.3
[INFO] +- redis.clients:jedis:jar:3.3.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.6.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.2:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.11.2:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:4.0.1:provided
[INFO] +- org.springframework:spring-webflux:jar:5.1.18.RELEASE:provided
[INFO] |  +- io.projectreactor:reactor-core:jar:3.2.20.RELEASE:provided
[INFO] |  |  \- org.reactivestreams:reactive-streams:jar:1.0.2:provided
[INFO] |  +- org.springframework:spring-beans:jar:5.1.18.RELEASE:provided
[INFO] |  +- org.springframework:spring-core:jar:5.1.18.RELEASE:provided
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.1.18.RELEASE:provided
[INFO] |  \- org.springframework:spring-web:jar:5.1.18.RELEASE:provided
[INFO] +- org.springframework:spring-webmvc:jar:5.1.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-aop:jar:5.1.9.RELEASE:provided
[INFO] |  +- org.springframework:spring-context:jar:5.1.9.RELEASE:provided
[INFO] |  \- org.springframework:spring-expression:jar:5.1.9.RELEASE:provided
[INFO] +- org.apache.kafka:kafka-clients:jar:2.5.0:compile
[INFO] |  +- com.github.luben:zstd-jni:jar:1.4.4-7:compile
[INFO] |  +- org.lz4:lz4-java:jar:1.7.1:compile
[INFO] |  \- org.xerial.snappy:snappy-java:jar:1.1.7.3:compile
[INFO] +- com.alibaba:transmittable-thread-local:jar:2.11.5:compile
[INFO] +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.checkerframework:checker-qual:jar:2.11.1:compile
[INFO] |  +- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  \- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.9:compile
[INFO]    +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO]    +- commons-logging:commons-logging:jar:1.2:compile
[INFO]    \- commons-codec:commons-codec:jar:1.11:compile
```

Suggested solutions:

Update dependency version

Thank you very much.
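A concrete form of the suggested fix, added here as an example rather than taken from the issue or the plumelog project: move plumelog-core's direct httpclient dependency out of the affected range [,4.5.13). It assumes plumelog-core declares httpclient with an inline version in its pom.xml, as the top-level entry of the dependency tree above suggests.

```xml
<!-- Assumed pom.xml fragment for plumelog-core (example, not the project's actual file) -->
<dependencies>
  <!-- Before: 4.5.9 lies inside the affected range [,4.5.13) of CVE-2020-13956 -->
  <!--
  <dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.9</version>
  </dependency>
  -->
  <!-- After: first release outside the affected range -->
  <dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.13</version>
  </dependency>
</dependencies>

<!-- Pin the version once for the whole build as well, so a transitive httpclient
     brought in by another module cannot win Maven's nearest-wins resolution
     and reintroduce 4.5.9 -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient` should list only 4.5.13 under plumelog-core.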