usc-isi-i2 / Web-Karma

Information Integration Tool

Home Page:http://www.isi.edu/integration/karma/


Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

CVEDetect opened this issue · comments

Hi, in /karma-jsonld, there is a dependency org.apache.httpcomponents:httpclient-osgi:4.5.2 that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13)

After further analysis, in this project the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length: 4

com.github.jsonldjava.core.DocumentLoader: openStreamFromURL(java.net.URL)Ljava.io.InputStream; /download/apache-maven-3.6.3/repository_mount/io/dropwizard/metrics/metrics-core/3.1.5/metrics-core-3.1.5.jar
org.apache.http.impl.client.DecompressingHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpResponse; /download/apache-maven-3.6.3/repository_mount/io/dropwizard/metrics/metrics-core/3.1.5/metrics-core-3.1.5.jar
org.apache.http.impl.client.DecompressingHttpClient: getHttpHost(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; /download/apache-maven-3.6.3/repository_mount/io/dropwizard/metrics/metrics-core/3.1.5/metrics-core-3.1.5.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] edu.isi:karma-jsonld:jar:0.0.1-SNAPSHOT
[INFO] +- org.json:json:jar:20141113:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.0:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- org.apache.spark:spark-core_2.11:jar:2.4.5:compile
[INFO] |  +- com.thoughtworks.paranamer:paranamer:jar:2.8:compile
[INFO] |  +- org.apache.avro:avro:jar:1.8.2:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |  +- org.apache.commons:commons-compress:jar:1.8.1:compile
[INFO] |  |  \- org.tukaani:xz:jar:1.5:compile
[INFO] |  +- org.apache.avro:avro-mapred:jar:hadoop2:1.8.2:compile
[INFO] |  |  \- org.apache.avro:avro-ipc:jar:1.8.2:compile
[INFO] |  +- com.twitter:chill_2.11:jar:0.9.3:compile
[INFO] |  |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
[INFO] |  |     \- com.esotericsoftware:minlog:jar:1.3.0:compile
[INFO] |  +- com.twitter:chill-java:jar:0.9.3:compile
[INFO] |  +- org.apache.xbean:xbean-asm6-shaded:jar:4.8:compile
[INFO] |  +- org.apache.hadoop:hadoop-client:jar:2.6.5:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-common:jar:2.6.5:compile
[INFO] |  |  |  +- xmlenc:xmlenc:jar:0.52:compile
[INFO] |  |  |  +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] |  |  |  +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  |  |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |  +- commons-configuration:commons-configuration:jar:1.6:compile
[INFO] |  |  |  |  \- commons-digester:commons-digester:jar:1.8:compile
[INFO] |  |  |  |     \- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] |  |  |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  |  |  +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] |  |  |  +- org.apache.hadoop:hadoop-auth:jar:2.6.5:compile
[INFO] |  |  |  |  \- org.apache.directory.server:apacheds-kerberos-codec:jar:2.0.0-M15:compile
[INFO] |  |  |  |     +- org.apache.directory.server:apacheds-i18n:jar:2.0.0-M15:compile
[INFO] |  |  |  |     +- org.apache.directory.api:api-asn1-api:jar:1.0.0-M20:compile
[INFO] |  |  |  |     \- org.apache.directory.api:api-util:jar:1.0.0-M20:compile
[INFO] |  |  |  +- org.apache.curator:curator-client:jar:2.6.0:compile
[INFO] |  |  |  \- org.htrace:htrace-core:jar:3.0.4:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-hdfs:jar:2.6.5:compile
[INFO] |  |  |  +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile
[INFO] |  |  |  \- xerces:xercesImpl:jar:2.9.1:compile
[INFO] |  |  |     \- xml-apis:xml-apis:jar:1.3.04:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-mapreduce-client-app:jar:2.6.5:compile
[INFO] |  |  |  +- org.apache.hadoop:hadoop-mapreduce-client-common:jar:2.6.5:compile
[INFO] |  |  |  |  +- org.apache.hadoop:hadoop-yarn-client:jar:2.6.5:compile
[INFO] |  |  |  |  \- org.apache.hadoop:hadoop-yarn-server-common:jar:2.6.5:compile
[INFO] |  |  |  \- org.apache.hadoop:hadoop-mapreduce-client-shuffle:jar:2.6.5:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-yarn-api:jar:2.6.5:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-mapreduce-client-core:jar:2.6.5:compile
[INFO] |  |  |  \- org.apache.hadoop:hadoop-yarn-common:jar:2.6.5:compile
[INFO] |  |  |     +- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] |  |  |     |  \- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] |  |  |     +- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
[INFO] |  |  |     \- org.codehaus.jackson:jackson-xc:jar:1.9.13:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-mapreduce-client-jobclient:jar:2.6.5:compile
[INFO] |  |  \- org.apache.hadoop:hadoop-annotations:jar:2.6.5:compile
[INFO] |  +- org.apache.spark:spark-launcher_2.11:jar:2.4.5:compile
[INFO] |  +- org.apache.spark:spark-kvstore_2.11:jar:2.4.5:compile
[INFO] |  |  \- org.fusesource.leveldbjni:leveldbjni-all:jar:1.8:compile
[INFO] |  +- org.apache.spark:spark-network-common_2.11:jar:2.4.5:compile
[INFO] |  +- org.apache.spark:spark-network-shuffle_2.11:jar:2.4.5:compile
[INFO] |  +- org.apache.spark:spark-unsafe_2.11:jar:2.4.5:compile
[INFO] |  +- javax.activation:activation:jar:1.1.1:compile
[INFO] |  +- org.apache.curator:curator-recipes:jar:2.6.0:compile
[INFO] |  |  +- org.apache.curator:curator-framework:jar:2.6.0:compile
[INFO] |  |  \- com.google.guava:guava:jar:16.0.1:compile
[INFO] |  +- org.apache.zookeeper:zookeeper:jar:3.4.6:compile
[INFO] |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] |  +- org.apache.commons:commons-math3:jar:3.4.1:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  +- org.slf4j:jul-to-slf4j:jar:1.7.16:compile
[INFO] |  +- log4j:log4j:jar:1.2.17:compile
[INFO] |  +- com.ning:compress-lzf:jar:1.0.3:compile
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.7.3:compile
[INFO] |  +- org.lz4:lz4-java:jar:1.4.0:compile
[INFO] |  +- com.github.luben:zstd-jni:jar:1.3.2-2:compile
[INFO] |  +- org.roaringbitmap:RoaringBitmap:jar:0.7.45:compile
[INFO] |  |  \- org.roaringbitmap:shims:jar:0.7.45:compile
[INFO] |  +- commons-net:commons-net:jar:3.1:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.11.12:compile
[INFO] |  +- org.json4s:json4s-jackson_2.11:jar:3.5.3:compile
[INFO] |  |  \- org.json4s:json4s-core_2.11:jar:3.5.3:compile
[INFO] |  |     +- org.json4s:json4s-ast_2.11:jar:3.5.3:compile
[INFO] |  |     +- org.json4s:json4s-scalap_2.11:jar:3.5.3:compile
[INFO] |  |     \- org.scala-lang.modules:scala-xml_2.11:jar:1.0.6:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-client:jar:2.22.2:compile
[INFO] |  |  +- javax.ws.rs:javax.ws.rs-api:jar:2.0.1:compile
[INFO] |  |  +- org.glassfish.hk2:hk2-api:jar:2.4.0-b34:compile
[INFO] |  |  |  +- org.glassfish.hk2:hk2-utils:jar:2.4.0-b34:compile
[INFO] |  |  |  \- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.4.0-b34:compile
[INFO] |  |  +- org.glassfish.hk2.external:javax.inject:jar:2.4.0-b34:compile
[INFO] |  |  \- org.glassfish.hk2:hk2-locator:jar:2.4.0-b34:compile
[INFO] |  |     \- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.22.2:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] |  |  +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.22.2:compile
[INFO] |  |  \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-server:jar:2.22.2:compile
[INFO] |  |  +- org.glassfish.jersey.media:jersey-media-jaxb:jar:2.22.2:compile
[INFO] |  |  \- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet:jar:2.22.2:compile
[INFO] |  +- org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.22.2:compile
[INFO] |  +- io.netty:netty-all:jar:4.1.42.Final:compile
[INFO] |  +- io.netty:netty:jar:3.9.9.Final:compile
[INFO] |  +- com.clearspring.analytics:stream:jar:2.7.0:compile
[INFO] |  +- io.dropwizard.metrics:metrics-core:jar:3.1.5:compile
[INFO] |  +- io.dropwizard.metrics:metrics-jvm:jar:3.1.5:compile
[INFO] |  +- io.dropwizard.metrics:metrics-json:jar:3.1.5:compile
[INFO] |  +- io.dropwizard.metrics:metrics-graphite:jar:3.1.5:compile
[INFO] |  +- com.fasterxml.jackson.module:jackson-module-scala_2.11:jar:2.6.7.1:compile
[INFO] |  |  +- org.scala-lang:scala-reflect:jar:2.11.8:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-paranamer:jar:2.7.9:compile
[INFO] |  +- org.apache.ivy:ivy:jar:2.4.0:compile
[INFO] |  +- oro:oro:jar:2.0.8:compile
[INFO] |  +- net.razorvine:pyrolite:jar:4.13:compile
[INFO] |  +- net.sf.py4j:py4j:jar:0.10.7:compile
[INFO] |  +- org.apache.spark:spark-tags_2.11:jar:2.4.5:compile
[INFO] |  +- org.apache.commons:commons-crypto:jar:1.0.0:compile
[INFO] |  \- org.spark-project.spark:unused:jar:1.0.0:compile
[INFO] +- commons-cli:commons-cli:jar:1.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.1:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:runtime
[INFO] +- org.slf4j:slf4j-api:jar:1.7.9:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.9:runtime
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.9:test
[INFO] +- org.apache.httpcomponents:httpclient-osgi:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  +- org.apache.httpcomponents:httpmime:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpclient-cache:jar:4.5.2:compile
[INFO] |  \- org.apache.httpcomponents:fluent-hc:jar:4.5.2:compile
[INFO] +- org.apache.httpcomponents:httpcore-osgi:jar:4.4.5:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.5:compile
[INFO] |  \- org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
[INFO] +- org.mockito:mockito-core:jar:1.10.17:compile
[INFO] |  \- org.objenesis:objenesis:jar:2.1:compile
[INFO] \- com.jayway.jsonpath:json-path:jar:2.0.0:compile
[INFO]    \- net.minidev:json-smart:jar:2.1.1:compile
[INFO]       \- net.minidev:asm:jar:1.0.2:compile
[INFO]          \- asm:asm:jar:3.3.1:compile

Suggested solutions:

Update dependency version

Thank you very much.
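An added check, not part of the issue or of the Web-Karma project, that scans `mvn dependency:tree` output like the tree above for httpclient artifacts whose version falls inside the affected range [,4.5.13). The tree excerpt is constructed from lines quoted in the issue; treating httpclient-osgi as affected alongside httpclient (it bundles the same httpclient version) is an assumption.

```python
import re

# Constructed excerpt of the mvn dependency:tree output quoted in the issue.
SAMPLE_TREE = """\
[INFO] edu.isi:karma-jsonld:jar:0.0.1-SNAPSHOT
[INFO] +- org.apache.httpcomponents:httpclient-osgi:jar:4.5.2:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  +- commons-codec:commons-codec:jar:1.9:compile
[INFO] |  \\- org.apache.httpcomponents:fluent-hc:jar:4.5.2:compile
[INFO] +- org.apache.httpcomponents:httpcore-osgi:jar:4.4.5:compile
[INFO] +- org.apache.avro:avro-mapred:jar:hadoop2:1.8.2:compile
"""

# First version outside the range [,4.5.13) given in the issue.
FIXED = "4.5.13"
# Assumption: httpclient-osgi is flagged too, since it bundles httpclient.
AFFECTED = {("org.apache.httpcomponents", "httpclient"),
            ("org.apache.httpcomponents", "httpclient-osgi")}

# "[INFO]", then the tree drawing characters (| + \ - and spaces), then the coordinates.
COORD_RE = re.compile(r"^\[INFO\]\s*[|+\\\- ]*\s*(\S+)$")


def parse_tree(text):
    """Return (group, artifact, version) for every node of a Maven dependency tree."""
    deps = []
    for line in text.splitlines():
        m = COORD_RE.match(line)
        if not m:
            continue
        parts = m.group(1).split(":")
        if len(parts) < 4:
            continue
        # Layout is group:artifact:type[:classifier]:version[:scope]. The root node
        # has no scope; avro-mapred above carries a classifier, so take the version
        # from the right-hand end whenever a scope is present.
        version = parts[3] if len(parts) == 4 else parts[-2]
        deps.append((parts[0], parts[1], version))
    return deps


def version_key(version):
    """Compare numeric components only, so 4.5.13 sorts after 4.5.2."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def find_vulnerable(text):
    """Return 'group:artifact:version' for each affected artifact older than FIXED."""
    return [f"{g}:{a}:{v}" for g, a, v in parse_tree(text)
            if (g, a) in AFFECTED and version_key(v) < version_key(FIXED)]


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_TREE):
        print("CVE-2020-13956 range match:", hit)
```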

Resolved in latest release