[GitHub] [shardingsphere-elasticjob] CVEDetect opened a new issue, #2153: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

GitBox Wed, 23 Nov 2022 00:55:13 -0800


CVEDetect opened a new issue, #2153:
URL: https://github.com/apache/shardingsphere-elasticjob/issues/2153


   Hi, in 
**elasticjob-ecosystem/elasticjob-error-handler/elasticjob-error-handler-type/elasticjob-error-handler-dingtalk/**,
 there is a dependency **org.apache.httpcomponents:httpclient:4.5.12
   ** that calls the risk method.
   
   
[CVE-2020-13956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956)
   
   The scope of this CVE affected version is **[,4.5.13)**
   
   After further analysis, in this project, the main Api called is 
**org.apache.http.client.utils.URIUtils: 
extractHost(java.net.URI)Lorg.apache.http.HttpHost**
   
   Risk method repair link : 
[GitHub](https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e)
   
   **CVE Bug Invocation Path--**
   
   **Path Length : 5**
   
   ```
   
org.apache.shardingsphere.elasticjob.error.handler.dingtalk.DingtalkJobErrorHandler:
 handleException(java.lang.String,java.lang.Throwable) 
.m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar
   org.apache.http.impl.client.CloseableHttpClient: 
execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse;
 .m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
   org.apache.http.impl.client.CloseableHttpClient: 
execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse;
 .m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
   org.apache.http.impl.client.CloseableHttpClient: 
determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost;
 .m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
   org.apache.http.client.utils.URIUtils: 
extractHost(java.net.URI)Lorg.apache.http.HttpHost;
   ```
   **Dependency tree--**
   
   ```
   [INFO] 
org.apache.shardingsphere.elasticjob:elasticjob-error-handler-dingtalk:jar:3.1.0-SNAPSHOT
   [INFO] +- 
org.apache.shardingsphere.elasticjob:elasticjob-error-handler-spi:jar:3.1.0-SNAPSHOT:compile
   [INFO] |  \- 
org.apache.shardingsphere.elasticjob:elasticjob-infra-common:jar:3.1.0-SNAPSHOT:compile
   [INFO] |     +- 
org.apache.shardingsphere.elasticjob:elasticjob-api:jar:3.1.0-SNAPSHOT:compile
   [INFO] |     +- com.google.guava:guava:jar:29.0-jre:compile
   [INFO] |     |  +- com.google.guava:failureaccess:jar:1.0.1:compile
   [INFO] |     |  +- 
com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
   [INFO] |     |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
   [INFO] |     |  +- org.checkerframework:checker-qual:jar:2.11.1:compile
   [INFO] |     |  \- 
com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
   [INFO] |     +- org.apache.commons:commons-lang3:jar:3.4:compile
   [INFO] |     +- org.yaml:snakeyaml:jar:1.26:compile
   [INFO] |     \- com.google.code.gson:gson:jar:2.6.1:compile
   [INFO] +- 
org.apache.shardingsphere.elasticjob:elasticjob-error-handler-general:jar:3.1.0-SNAPSHOT:compile
   [INFO] +- 
org.apache.shardingsphere.elasticjob:elasticjob-restful:jar:3.1.0-SNAPSHOT:test
   [INFO] |  +- io.netty:netty-codec-http:jar:4.1.59.Final:test
   [INFO] |  |  +- io.netty:netty-buffer:jar:4.1.59.Final:test
   [INFO] |  |  \- io.netty:netty-handler:jar:4.1.59.Final:test
   [INFO] |  +- io.netty:netty-common:jar:4.1.59.Final:test
   [INFO] |  +- io.netty:netty-codec:jar:4.1.59.Final:test
   [INFO] |  \- io.netty:netty-transport:jar:4.1.59.Final:test
   [INFO] |     \- io.netty:netty-resolver:jar:4.1.59.Final:test
   [INFO] +- org.projectlombok:lombok:jar:1.18.24:provided
   [INFO] +- org.slf4j:slf4j-api:jar:1.7.7:compile
   [INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
   [INFO] |  +- commons-logging:commons-logging:jar:1.2:compile
   [INFO] |  \- commons-codec:commons-codec:jar:1.10:compile
   [INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
   [INFO] +- org.mockito:mockito-core:jar:4.8.0:test
   [INFO] |  +- net.bytebuddy:byte-buddy:jar:1.12.14:test
   [INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.12.14:test
   [INFO] |  \- org.objenesis:objenesis:jar:3.2:test
   [INFO] +- junit:junit:jar:4.12:test
   [INFO] |  \- org.hamcrest:hamcrest-core:jar:2.2:test
   [INFO] |     \- org.hamcrest:hamcrest:jar:2.2:test
   [INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:test
   [INFO] |  \- ch.qos.logback:logback-core:jar:1.2.3:test
   [INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.7:test
   [INFO] \- org.slf4j:jcl-over-slf4j:jar:1.7.7:test
   ```
   
   **_Suggested solutions:_**
   
   Update dependency version
   
   
   
   Thank you very much.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: 
[email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [shardingsphere-elasticjob] CVEDetect opened a new issue, #2153: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

Reply via email to