CVEDetect opened a new issue, #179: URL: https://github.com/apache/shardingsphere-elasticjob-ui/issues/179
Hi, in **tlog-webroot/**, there is a dependency **org.apache.tomcat.embed:tomcat-embed-core:8.5.40** that calls the risk method.

[CVE-2019-17563](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563)

The scope of this CVE affected version is **[9.0.0.M1, 9.0.30), [8.5.0, 8.5.50), [,7.0.99)**

After further analysis, in this project, the main Api called is **org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)**

Risk method repair link: [GitHub](https://github.com/apache/tomcat/commit/e19a202)

**CVE Bug Invocation Path--**

**Path Length: 8**

```
org.apache.shardingsphere.elasticjob.cloud.ui.security.AuthenticationFilter: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain)V
  /.m2/repository/org/springframework/spring-core/4.3.24.RELEASE/spring-core-4.3.24.RELEASE.jar
org.apache.catalina.core.ApplicationFilterChain: doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)V
  /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.core.ApplicationFilterChain: internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)V
  /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.connector.Request: getUserPrincipal()Ljava.security.Principal;
  /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.connector.Request: logout()V
  /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.authenticator.AuthenticatorBase: logout(org.apache.catalina.connector.Request)V
  /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String)V
  /.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.40/tomcat-embed-el-8.5.40.jar
org.apache.catalina.authenticator.AuthenticatorBase: register(org.apache.catalina.connector.Request,javax.servlet.http.HttpServletResponse,java.security.Principal,java.lang.String,java.lang.String,java.lang.String,boolean,boolean)V
```

**Dependency tree--**

```
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ shardingsphere-elasticjob-cloud-ui-backend ---
[INFO] org.apache.shardingsphere:shardingsphere-elasticjob-cloud-ui-backend:jar:3.1.0-SNAPSHOT
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-cloud-common:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-api:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-infra-common:jar:3.0.2:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-simple-executor:jar:3.0.2:compile
[INFO] |  |  \- org.apache.shardingsphere.elasticjob:elasticjob-executor-kernel:jar:3.0.2:compile
[INFO] |  |     \- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-general:jar:3.0.2:compile
[INFO] |  |        \- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-spi:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-dataflow-executor:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-script-executor:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-http-executor:jar:3.0.2:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-registry-center-zookeeper-curator:jar:3.0.2:compile
[INFO] |  |  +- org.apache.shardingsphere.elasticjob:elasticjob-registry-center-api:jar:3.0.2:compile
[INFO] |  |  +- org.apache.curator:curator-framework:jar:5.1.0:compile
[INFO] |  |  +- org.apache.curator:curator-client:jar:5.1.0:compile
[INFO] |  |  |  \- org.apache.zookeeper:zookeeper:jar:3.6.0:compile
[INFO] |  |  |     +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  |  |     +- org.apache.zookeeper:zookeeper-jute:jar:3.6.0:compile
[INFO] |  |  |     +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] |  |  |     +- io.netty:netty-handler:jar:4.1.45.Final:compile
[INFO] |  |  |     |  +- io.netty:netty-common:jar:4.1.45.Final:compile
[INFO] |  |  |     |  +- io.netty:netty-buffer:jar:4.1.45.Final:compile
[INFO] |  |  |     |  +- io.netty:netty-transport:jar:4.1.45.Final:compile
[INFO] |  |  |     |  |  \- io.netty:netty-resolver:jar:4.1.45.Final:compile
[INFO] |  |  |     |  \- io.netty:netty-codec:jar:4.1.45.Final:compile
[INFO] |  |  |     +- io.netty:netty-transport-native-epoll:jar:4.1.45.Final:compile
[INFO] |  |  |     |  \- io.netty:netty-transport-native-unix-common:jar:4.1.45.Final:compile
[INFO] |  |  |     \- log4j:log4j:jar:1.2.17:compile
[INFO] |  |  \- org.apache.curator:curator-recipes:jar:5.1.0:compile
[INFO] |  +- org.apache.shardingsphere.elasticjob:elasticjob-tracing-rdb:jar:3.0.2:compile
[INFO] |  |  \- org.apache.shardingsphere.elasticjob:elasticjob-tracing-api:jar:3.0.2:compile
[INFO] |  +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] |  |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  |  +- org.checkerframework:checker-qual:jar:2.11.1:compile
[INFO] |  |  \- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] |  +- org.quartz-scheduler:quartz:jar:2.3.2:compile
[INFO] |  |  \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] |  \- org.apache.commons:commons-exec:jar:1.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.21.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-logging:jar:1.5.21.RELEASE:compile
[INFO] |  |     \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.40:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.40:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.40:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.40:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.11.3:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.11:compile
[INFO] |  +- org.springframework:spring-web:jar:4.3.24.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:4.3.24.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:4.3.24.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-context:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:4.3.24.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:1.5.21.RELEASE:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.8.14:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.40:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.40:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.24.RELEASE:compile
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:1.11.22.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:1.13.22.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:4.3.24.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-tx:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-aspects:jar:4.3.24.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:1.5.21.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:1.5.21.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:1.5.21.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.2.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.2.1:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.1:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.3:test
[INFO] |  +- org.assertj:assertj-core:jar:2.6.0:test
[INFO] |  +- org.mockito:mockito-core:jar:2.7.21:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.6.11:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.6.11:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.5:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |  +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.4.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:4.3.24.RELEASE:compile
[INFO] |  \- org.springframework:spring-test:jar:4.3.24.RELEASE:test
[INFO] +- org.apache.openjpa:openjpa:jar:3.1.2:compile
[INFO] |  +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] |  +- net.sourceforge.serp:serp:jar:1.15.1:compile
[INFO] |  +- org.apache.geronimo.specs:geronimo-jta_1.1_spec:jar:1.1.1:compile
[INFO] |  +- org.apache.commons:commons-pool2:jar:2.4.3:compile
[INFO] |  +- org.apache.xbean:xbean-asm8-shaded:jar:4.17:compile
[INFO] |  \- org.apache.geronimo.specs:geronimo-jpa_2.2_spec:jar:1.1:compile
[INFO] +- org.apache.commons:commons-dbcp2:jar:2.2.0:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.h2database:h2:jar:1.4.196:compile
[INFO] +- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] +- javax.xml.bind:jaxb-api:jar:2.3.0:compile
[INFO] +- com.sun.xml.bind:jaxb-core:jar:2.3.0:compile
[INFO] +- com.sun.xml.bind:jaxb-impl:jar:2.3.0:compile
[INFO] +- com.auth0:java-jwt:jar:3.18.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.20:provided
[INFO] +- junit:junit:jar:4.12:test
[INFO] \- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO]    \- ch.qos.logback:logback-core:jar:1.1.11:compile
```

**_Suggested solutions:_**

Update dependency version

Thank you very much.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
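One way to turn the report's affected-range claim into a repeatable check, as an added example that is not part of shardingsphere-elasticjob-ui or of the tool that filed this issue: the script below parses `mvn dependency:tree` output, looks each artifact up in a small vulnerable-artifact map, and tests its version against Maven-style ranges with a comparator that understands Tomcat's `M<n>` milestone qualifiers (so `9.0.0.M1` sorts below `9.0.0`, and the lower bound of `[9.0.0.M1, 9.0.30)` is honoured). The ranges are the ones quoted above for CVE-2019-17563; the sample tree is a constructed subset of the tree in the issue; `VULNERABLE`, `parse_version`, `in_ranges` and `find_affected` are this example's own names.

```python
"""Flag Maven artifacts whose version lies inside a CVE's affected ranges.

Added example for the issue above, not project or tool code. The ranges are
the ones the issue quotes for CVE-2019-17563; the artifact map is an assumption
of this example and only lists the artifact the issue names.
"""
import re
import sys
from typing import Dict, List, Tuple

CVE_2019_17563_RANGES = "[9.0.0.M1,9.0.30),[8.5.0,8.5.50),[,7.0.99)"

# (groupId, artifactId) -> (CVE id, affected ranges). Extend as needed.
VULNERABLE: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("org.apache.tomcat.embed", "tomcat-embed-core"): ("CVE-2019-17563", CVE_2019_17563_RANGES),
}

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(version: str) -> VersionKey:
    """Sortable key for Tomcat-style versions: '8.5.40', '9.0.0.M1'.

    Numeric parts compare as integers; a trailing 'M<n>' milestone sorts
    before the release with the same numbers (as Maven orders them). Any
    other qualifier is treated as an unnumbered pre-release, which is
    adequate for Tomcat's scheme but not a general Maven comparator.
    """
    nums: List[int] = []
    qualifier = None
    for part in version.split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            qualifier = part
            break
    nums += [0] * (3 - len(nums))  # '8.5' == '8.5.0'
    if qualifier is None:
        return (tuple(nums), 1, 0)  # final release outranks any milestone
    m = re.fullmatch(r"M(\d+)", qualifier)
    return (tuple(nums), 0, int(m.group(1)) if m else 0)


# One Maven range: open/close bracket, lower bound, upper bound (either may be empty).
RANGE_RE = re.compile(r"([\[(])\s*([^,\[\]()]*?)\s*,\s*([^,\[\]()]*?)\s*([\])])")


def parse_ranges(spec: str) -> List[Tuple[bool, str, str, bool]]:
    """'[a,b),[,c)' -> [(lo_inclusive, lo, hi, hi_inclusive), ...]."""
    found = RANGE_RE.findall(spec)
    if not found:
        raise ValueError(f"no version ranges in {spec!r}")
    return [(lo_b == "[", lo, hi, hi_b == "]") for lo_b, lo, hi, hi_b in found]


def in_ranges(version: str, spec: str) -> bool:
    """True if `version` falls inside any of the ranges in `spec`."""
    key = parse_version(version)
    for lo_inc, lo, hi, hi_inc in parse_ranges(spec):
        if lo:
            lo_key = parse_version(lo)
            if key < lo_key or (key == lo_key and not lo_inc):
                continue
        if hi:
            hi_key = parse_version(hi)
            if key > hi_key or (key == hi_key and not hi_inc):
                continue
        return True
    return False


# groupId:artifactId:type:version:scope as printed by dependency:tree.
TREE_LINE_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|war|pom|bundle):([\w.\-]+):(\w+)")


def find_affected(tree_text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (cve, groupId, artifactId, version, scope) for every hit, in tree order."""
    hits = []
    for line in tree_text.splitlines():
        m = TREE_LINE_RE.search(line)
        if not m:
            continue  # plugin banner, root artifact (no scope), blank lines
        group, artifact, version, scope = m.groups()
        entry = VULNERABLE.get((group, artifact))
        if entry and in_ranges(version, entry[1]):
            hits.append((entry[0], group, artifact, version, scope))
    return hits


# Constructed subset of the dependency tree quoted in the issue.
SAMPLE_TREE = """\
[INFO] org.apache.shardingsphere:shardingsphere-elasticjob-cloud-ui-backend:jar:3.1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.21.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.40:compile
[INFO] |  |  |  \\- org.apache.tomcat:tomcat-annotations-api:jar:8.5.40:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.40:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.40:compile
[INFO] +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.21.RELEASE:compile
[INFO] |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.40:compile
"""

if __name__ == "__main__":
    # Pipe `mvn dependency:tree` into this script, or run it bare for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for cve, group, artifact, version, scope in find_affected(text):
        print(f"{cve}: {group}:{artifact}:{version} ({scope} scope) is in the affected range")
```

Run as `mvn dependency:tree | python check_tree.py` (file name is this example's choice). With the Spring Boot 1.5.x parent the Tomcat version comes from the `tomcat.version` property, so setting `<tomcat.version>8.5.50</tomcat.version>` (or later) under `<properties>` moves every `org.apache.tomcat*` artifact in the tree at once; re-running the check on the new tree should return no hits. Matching on group and artifact rather than on a jar name matters here because the invocation path above attributes the `org.apache.catalina` frames to `tomcat-embed-el`, while the dependency tree shows the class actually ships in `tomcat-embed-core`.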
