You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@helix.apache.org by GitBox <gi...@apache.org> on 2021/10/06 05:25:09 UTC
[GitHub] [helix] CVEDetect opened a new issue #1890: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
CVEDetect opened a new issue #1890:
URL: https://github.com/apache/helix/issues/1890
Hi, In **helix-helix/helix-rest**,there is a dependency **org.apache.httpcomponents:httpclient:4.5.8** that calls the risk method.
[CVE-2020-13956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956)
The scope of this CVE affected version is **[,3.4.14),[3.5.0-alpha, 3.5.5)**
After further analysis, in this project, the main Api called is **<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>**
Risk method repair link : [GitHub](https://github.com/apache/httpcomponents-client/commit/894234a5aeb9958e7e466c383e4d0ded17a9a813#diff-a169c0c63c537750e3394f7e1407252053ffbc489181450a6c361cd7f8f67a22)
**CVE Bug Invocation Path--**
**Path Length : 4**
```
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[137]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.8/httpclient-4.5.8.jar
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[123]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.8/httpclient-4.5.8.jar
at <org.apache.helix.rest.client.CustomRestClientImpl: org.apache.http.HttpResponse post(java.lang.String,java.util.Map)> (org.apache.helix.rest.client.CustomRestClientImpl.java:[132]) in /detect/unzip/helix-helix-1.0.1/helix-rest/target/classes
```
**Dependency tree--**
```
[INFO] org.apache.helix:helix-rest:bundle:1.0.1
[INFO] +- org.apache.helix:metadata-store-directory-common:jar:1.0.1:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.8:compile
[INFO] | | +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] | | \- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- com.google.guava:guava:jar:20.0:compile
[INFO] +- org.yaml:snakeyaml:jar:1.17:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.14:compile
[INFO] | \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.apache.helix:helix-core:jar:1.0.1:compile
[INFO] | +- org.apache.helix:helix-common:jar:1.0.1:compile
[INFO] | | +- org.apache.helix:metrics-common:jar:1.0.1:compile
[INFO] | | \- org.apache.helix:zookeeper-api:jar:1.0.1:compile
[INFO] | | \- org.apache.zookeeper:zookeeper:jar:3.4.13:compile
[INFO] | | +- jline:jline:jar:0.9.94:compile
[INFO] | | +- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] | | \- io.netty:netty:jar:3.10.6.Final:compile
[INFO] | +- commons-io:commons-io:jar:1.4:compile
[INFO] | +- org.apache.commons:commons-math:jar:2.1:compile
[INFO] | +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] | +- commons-codec:commons-codec:jar:1.6:compile
[INFO] | \- io.dropwizard.metrics:metrics-core:jar:3.2.3:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] +- org.eclipse.jetty:jetty-server:jar:9.1.0.RC0:compile
[INFO] | +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
[INFO] | +- org.eclipse.jetty:jetty-http:jar:9.1.0.RC0:compile
[INFO] | | \- org.eclipse.jetty:jetty-util:jar:9.1.0.RC0:compile
[INFO] | \- org.eclipse.jetty:jetty-io:jar:9.1.0.RC0:compile
[INFO] +- org.glassfish.jersey.core:jersey-server:jar:2.10:compile
[INFO] | +- org.glassfish.jersey.core:jersey-common:jar:2.10:compile
[INFO] | | +- org.glassfish.jersey.bundles.repackaged:jersey-guava:jar:2.10:compile
[INFO] | | \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.1:compile
[INFO] | +- org.glassfish.jersey.core:jersey-client:jar:2.10:compile
[INFO] | +- javax.ws.rs:javax.ws.rs-api:jar:2.0:compile
[INFO] | +- javax.annotation:javax.annotation-api:jar:1.2:compile
[INFO] | +- org.glassfish.hk2:hk2-api:jar:2.3.0-b05:compile
[INFO] | | +- org.glassfish.hk2:hk2-utils:jar:2.3.0-b05:compile
[INFO] | | \- org.glassfish.hk2.external:aopalliance-repackaged:jar:2.3.0-b05:compile
[INFO] | +- org.glassfish.hk2.external:javax.inject:jar:2.3.0-b05:compile
[INFO] | +- org.glassfish.hk2:hk2-locator:jar:2.3.0-b05:compile
[INFO] | | \- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] | \- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.1.0.RC0:compile
[INFO] | \- org.eclipse.jetty:jetty-security:jar:9.1.0.RC0:compile
[INFO] +- org.glassfish.jersey.containers:jersey-container-jetty-http:jar:2.9:compile
[INFO] | \- org.eclipse.jetty:jetty-continuation:jar:9.1.1.v20140108:compile
[INFO] +- org.glassfish.jersey.containers:jersey-container-servlet-core:jar:2.9:compile
[INFO] +- org.glassfish.jersey.containers:jersey-container-grizzly2-servlet:jar:2.9:compile
[INFO] | +- org.glassfish.jersey.containers:jersey-container-servlet:jar:2.9:compile
[INFO] | +- org.glassfish.jersey.containers:jersey-container-grizzly2-http:jar:2.9:compile
[INFO] | | \- org.glassfish.grizzly:grizzly-http-server:jar:2.3.8:compile
[INFO] | | \- org.glassfish.grizzly:grizzly-http:jar:2.3.8:compile
[INFO] | | \- org.glassfish.grizzly:grizzly-framework:jar:2.3.8:compile
[INFO] | \- org.glassfish.grizzly:grizzly-http-servlet:jar:2.3.8:compile
[INFO] | \- org.ow2.asm:asm-debug-all:jar:5.0.2:compile
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.3.1:compile
[INFO] | \- xpp3:xpp3_min:jar:1.1.4c:compile
[INFO] +- org.codehaus.jackson:jackson-core-asl:jar:1.8.5:compile
[INFO] +- org.codehaus.jackson:jackson-mapper-asl:jar:1.8.5:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.5:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.1:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] +- commons-cli:commons-cli:jar:1.2:compile
```
**_Suggested solutions:_**
Update dependency version
Thank you very much.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For additional commands, e-mail: reviews-help@helix.apache.org
[GitHub] [helix] CVEDetect closed issue #1890: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
Posted by GitBox <gi...@apache.org>.
CVEDetect closed issue #1890:
URL: https://github.com/apache/helix/issues/1890
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For additional commands, e-mail: reviews-help@helix.apache.org
[GitHub] [helix] CVEDetect commented on issue #1890: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
Posted by GitBox <gi...@apache.org>.
CVEDetect commented on issue #1890:
URL: https://github.com/apache/helix/issues/1890#issuecomment-935487218
@lei-xia
Could please help me check this issue?
May I pull a request to fix it?
Thanks again.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@helix.apache.org
For additional commands, e-mail: reviews-help@helix.apache.org