You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@shardingsphere.apache.org by GitBox <gi...@apache.org> on 2022/11/23 08:54:35 UTC
[GitHub] [shardingsphere-elasticjob] CVEDetect opened a new issue, #2153: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
CVEDetect opened a new issue, #2153:
URL: https://github.com/apache/shardingsphere-elasticjob/issues/2153
Hi, in **elasticjob-ecosystem/elasticjob-error-handler/elasticjob-error-handler-type/elasticjob-error-handler-dingtalk/**, there is a dependency **org.apache.httpcomponents:httpclient:4.5.12
** that calls the risk method.
[CVE-2020-13956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13956)
The scope of this CVE affected version is **[,4.5.13)**
After further analysis, in this project, the main Api called is **org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost**
Risk method repair link : [GitHub](https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e)
**CVE Bug Invocation Path--**
**Path Length : 5**
```
org.apache.shardingsphere.elasticjob.error.handler.dingtalk.DingtalkJobErrorHandler: handleException(java.lang.String,java.lang.Throwable) .m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;
```
**Dependency tree--**
```
[INFO] org.apache.shardingsphere.elasticjob:elasticjob-error-handler-dingtalk:jar:3.1.0-SNAPSHOT
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-spi:jar:3.1.0-SNAPSHOT:compile
[INFO] | \- org.apache.shardingsphere.elasticjob:elasticjob-infra-common:jar:3.1.0-SNAPSHOT:compile
[INFO] | +- org.apache.shardingsphere.elasticjob:elasticjob-api:jar:3.1.0-SNAPSHOT:compile
[INFO] | +- com.google.guava:guava:jar:29.0-jre:compile
[INFO] | | +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] | | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] | | +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] | | +- org.checkerframework:checker-qual:jar:2.11.1:compile
[INFO] | | \- com.google.errorprone:error_prone_annotations:jar:2.3.4:compile
[INFO] | +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] | +- org.yaml:snakeyaml:jar:1.26:compile
[INFO] | \- com.google.code.gson:gson:jar:2.6.1:compile
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-error-handler-general:jar:3.1.0-SNAPSHOT:compile
[INFO] +- org.apache.shardingsphere.elasticjob:elasticjob-restful:jar:3.1.0-SNAPSHOT:test
[INFO] | +- io.netty:netty-codec-http:jar:4.1.59.Final:test
[INFO] | | +- io.netty:netty-buffer:jar:4.1.59.Final:test
[INFO] | | \- io.netty:netty-handler:jar:4.1.59.Final:test
[INFO] | +- io.netty:netty-common:jar:4.1.59.Final:test
[INFO] | +- io.netty:netty-codec:jar:4.1.59.Final:test
[INFO] | \- io.netty:netty-transport:jar:4.1.59.Final:test
[INFO] | \- io.netty:netty-resolver:jar:4.1.59.Final:test
[INFO] +- org.projectlombok:lombok:jar:1.18.24:provided
[INFO] +- org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.12:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.13:compile
[INFO] +- org.mockito:mockito-core:jar:4.8.0:test
[INFO] | +- net.bytebuddy:byte-buddy:jar:1.12.14:test
[INFO] | +- net.bytebuddy:byte-buddy-agent:jar:1.12.14:test
[INFO] | \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- junit:junit:jar:4.12:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:test
[INFO] | \- ch.qos.logback:logback-core:jar:1.2.3:test
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.7:test
[INFO] \- org.slf4j:jcl-over-slf4j:jar:1.7.7:test
```
**_Suggested solutions:_**
Update dependency version
Thank you very much.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@shardingsphere.apache.org.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [shardingsphere-elasticjob] CVEDetect closed issue #2153: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
Posted by GitBox <gi...@apache.org>.
CVEDetect closed issue #2153: Dependency org.apache.httpcomponents:httpclient, leading to CVE problem
URL: https://github.com/apache/shardingsphere-elasticjob/issues/2153
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@shardingsphere.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org