Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #5166

Open
CVEDetect opened this issue Nov 25, 2022 · 0 comments

Hi, in repository/, there is a dependency org.apache.httpcomponents:httpclient:4.5.9 that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13).

After further analysis, in this project, the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 6

org.pentaho.platform.repository2.unified.jcr.JcrAclNodeHelper: setAclFor(org.pentaho.platform.api.repository2.unified.RepositoryFile,org.pentaho.platform.api.repository2.unified.RepositoryFileAcl) .m2/repository/com/sun/jersey/jersey-servlet/1.19.1/jersey-servlet-1.19.1.jar
org.pentaho.platform.engine.security.SecurityHelper: runAsSystem(java.util.concurrent.Callable)Ljava.lang.Object; .m2/repository/org/springframework/ldap/spring-ldap-core/2.3.2.RELEASE/spring-ldap-core-2.3.2.RELEASE.jar
org.apache.http.impl.client.HttpRequestTaskCallable: call()Ljava.lang.Object; .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.apache.http.impl.client.DecompressingHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler,org.apache.http.protocol.HttpContext)Ljava.lang.Object; .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.apache.http.impl.client.DecompressingHttpClient: getHttpHost(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] pentaho:pentaho-platform-repository:jar:9.5.0.0-SNAPSHOT
[INFO] +- commons-cli:commons-cli:jar:1.2:compile
[INFO] +- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- commons-dbcp:commons-dbcp:jar:1.4:compile
[INFO] +- commons-pool:commons-pool:jar:1.5.7:compile
[INFO] +- commons-io:commons-io:jar:2.11.0:compile
[INFO] +- commons-lang:commons-lang:jar:2.4:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.commons:commons-vfs2:jar:2.7.0:compile
[INFO] +- org.aspectj:aspectjrt:jar:1.6.6:compile
[INFO] +- javax.jcr:jcr:jar:2.0:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:4.0.1:compile
[INFO] +- com.sun.mail:javax.mail:jar:1.6.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- cglib:cglib-nodep:jar:2.2:compile
[INFO] +- com.google.guava:guava:jar:17.0:compile
[INFO] +- org.yaml:snakeyaml:jar:1.7:compile
[INFO] +- javax.ws.rs:jsr311-api:jar:1.1.1:compile
[INFO] +- com.sun.jersey.contribs:jersey-multipart:jar:1.19.1:compile
[INFO] +- org.jvnet.mimepull:mimepull:jar:1.9.3:compile
[INFO] +- com.sun.jersey.contribs:jersey-apache-client:jar:1.19.1:compile
[INFO] +- com.sun.jersey.contribs:jersey-spring:jar:1.19.1:compile
[INFO] +- com.sun.jersey:jersey-core:jar:1.19.1:compile
[INFO] +- com.sun.jersey:jersey-json:jar:1.19.1:compile
[INFO] +- org.codehaus.jettison:jettison:jar:1.1:compile
[INFO] +- javax.xml.bind:jaxb-api:jar:2.2.2:compile
[INFO] +- javax.xml.stream:stax-api:jar:1.0-2:compile
[INFO] +- javax.activation:activation:jar:1.1:compile
[INFO] +- com.sun.jersey:jersey-client:jar:1.19.1:compile
[INFO] +- com.sun.jersey:jersey-server:jar:1.19.1:compile
[INFO] +- com.sun.jersey:jersey-servlet:jar:1.19.1:compile
[INFO] +- org.glassfish.metro:webservices-api:jar:2.3.1:compile
[INFO] +- org.glassfish.metro:webservices-rt:jar:2.3.1:compile
[INFO] +- com.google.gwt:gwt-servlet:jar:2.9.0:compile
[INFO] +- org.hibernate:hibernate-core:jar:3.6.9.Final:compile
[INFO] +- org.hibernate:hibernate-ehcache:jar:3.6.0.Final:compile
[INFO] +- org.antlr:antlr-complete:jar:3.5.2:compile
[INFO] +- org.ow2.asm:asm:jar:7.1:compile
[INFO] +- asm:asm-attrs:jar:2.2.3:compile
[INFO] +- javax.transaction:jta:jar:1.1:compile
[INFO] +- net.sf.ehcache:ehcache-core:jar:2.5.1:compile
[INFO] +- cglib:cglib:jar:2.2:compile
[INFO] +- org.apache.jackrabbit:jackrabbit-core:jar:2.16.5:compile
[INFO] |  +- org.apache.jackrabbit:jackrabbit-data:jar:2.16.5:compile
[INFO] |  +- org.apache.tika:tika-core:jar:1.22:compile
[INFO] |  \- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] +- pentaho:pentaho-concurrent:jar:1.0.0:compile
[INFO] +- org.apache.jackrabbit:jackrabbit-api:jar:2.16.5:compile
[INFO] |  \- org.jetbrains:annotations:jar:16.0.3:compile
[INFO] +- org.apache.jackrabbit:jackrabbit-spi:jar:2.16.5:compile
[INFO] +- org.apache.jackrabbit:jackrabbit-spi-commons:jar:2.16.5:compile
[INFO] +- org.apache.jackrabbit:jackrabbit-jcr-commons:jar:2.16.5:compile
[INFO] +- org.springframework:se-jcr:jar:0.9:compile
[INFO] +- org.springframework:spring-beans:jar:5.3.23:compile
[INFO] +- org.springframework:spring-context:jar:5.3.23:compile
[INFO] +- org.springframework:spring-core:jar:5.3.23:compile
[INFO] +- org.springframework.webflow:spring-binding:jar:2.4.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-expression:jar:5.3.23:compile
[INFO] +- org.springframework.security:spring-security-core:jar:5.4.2:compile
[INFO] +- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.apache.derby:derby:jar:10.14.2.0:compile
[INFO] +- org.fontbox:fontbox:jar:0.1.0:compile
[INFO] +- org.jempbox:jempbox:jar:0.2.0:compile
[INFO] +- org.apache.lucene:lucene-core:jar:3.6.0:compile
[INFO] +- net.sourceforge.nekohtml:nekohtml:jar:1.9.15:compile
[INFO] +- org.apache.poi:poi:jar:4.1.1:compile
[INFO] +- org.apache.poi:poi-scratchpad:jar:4.1.1:compile
[INFO] +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] +- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] +- com.github.virtuald:curvesapi:jar:1.06:compile
[INFO] +- org.apache.commons:commons-compress:jar:1.20:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- jaxen:jaxen:jar:1.1.6:compile
[INFO] +- org.pentaho:pentaho-vfs:jar:1.0:compile
[INFO] +- pentaho:pentaho-connections:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |  +- com.sun.activation:jakarta.activation:jar:1.2.2:compile
[INFO] |  \- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] +- org.pentaho:pentaho-metadata:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- joda-time:joda-time:jar:2.10.2:compile
[INFO] |  +- commons-math:commons-math:jar:1.1:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.9:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] |  +- com.thoughtworks.xstream:xstream:jar:1.4.19:compile
[INFO] |  |  \- io.github.x-stream:mxparser:jar:1.2.2:compile
[INFO] |  |     \- xmlpull:xmlpull:jar:1.1.3.1:compile
[INFO] |  +- org.netbeans:jmi:jar:200507110943:compile
[INFO] |  +- org.netbeans:mdrapi:jar:200507110943:compile
[INFO] |  +- org.netbeans:mof:jar:200507110943:compile
[INFO] |  +- org.netbeans:nbmdr:jar:200507110943-custom:compile
[INFO] |  +- pentaho-kettle:kettle-engine:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- pentaho-kettle:kettle-core:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- pentaho:pentaho-cwm:jar:1.5.4:compile
[INFO] |  |  +- org.netbeans:jmiutils:jar:200507110943:compile
[INFO] |  |  \- org.netbeans:openide-util:jar:200507110943:compile
[INFO] |  +- org.pentaho.reporting.library:libformula:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  \- org.pentaho.reporting.library:libbase:jar:9.5.0.0-SNAPSHOT:compile
[INFO] +- pentaho:pentaho-platform-api:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- org.pentaho:actionsequence-dom:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- org.pentaho:commons-xul-core:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- org.pentaho:commons-database-model:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  \- pentaho:pentaho-service-coordinator:jar:9.5.0.0-SNAPSHOT:compile
[INFO] +- pentaho:pentaho-platform-core:jar:9.5.0.0-SNAPSHOT:compile
[INFO] |  +- org.apache.xmlgraphics:batik-awt-util:jar:1.9.1:compile
[INFO] |  +- org.apache.xmlgraphics:batik-dom:jar:1.9.1:compile
[INFO] |  +- org.apache.xmlgraphics:batik-svggen:jar:1.9.1:compile
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  +- jfree:jcommon:jar:1.0.14:compile
[INFO] |  +- jfree:jfreechart:jar:1.0.13:compile
[INFO] |  +- org.springframework:spring-jdbc:jar:5.3.23:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.3.23:compile
[INFO] |  +- org.springframework.security:spring-security-ldap:jar:5.4.2:compile
[INFO] |  +- org.springframework.ldap:spring-ldap-core:jar:2.3.2.RELEASE:compile
[INFO] |  +- org.hibernate:hibernate-commons-annotations:jar:3.2.0.Final:compile
[INFO] |  +- org.hibernate.javax.persistence:hibernate-jpa-2.0-api:jar:1.0.1.Final:compile
[INFO] |  +- rhino:js:jar:1.7R1:compile
[INFO] |  \- pentaho:pentaho-versionchecker:jar:9.5.0.0-SNAPSHOT:compile
[INFO] +- org.javassist:javassist:jar:3.20.0-GA:compile
[INFO] +- org.osgi:org.osgi.core:jar:6.0.0:test
[INFO] +- pentaho:pentaho-platform-core:jar:tests:9.5.0.0-SNAPSHOT:test
[INFO] +- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] |  \- org.hamcrest:hamcrest:jar:2.2:test
[INFO] +- org.hamcrest:hamcrest-library:jar:2.2:test
[INFO] +- junit:junit:jar:4.12:test
[INFO] +- org.mockito:mockito-core:jar:4.0.0:test
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.11.19:test
[INFO] |  +- net.bytebuddy:byte-buddy-agent:jar:1.11.19:test
[INFO] |  \- org.objenesis:objenesis:jar:3.2:test
[INFO] +- org.mockito:mockito-inline:jar:4.0.0:test
[INFO] +- hsqldb:hsqldb:jar:1.8.0.7:test
[INFO] +- org.springframework:spring-test:jar:5.3.23:test
[INFO] +- com.jayway.jsonpath:json-path:jar:0.8.1:test
[INFO] |  \- net.minidev:json-smart:jar:1.1.1:test
[INFO] +- javax.persistence:persistence-api:jar:1.0:test
[INFO] +- javax.portlet:portlet-api:jar:2.0:test
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.1:test
[INFO] +- javax.servlet:servlet-api:jar:2.5:test
[INFO] +- org.aspectj:aspectjweaver:jar:1.7.2:test
[INFO] +- org.springframework:spring-tx:jar:5.3.23:compile
[INFO] +- org.testng:testng:jar:6.5.2:test
[INFO] |  +- org.beanshell:bsh:jar:2.0b4:test
[INFO] |  \- com.beust:jcommander:jar:1.12:test
[INFO] +- xmlunit:xmlunit:jar:1.3:test
[INFO] +- javax.inject:javax.inject:jar:1:test
[INFO] +- pentaho:simple-jndi:jar:1.0.10:test
[INFO] +- org.quartz-scheduler:quartz:jar:1.7.2:compile
[INFO] +- com.sun.jersey.jersey-test-framework:jersey-test-framework-core:jar:1.19.1:test
[INFO] +- com.h2database:h2:jar:2.1.210:compile
[INFO] \- pentaho-kettle:kettle-core:jar:tests:9.5.0.0-SNAPSHOT:test
[INFO]    +- pentaho:metastore:jar:9.5.0.0-SNAPSHOT:compile
[INFO]    +- org.owasp.encoder:encoder:jar:1.2:compile
[INFO]    +- org.apache.xmlgraphics:batik-bridge:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-css:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-gvt:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-svg-dom:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-transcoder:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-codec:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-util:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-ext:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-xml:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-anim:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-parser:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-script:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-constants:jar:1.9.1:compile
[INFO]    +- org.apache.xmlgraphics:batik-i18n:jar:1.9.1:compile
[INFO]    +- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO]    +- org.eclipse.jetty:jetty-util:jar:9.4.18.v20190429:compile
[INFO]    +- jug-lgpl:jug-lgpl:jar:2.0.0:compile
[INFO]    +- com.jcraft:jsch:jar:0.1.54:compile
[INFO]    +- com.jcraft:jzlib:jar:1.0.7:compile
[INFO]    +- ognl:ognl:jar:2.6.9:compile
[INFO]    +- net.sf.scannotation:scannotation:jar:1.0.2:compile
[INFO]    +- com.wcohen:com.wcohen.secondstring:jar:0.1:compile
[INFO]    +- org.samba.jcifs:jcifs:jar:1.3.3:compile
[INFO]    +- org.apache.tomcat:tomcat-jdbc:jar:8.5.27:compile
[INFO]    |  \- org.apache.tomcat:tomcat-juli:jar:8.5.27:compile
[INFO]    \- org.pentaho:pentaho-encryption-support:jar:9.5.0.0-SNAPSHOT:compile

Suggested solutions:

Please update <httpclient.version>4.5.9</httpclient.version> to 4.5.13 in the pom.xml file of project pentaho / maven-parent-poms to solve the problem.

Thank you very much.
