
Dependency io.vertx:vertx-core, leading to CVE problem

Open CVEDetect opened this issue 4 years ago • 2 comments

Hi, in vertx-guide-for-java-devs/step-3, there is a dependency io.vertx:vertx-core:3.8.2 that calls the risk method.

CVE-2019-17640

The scope of this CVE's affected versions is [4.0.0.Final, 4.1.59.Final)

After further analysis, in this project, the main API called is <io.vertx.core.eventbus.impl.EventBusImpl: io.vertx.core.eventbus.ReplyException deliverMessageLocally(io.vertx.core.eventbus.impl.MessageImpl)>

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 8

<io.vertx.core.eventbus.impl.EventBusImpl: io.vertx.core.eventbus.ReplyException deliverMessageLocally(io.vertx.core.eventbus.impl.MessageImpl)>
at <io.vertx.core.eventbus.impl.EventBusImpl: void deliverMessageLocally(io.vertx.core.eventbus.impl.EventBusImpl$OutboundDeliveryContext)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[361]) in /.m2/repository/io/vertx/vertx-core/3.8.2/vertx-core-3.8.2.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: void sendOrPub(io.vertx.core.eventbus.impl.EventBusImpl$OutboundDeliveryContext)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[332]) in /.m2/repository/io/vertx/vertx-core/3.8.2/vertx-core-3.8.2.jar
at <io.vertx.core.eventbus.impl.EventBusImpl$OutboundDeliveryContext: void next()> (io.vertx.core.eventbus.impl.EventBusImpl$OutboundDeliveryContext.java:[496]) in /.m2/repository/io/vertx/vertx-core/3.8.2/vertx-core-3.8.2.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: void sendOrPubInternal(io.vertx.core.eventbus.impl.MessageImpl,io.vertx.core.eventbus.DeliveryOptions,io.vertx.core.Handler)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[453]) in /.m2/repository/io/vertx/vertx-core/3.8.2/vertx-core-3.8.2.jar
at <io.vertx.core.eventbus.impl.EventBusImpl: io.vertx.core.eventbus.EventBus send(java.lang.String,java.lang.Object,io.vertx.core.eventbus.DeliveryOptions,io.vertx.core.Handler)> (io.vertx.core.eventbus.impl.EventBusImpl.java:[111]) in /.m2/repository/io/vertx/vertx-core/3.8.2/vertx-core-3.8.2.jar
at <io.vertx.core.eventbus.EventBus: io.vertx.core.eventbus.EventBus request(java.lang.String,java.lang.Object,io.vertx.core.eventbus.DeliveryOptions,io.vertx.core.Handler)> (io.vertx.core.eventbus.EventBus.java:[119]) in /.m2/repository/io/vertx/vertx-core/3.8.2/vertx-core-3.8.2.jar
at <io.vertx.guides.wiki.database.WikiDatabaseServiceVertxEBProxy: io.vertx.guides.wiki.database.WikiDatabaseService savePage(int,java.lang.String,io.vertx.core.Handler)> (io.vertx.guides.wiki.database.WikiDatabaseServiceVertxEBProxy.java:[138]) in /detect/unzip/vertx-guide-for-java-devs-3.8/step-3/target/classes
Dependency tree--

[INFO] io.vertx:wiki-step-3:jar:1.5.0
[INFO] +- io.vertx:vertx-core:jar:3.8.2:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.39.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.39.Final:compile
[INFO] |  |  \- io.netty:netty-codec-socks:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-codec-http:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-resolver:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.39.Final:compile
[INFO] |  |  \- io.netty:netty-codec-dns:jar:4.1.39.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.1:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] +- io.vertx:vertx-service-proxy:jar:3.8.2:compile
[INFO] +- io.vertx:vertx-web:jar:3.8.2:compile
[INFO] |  +- io.vertx:vertx-web-common:jar:3.8.2:compile
[INFO] |  +- io.vertx:vertx-auth-common:jar:3.8.2:compile
[INFO] |  \- io.vertx:vertx-bridge-common:jar:3.8.2:compile
[INFO] +- io.vertx:vertx-web-templ-freemarker:jar:3.8.2:compile
[INFO] |  \- org.freemarker:freemarker:jar:2.3.28:compile
[INFO] +- com.github.rjeschke:txtmark:jar:0.13:compile
[INFO] +- io.vertx:vertx-jdbc-client:jar:3.8.2:compile
[INFO] |  +- io.vertx:vertx-sql-common:jar:3.8.2:compile
[INFO] |  \- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO] |     \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  +- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.hsqldb:hsqldb:jar:2.5.0:compile
[INFO] +- io.vertx:vertx-codegen:jar:3.8.2:provided
[INFO] |  \- org.mvel:mvel2:jar:2.3.1.Final:provided

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect avatar Oct 06 '21 03:10 CVEDetect
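A check a maintainer can run over a dependency tree like the one quoted above, as an added example that is not part of this issue or of the project: it parses `mvn dependency:tree` output and reports which artifacts fall inside a Maven-style version interval such as the "[4.0.0.Final, 4.1.59.Final)" range the report cites. The version ordering is a simplified approximation of Maven's (an assumption noted in the code), and the sample tree is a constructed subset of the report's output.

```python
import re

# One `mvn dependency:tree` line: "[INFO] |  +- io.netty:netty-codec:jar:4.1.39.Final:compile"
TREE_LINE = re.compile(r"^\[INFO\]\s*[|+\\ -]*([\w.-]+):([\w.-]+):\w+:([\w.-]+)(?::(\w+))?$")

SAMPLE_TREE = r"""
[INFO] io.vertx:wiki-step-3:jar:1.5.0
[INFO] +- io.vertx:vertx-core:jar:3.8.2:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.39.Final:compile
[INFO] |  |  \- io.netty:netty-codec:jar:4.1.39.Final:compile
"""  # constructed subset of the tree quoted in the report
AFFECTED = "[4.0.0.Final, 4.1.59.Final)"  # interval quoted in the report


def version_key(version):
    # Simplified Maven ordering (assumption): numeric tokens compare as ints,
    # "Final"/"ga" equal no qualifier, other qualifiers sort after the release.
    key = []
    for tok in re.split(r"[.-]", version):
        if tok.isdigit():
            key.append((0, int(tok)))
        elif tok.lower() not in ("", "final", "ga"):
            key.append((1, tok.lower()))
    return key


def parse_range(spec):
    # "[lo, hi)" -> (lo_inclusive, lo, hi, hi_inclusive); an empty bound is open
    m = re.fullmatch(r"\s*([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])\s*", spec)
    if not m:
        raise ValueError(f"bad Maven version range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    return lo_br == "[", lo or None, hi or None, hi_br == "]"


def in_range(version, spec):
    lo_incl, lo, hi, hi_incl = parse_range(spec)
    k = version_key(version)
    above_lo = lo is None or k > version_key(lo) or (lo_incl and k == version_key(lo))
    below_hi = hi is None or k < version_key(hi) or (hi_incl and k == version_key(hi))
    return above_lo and below_hi


def parse_tree(text):
    # -> [(groupId:artifactId, version, scope)] for every artifact line
    deps = []
    for m in filter(None, map(TREE_LINE.match, text.splitlines())):
        group, artifact, version, scope = m.groups()
        deps.append((f"{group}:{artifact}", version, scope or "compile"))
    return deps


def affected(text, coord_prefix, spec):
    # Artifacts under coord_prefix (e.g. "io.netty:") whose version lies in spec
    return [(ga, v) for ga, v, _ in parse_tree(text) if ga.startswith(coord_prefix) and in_range(v, spec)]
```

Running `affected(SAMPLE_TREE, "io.vertx:vertx-core", AFFECTED)` against the quoted interval returns nothing, while the netty artifacts do fall inside it, which is the kind of mismatch worth confirming against the advisory before bumping a version.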

@jponge Could you please help me check this issue? May I open a pull request to fix it? Thanks again.

CVEDetect avatar Oct 06 '21 03:10 CVEDetect

You may open a PR to the latest 3.9 versions.

Note that this project is not actively maintained these days.

jponge avatar Oct 06 '21 07:10 jponge