WMS
Dependency org.apache.poi:poi-ooxml, leading to CVE problem
Hi, in WMS there is a dependency org.apache.poi:poi-ooxml:3.15-beta2 that calls the risk method.
The CVE's affected version range is [,4.1.0).
After further analysis, the main API called in this project is <org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>.
Risk method repair link: GitHub
CVE Bug Invocation Path:
Path length: 2
<org.apache.poi.xssf.streaming.SXSSFCell: java.lang.String getStringCellValue()>
at <com.ken.wms.common.util.ExcelUtil: java.util.List excelReader(java.lang.Class,org.springframework.web.multipart.MultipartFile)> (com.ken.wms.common.util.ExcelUtil.java:[133]) in /detect/unzip/WMS-master/target/classes
Dependency tree:
[INFO] com.ken:WMS:war:1.0-SNAPSHOT
[INFO] +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] +- javax.servlet.jsp:javax.servlet.jsp-api:jar:2.3.3:provided
[INFO] +- junit:junit:jar:4.12:compile
[INFO] | \- org.hamcrest:hamcrest-core:jar:1.3:compile
[INFO] +- aopalliance:aopalliance:jar:1.0:compile
[INFO] +- org.aspectj:aspectjweaver:jar:1.8.0:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.3.3:compile
[INFO] +- commons-io:commons-io:jar:2.1:compile
[INFO] +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] +- org.apache.commons:commons-configuration2:jar:2.1:compile
[INFO] | \- org.apache.commons:commons-lang3:jar:3.3.2:compile
[INFO] +- org.apache.poi:poi:jar:3.15-beta2:compile
[INFO] | \- commons-codec:commons-codec:jar:1.10:compile
[INFO] +- org.apache.poi:poi-excelant:jar:3.15-beta2:compile
[INFO] | \- org.apache.ant:ant:jar:1.8.2:compile
[INFO] | \- org.apache.ant:ant-launcher:jar:1.8.2:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.15-beta2:compile
[INFO] | \- com.github.virtuald:curvesapi:jar:1.04:compile
[INFO] +- org.apache.poi:poi-ooxml-schemas:jar:3.15-beta2:compile
[INFO] | \- org.apache.xmlbeans:xmlbeans:jar:2.6.0:compile
[INFO] | \- stax:stax-api:jar:1.0.1:compile
[INFO] +- org.apache.poi:poi-scratchpad:jar:3.15-beta2:compile
[INFO] +- org.mybatis:mybatis:jar:3.4.0:compile
[INFO] +- org.mybatis:mybatis-spring:jar:1.3.0:compile
[INFO] +- com.github.pagehelper:pagehelper:jar:4.1.6:compile
[INFO] | \- com.github.jsqlparser:jsqlparser:jar:0.9.5:compile
[INFO] +- org.springframework:spring-aop:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-beans:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-context:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-core:jar:4.3.19.RELEASE:compile
[INFO] +- org.springframework:spring-expression:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-jdbc:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-orm:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-tx:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-web:jar:4.3.17.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.3.17.RELEASE:compile
[INFO] +- org.apache.shiro:shiro-all:jar:1.3.2:compile
[INFO] | \- org.apache.shiro:shiro-guice:jar:1.3.2:compile
[INFO] | +- org.apache.shiro:shiro-core:jar:1.3.2:compile
[INFO] | +- com.google.inject:guice:jar:3.0:compile
[INFO] | | \- javax.inject:javax.inject:jar:1:compile
[INFO] | \- com.google.inject.extensions:guice-multibindings:jar:3.0:compile
[INFO] +- net.sf.ehcache:ehcache:jar:2.10.2:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.49:compile
[INFO] +- com.mchange:c3p0:jar:0.9.5.4:compile
[INFO] | \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.21:compile
[INFO] +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.5:compile
Suggested solutions:
Update dependency version
Thank you very much.
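As an added example that is not part of this issue or the WMS project: a small check that parses `mvn dependency:tree` output and flags any artifact whose version falls inside a Maven version range such as the reported [,4.1.0). Function names are hypothetical, and the sample tree is a constructed subset of the tree above.

```python
import re

# Constructed sample: a subset of the report's `mvn dependency:tree` output.
SAMPLE_TREE = """\
[INFO] com.ken:WMS:war:1.0-SNAPSHOT
[INFO] +- org.apache.poi:poi:jar:3.15-beta2:compile
[INFO] +- org.apache.poi:poi-ooxml:jar:3.15-beta2:compile
[INFO] |  \\- com.github.virtuald:curvesapi:jar:1.04:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.3.2:compile
"""

# Affected range as stated in the report: every poi-ooxml version below 4.1.0.
AFFECTED = {"org.apache.poi:poi-ooxml": "[,4.1.0)"}

# groupId:artifactId:type:version:scope as printed by dependency:tree
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:[\w\-]+):([\w.\-]+):\w+$")

def version_key(version):
    """Numeric prefix of a Maven version as a tuple, padded to 3 parts.
    A trailing qualifier (e.g. '-beta2', '-SNAPSHOT') sorts below the bare release."""
    m = re.match(r"(\d+(?:\.\d+)*)(.*)", version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0,) if m.group(2) else (1,))

def in_range(version, spec):
    """Evaluate a Maven range like '[,4.1.0)' or '[3.0,4.1.0]' against a version."""
    lo_incl, hi_incl = spec[0] == "[", spec[-1] == "]"
    lo, hi = spec[1:-1].split(",")
    v = version_key(version)
    if lo and (v < version_key(lo) or (v == version_key(lo) and not lo_incl)):
        return False
    if hi and (v > version_key(hi) or (v == version_key(hi) and not hi_incl)):
        return False
    return True

def find_affected(tree_text, affected=AFFECTED):
    """Return (groupId:artifactId, version) pairs that fall in an affected range."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        ga = f"{m.group(1)}:{m.group(2)}"
        if ga in affected and in_range(m.group(3), affected[ga]):
            hits.append((ga, m.group(3)))
    return hits

if __name__ == "__main__":
    print(find_affected(SAMPLE_TREE))  # [('org.apache.poi:poi-ooxml', '3.15-beta2')]
```

Re-running it after bumping the version in the pom (4.1.0 or later) should return an empty list.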
@Bbbzhao Could you please help me check this issue? May I open a pull request to fix it? Thanks again.