
Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

Open · CVEDetect opened this issue 2 years ago · 0 comments

Hi, in /cs-abbyy there is a dependency **org.apache.httpcomponents:httpclient:jar:4.5.5** that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link: GitHub

CVE Bug Invocation Path--

Path Length : 7

io.cloudslang.content.abbyy.http.HttpClient: execute(io.cloudslang.content.abbyy.entities.requests.HttpRequest)Lio.cloudslang.content.abbyy.entities.responses.HttpClientResponse; /.m2/repository/javax/xml/jaxp-api/1.4.2/jaxp-api-1.4.2.jar
io.cloudslang.content.httpclient.actions.HttpClientAction: execute(java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,java.lang.String,com.hp.oo.sdk.content.plugin.SerializableSessionObject,com.hp.oo.sdk.content.plugin.GlobalSessionObject)Ljava.util.Map; /.m2/repository/jcifs/jcifs/1.3.17/jcifs-1.3.17.jar
io.cloudslang.content.httpclient.services.HttpClientService: execute(io.cloudslang.content.httpclient.entities.HttpClientInputs)Ljava.util.Map; /.m2/repository/jcifs/jcifs/1.3.17/jcifs-1.3.17.jar
io.cloudslang.content.httpclient.services.HttpClientService: execute(org.apache.http.impl.client.CloseableHttpClient,org.apache.http.client.methods.HttpRequestBase,org.apache.http.client.protocol.HttpClientContext)Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/jcifs/jcifs/1.3.17/jcifs-1.3.17.jar
io.cloudslang.content.httpclient.execute.HttpClientExecutor: execute()Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/jcifs/jcifs/1.3.17/jcifs-1.3.17.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/jcifs/jcifs/1.3.17/jcifs-1.3.17.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; /.m2/repository/jcifs/jcifs/1.3.17/jcifs-1.3.17.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] io.cloudslang.content:cs-abbyy:jar:0.0.4-SNAPSHOT
[INFO] +- javax.xml:jaxp-api:jar:1.4.2:compile
[INFO] +- com.hp.score.sdk:score-content-sdk:jar:1.10.7:compile
[INFO] +- io.cloudslang.content:cs-commons:jar:0.0.5:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] |  \- org.jetbrains:annotations:jar:15.0:compile
[INFO] +- commons-io:commons-io:jar:2.5:compile
[INFO] +- io.cloudslang.content:cs-http-client:jar:0.1.77:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.5:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.9:compile
[INFO] |  +- org.apache.httpcomponents:httpmime:jar:4.5.5:compile
[INFO] |  \- jcifs:jcifs:jar:1.3.17:compile
[INFO] |     \- javax.servlet:servlet-api:jar:2.4:compile
[INFO] +- junit:junit:jar:4.13.1:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.mockito:mockito-all:jar:1.10.19:test
[INFO] +- org.powermock:powermock-module-junit4:jar:1.6.5:test
[INFO] |  \- org.powermock:powermock-module-junit4-common:jar:1.6.5:test
[INFO] |     +- org.powermock:powermock-core:jar:1.6.5:test
[INFO] |     |  \- org.javassist:javassist:jar:3.20.0-GA:test
[INFO] |     \- org.powermock:powermock-reflect:jar:1.6.5:test
[INFO] \- org.powermock:powermock-api-mockito:jar:1.6.5:test
[INFO]    +- org.mockito:mockito-core:jar:1.10.19:test
[INFO]    |  \- org.objenesis:objenesis:jar:2.1:test
[INFO]    \- org.powermock:powermock-api-mockito-common:jar:1.6.5:test
[INFO]       \- org.powermock:powermock-api-support:jar:1.6.5:test

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect · Feb 03 '23 09:02
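The report above pairs a Maven version range ("[,4.5.13)") with a `mvn dependency:tree` dump, which is exactly the input an SCA check consumes. The script below is an added example, not code from the issue or from the cs-actions project: it parses the tree output quoted in the issue (embedded here as a constructed sample), evaluates each artifact against the advisory range, and reports the transitive path that pulls the vulnerable httpclient in (here via cs-http-client:0.1.77). The Maven range syntax handled is a single interval such as `[,4.5.13)` or `[4.5.13,)`; version ordering is a simplification (numeric segments compared as integers, qualifiers after them, SNAPSHOT ordering not modelled), which is an assumption adequate for the versions on this page but not a full Maven `ComparableVersion`.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample: the relevant part of the dependency tree quoted in the issue.
SAMPLE_TREE = r"""
[INFO] io.cloudslang.content:cs-abbyy:jar:0.0.4-SNAPSHOT
[INFO] +- io.cloudslang.content:cs-http-client:jar:0.1.77:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.5:compile
[INFO] |  |  +- commons-logging:commons-logging:jar:1.2:compile
[INFO] |  |  \- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.9:compile
[INFO] |  +- org.apache.httpcomponents:httpmime:jar:4.5.5:compile
[INFO] |  \- jcifs:jcifs:jar:1.3.17:compile
[INFO] +- junit:junit:jar:4.13.1:test
"""

# Advisory data as given in the issue: groupId:artifactId -> (CVE, affected Maven range).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "org.apache.httpcomponents:httpclient": ("CVE-2020-13956", "[,4.5.13)"),
}

# groupId:artifactId:type:version[:scope] as printed by mvn dependency:tree
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([A-Za-z]+):([A-Za-z0-9_.\-]+)(?::([a-z]+))?"
)
RANGE_RE = re.compile(r"([\[(])\s*([^,\]\)]*)\s*,\s*([^,\]\)]*)\s*([\])])")


def parse_version(v: str) -> Tuple[Tuple[int, object], ...]:
    """Simplified ordering: numeric segments as ints (tag 0), qualifiers as strings (tag 1)."""
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in re.split(r"[.\-]", v))


def in_maven_range(version: str, spec: str) -> bool:
    """True if version lies inside a single-interval Maven range such as '[,4.5.13)'."""
    m = RANGE_RE.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"unsupported range spec: {spec}")
    lo_incl, lo, hi, hi_incl = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    v = parse_version(version)
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and not lo_incl):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and not hi_incl):
            return False
    return True


def parse_tree(text: str) -> Iterator[Tuple[int, str, str, str, List[str]]]:
    """Yield (depth, groupId:artifactId, version, scope, chain-from-root) for each node.

    The tree drawing uses three characters per nesting level ('+- ', '|  ', '\\- '),
    so depth is the length of the prefix before the coordinates divided by three.
    """
    stack: List[str] = []
    for line in text.splitlines():
        if line.startswith("[INFO] "):
            line = line[len("[INFO] "):]
        m = COORD_RE.search(line)
        if not m:
            continue
        group, artifact, _type, version, scope = m.groups()
        depth = len(line[: m.start()]) // 3
        stack = stack[:depth]
        stack.append(f"{group}:{artifact}:{version}")
        yield depth, f"{group}:{artifact}", version, scope or "", list(stack)


def find_vulnerable(tree_text: str, advisories: Dict[str, Tuple[str, str]] = ADVISORIES) -> List[dict]:
    """Match every node in the tree against the advisory table and record how it is introduced."""
    findings = []
    for _depth, ga, version, scope, chain in parse_tree(tree_text):
        if ga in advisories:
            cve, spec = advisories[ga]
            if in_maven_range(version, spec):
                findings.append({
                    "cve": cve,
                    "artifact": f"{ga}:{version}",
                    "scope": scope,
                    "via": " -> ".join(chain),
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"{f['cve']}: {f['artifact']} ({f['scope']}) introduced via {f['via']}")
```

The `via` chain is the actionable part: httpclient 4.5.5 is not declared by cs-abbyy itself but arrives transitively through cs-http-client, so the fix is either to move to a cs-http-client release that ships httpclient 4.5.13 or later, or to force the version from the consuming pom with a `dependencyManagement` entry, and then re-run `mvn dependency:tree` and this check to confirm that no 4.5.x below 4.5.13 remains on the compile classpath.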