tcSlackBuildNotifier
Dependency org.apache.httpcomponents:httpclient leads to a CVE problem
Hi, in tcSlackBuildNotifier/tcslackbuildnotifier-core, there is a dependency org.apache.httpcomponents:httpclient:4.3.5 that calls the risky method.
The affected version range of this CVE is [,4.5.13).
After further analysis, the main API called in this project is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>.
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length : 5

```text
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpHost getHttpHost(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[134]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.3.5/httpclient-4.3.5.jar
at <org.apache.http.impl.client.DecompressingHttpClient: org.apache.http.HttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.DecompressingHttpClient.java:[120]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.3.5/httpclient-4.3.5.jar
at <slacknotifications.SlackNotificationImpl: void postViaWebHook()> (slacknotifications.SlackNotificationImpl.java:[246]) in /detect/unzip/tcSlackBuildNotifier-1.4.7/tcslackbuildnotifier-core/target/classes
at <slacknotifications.SlackNotificationImpl: void post()> (slacknotifications.SlackNotificationImpl.java:[157]) in /detect/unzip/tcSlackBuildNotifier-1.4.7/tcslackbuildnotifier-core/target/classes
```
Dependency tree--

```text
[INFO] petegoo.teamcity.plugins.tcslacknotifications:tcslackbuildnotifier-core:jar:1.4.7
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3.5:compile
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.3.2:compile
[INFO] |  +- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] |  \- commons-codec:commons-codec:jar:1.6:compile
[INFO] +- commons-io:commons-io:jar:1.4:provided
[INFO] +- org.jdom:jdom:jar:1.1:provided
[INFO] +- com.jetbrains.teamcity:server-api:jar:8.0.0:provided
[INFO] +- com.jetbrains.teamcity:runtime-util:jar:7.1.0:provided
[INFO] +- com.jetbrains.teamcity:common-api:jar:8.0.0:provided
[INFO] +- com.intellij:openapi:jar:7.0.3:provided
[INFO] |  +- com.intellij:annotations:jar:7.0.3:provided
[INFO] |  \- com.intellij:extensions:jar:7.0.3:provided
[INFO] +- com.jetbrains.teamcity:annotations:jar:7.1.0:provided
[INFO] +- javax.servlet:servlet-api:jar:2.5:provided
[INFO] +- org.springframework:spring:jar:2.0.1:provided
[INFO] +- com.thoughtworks.xstream:xstream:jar:1.3.1:provided
[INFO] |  \- xpp3:xpp3_min:jar:1.1.4c:provided
[INFO] +- com.google.code.gson:gson:jar:2.2.4:compile
[INFO] +- org.codehaus.jettison:jettison:jar:1.1:provided
[INFO] |  \- stax:stax-api:jar:1.0.1:provided
[INFO] \- commons-beanutils:commons-beanutils:jar:1.8.3:provided
```
Suggested solutions:
Update the dependency version.
Thank you very much.
@marvin-w Could you please help me check this issue? May I open a pull request to fix it? Thanks again.
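A check that scans `mvn dependency:tree` output for the affected range quoted above ([,4.5.13)); this is an added example, not code from the issue or from the tcSlackBuildNotifier project. It assumes a simplified subset of Maven's version-range syntax (dotted numeric versions only, no qualifiers), and the sample tree is constructed from a few lines of the tree pasted in the issue.

```python
import re

# Maven version-range notation as quoted in the issue, e.g. "[,4.5.13)": an empty bound is
# unbounded, "[" / "]" are inclusive, "(" / ")" exclusive. Assumption: numeric components only.
RANGE_RE = re.compile(r"^([\[(])\s*([^,\])]*)\s*,\s*([^,\])]*)\s*([\])])$")
# One `mvn dependency:tree` line: "[INFO] |  +- group:artifact:type:version[:scope]"
DEP_RE = re.compile(r"^\[INFO\]\s*[|+\\ -]*([\w.-]+):([\w.-]+):(\w+):([\w.-]+)(?::(\w+))?$")

def version_key(v):
    """'4.3.5' -> (4, 3, 5); a non-numeric component sorts below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))

def cmp_versions(a, b):
    """-1, 0 or 1; the shorter tuple is zero-padded so that '4.5' == '4.5.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka, kb = ka + (0,) * (n - len(ka)), kb + (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)

def in_range(version, vrange):
    """True if version lies inside the Maven-style range string."""
    m = RANGE_RE.match(vrange.strip())
    if not m:
        raise ValueError("unsupported range: " + vrange)
    lo_br, lo, hi, hi_br = m.groups()
    if lo and (cmp_versions(version, lo) < 0 or (cmp_versions(version, lo) == 0 and lo_br == "(")):
        return False
    if hi and (cmp_versions(version, hi) > 0 or (cmp_versions(version, hi) == 0 and hi_br == ")")):
        return False
    return True

def find_affected(tree_lines, group, artifact, vrange):
    """[(version, scope)] for every tree entry of group:artifact whose version is in vrange."""
    hits = []
    for line in tree_lines:
        m = DEP_RE.match(line.rstrip())
        if m and m.group(1) == group and m.group(2) == artifact and in_range(m.group(4), vrange):
            hits.append((m.group(4), m.group(5) or "root"))
    return hits

# Constructed sample: a few lines in the shape of the tree pasted in the issue.
SAMPLE_TREE = """\
[INFO] petegoo.teamcity.plugins.tcslacknotifications:tcslackbuildnotifier-core:jar:1.4.7
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.3.5:compile
[INFO] |  \\- commons-codec:commons-codec:jar:1.6:compile
[INFO] +- com.google.code.gson:gson:jar:2.2.4:compile
""".splitlines()

if __name__ == "__main__":
    print(find_affected(SAMPLE_TREE, "org.apache.httpcomponents", "httpclient", "[,4.5.13)"))
```

Pipe the real `mvn dependency:tree` output into `find_affected` to confirm the transitive copy of httpclient has actually moved out of the range after bumping the version, since a declared upgrade can still be overridden by dependency mediation.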