biubiu
Dependency org.hibernate:hibernate-core, leading to CVE problem
Hi, in biubiu there is a dependency org.hibernate:hibernate-core:4.3.8.Final that calls the risk method.
The affected version range of this CVE is [,5.4.24.Final).
After further analysis, in this project the main API called is <org.hibernate.sql.Insert: java.lang.String toStatementString()>.
Risk method repair link: GitHub
CVE Bug Invocation Path:
Path Length: 7
<org.hibernate.sql.Insert: java.lang.String toStatementString()>
at <org.hibernate.persister.entity.AbstractEntityPersister: java.lang.String generateIdentityInsertString(boolean[])> (org.hibernate.persister.entity.AbstractEntityPersister.java:[2790]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.persister.entity.AbstractEntityPersister: void doLateInit()> (org.hibernate.persister.entity.AbstractEntityPersister.java:[4012]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.persister.entity.AbstractEntityPersister: void postInstantiate()> (org.hibernate.persister.entity.AbstractEntityPersister.java:[4015]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.internal.SessionFactoryImpl: void <init>(org.hibernate.cfg.Configuration,org.hibernate.engine.spi.Mapping,org.hibernate.service.ServiceRegistry,org.hibernate.cfg.Settings,org.hibernate.SessionFactoryObserver)> (org.hibernate.internal.SessionFactoryImpl.java:[481]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <org.hibernate.cfg.Configuration: org.hibernate.SessionFactory buildSessionFactory(org.hibernate.service.ServiceRegistry)> (org.hibernate.cfg.Configuration.java:[1859]) in /.m2/repository/org/hibernate/hibernate-core/4.3.8.Final/hibernate-core-4.3.8.Final.jar
at <com.utils.HibernateUtils: void <clinit>()> (com.utils.HibernateUtils.java:[33]) in /detect/unzip/biubiu-master/target/classes
Dependency tree:
[INFO] com:biubiu:war:1.0-SNAPSHOT
[INFO] +- org.apache.tomcat:tomcat-servlet-api:jar:8.5.15:provided
[INFO] +- org.apache.tomcat:tomcat-jsp-api:jar:8.5.15:provided
[INFO] | \- org.apache.tomcat:tomcat-el-api:jar:8.5.15:provided
[INFO] +- org.apache.tomcat:tomcat-websocket:jar:8.5.15:provided
[INFO] | +- org.apache.tomcat:tomcat-juli:jar:8.5.15:provided
[INFO] | \- org.apache.tomcat:tomcat-util:jar:8.5.15:provided
[INFO] +- org.apache.tomcat:tomcat-websocket-api:jar:8.5.15:provided
[INFO] +- javax.servlet:jstl:jar:1.2:compile
[INFO] +- org.apache.struts:struts2-core:jar:2.3.34:compile
[INFO] | +- org.apache.struts.xwork:xwork-core:jar:2.3.34:compile
[INFO] | | +- asm:asm:jar:3.3:compile
[INFO] | | \- asm:asm-commons:jar:3.3:compile
[INFO] | | \- asm:asm-tree:jar:3.3:compile
[INFO] | +- org.freemarker:freemarker:jar:2.3.22:compile
[INFO] | +- ognl:ognl:jar:3.0.21:compile
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.3.2:compile
[INFO] | \- commons-io:commons-io:jar:2.2:compile
[INFO] +- net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.8.0:compile
[INFO] | +- commons-collections:commons-collections:jar:3.2.1:compile
[INFO] | +- commons-lang:commons-lang:jar:2.5:compile
[INFO] | +- commons-logging:commons-logging:jar:1.1.1:compile
[INFO] | \- net.sf.ezmorph:ezmorph:jar:1.0.6:compile
[INFO] +- org.apache.struts:struts2-json-plugin:jar:2.3.24:compile
[INFO] | \- org.apache.commons:commons-lang3:jar:3.2:compile
[INFO] +- org.hibernate:hibernate-core:jar:4.3.8.Final:compile
[INFO] | +- org.jboss.logging:jboss-logging:jar:3.1.3.GA:compile
[INFO] | +- org.jboss.logging:jboss-logging-annotations:jar:1.2.0.Beta1:compile
[INFO] | +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.0.0.Final:compile
[INFO] | +- dom4j:dom4j:jar:1.6.1:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.0.b2:compile
[INFO] | +- org.hibernate.common:hibernate-commons-annotations:jar:4.0.5.Final:compile
[INFO] | +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] | +- org.javassist:javassist:jar:3.18.1-GA:compile
[INFO] | +- antlr:antlr:jar:2.7.7:compile
[INFO] | \- org.jboss:jandex:jar:1.1.0.Final:compile
[INFO] +- org.hibernate:hibernate-proxool:jar:4.3.8.Final:compile
[INFO] | \- proxool:proxool:jar:0.8.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.7:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.0:compile
[INFO] +- ch.qos.logback:logback-core:jar:1.2.0:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.16:compile
[INFO] | \- com.google.protobuf:protobuf-java:jar:3.6.1:compile
[INFO] \- com.qcloud:cos_api:jar:4.4:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.1:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.3:compile
[INFO] +- org.apache.httpcomponents:httpmime:jar:4.5.1:compile
[INFO] +- org.json:json:jar:20140107:compile
[INFO] +- commons-codec:commons-codec:jar:1.9:compile
[INFO] \- junit:junit:jar:4.12:compile
[INFO] \- org.hamcrest:hamcrest-core:jar:1.3:compile
Suggested solutions:
Update dependency version to 5.4.24.Final
Thank you very much.
@coderzc Could you please help me check this issue? May I open a pull request to fix it? Thanks again.