winery
Dependency org.apache.commons:commons-configuration2 leading to a CVE problem
Hi, in org.eclipse.winery.common/ there is a dependency org.apache.commons:commons-configuration2:2.3 that calls the risk method.
The affected version range of this CVE is [2.2, 2.7).
After further analysis, the main API called in this project is org.apache.commons.configuration2.YAMLConfiguration: read(java.io.Reader).
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length: 2
```text
org.eclipse.winery.common.configuration.UiConfigurationObject: initialize()
    .m2/repository/org/glassfish/hk2/osgi-resource-locator/1.0.3/osgi-resource-locator-1.0.3.jar
org.apache.commons.configuration2.YAMLConfiguration: read(java.io.InputStream)
```
Dependency tree--
```text
[INFO] org.eclipse.winery:org.eclipse.winery.common:jar:3.0.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- org.yaml:snakeyaml:jar:1.25:compile
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.10.1:compile
[INFO] +- org.glassfish.jaxb:jaxb-runtime:jar:2.4.0-b180830.0438:runtime
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.4.0-b180830.0359:runtime
[INFO] |  +- org.glassfish.jaxb:txw2:jar:2.4.0-b180830.0438:runtime
[INFO] |  +- com.sun.istack:istack-commons-runtime:jar:3.0.7:runtime
[INFO] |  +- org.jvnet.staxex:stax-ex:jar:1.8:runtime
[INFO] |  +- com.sun.xml.fastinfoset:FastInfoset:jar:1.2.15:runtime
[INFO] |  \- javax.activation:javax.activation-api:jar:1.2.0:runtime
[INFO] +- org.glassfish.jersey.media:jersey-media-json-jackson:jar:2.30.1:compile
[INFO] |  +- org.glassfish.jersey.core:jersey-common:jar:2.30.1:compile
[INFO] |  |  +- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
[INFO] |  |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  |  +- org.glassfish.hk2.external:jakarta.inject:jar:2.6.1:compile
[INFO] |  |  +- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:compile
[INFO] |  |  \- com.sun.activation:jakarta.activation:jar:1.2.1:compile
[INFO] |  +- org.glassfish.jersey.ext:jersey-entity-filtering:jar:2.30.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.10.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.10.1:compile
[INFO] |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.10.1:compile
[INFO] |     +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
[INFO] |     \- jakarta.activation:jakarta.activation-api:jar:1.2.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] +- jstl:jstl:jar:1.2:compile
[INFO] +- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.7:compile
[INFO] +- org.apache.commons:commons-configuration2:jar:2.3:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- de.danielbechler:java-object-diff:jar:0.95:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:test
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.3:test
[INFO] +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
[INFO] |  +- org.opentest4j:opentest4j:jar:1.2.0:test
[INFO] |  +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
[INFO] |  \- org.apiguardian:apiguardian-api:jar:1.1.2:test
[INFO] +- io.github.adr:e-adr:jar:1.0.0:compile
[INFO] \- org.eclipse.jdt:org.eclipse.jdt.annotation:jar:2.1.0:compile
```
Suggested solutions:
Update the dependency version.
Thank you very much.
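As a concrete check for this report, the following is an added Java example; it is not code from the Winery project or from the issue author. It assumes SnakeYAML 1.25 and commons-configuration2 are on the classpath (the dependency tree above shows 2.3) and that the class is compiled in the default package so the YAML tag matches its binary name. It contrasts SnakeYAML's unrestricted default loader, which YAMLConfiguration in the affected range used internally, with `SafeConstructor`, which the 2.7 fix restricts the loader to, and then drives the reported call, `YAMLConfiguration.read(Reader)`, with a constructed probe document whose `!!` class tag names a harmless canary class. The result tells you whether the resolved artifact instantiates document-named classes, rather than trusting the version string alone.

```java
import java.io.StringReader;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.commons.configuration2.YAMLConfiguration;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Probe for the YAMLConfiguration weakness discussed in the issue: can a YAML
 * document name a Java class that the loader then instantiates?
 * Example code, not part of Winery or commons-configuration2.
 */
public class YamlConfigProbe {

    /** Harmless canary: counts how often a YAML loader constructed it. */
    public static class Canary {
        static final AtomicInteger INSTANCES = new AtomicInteger();
        public Canary() { INSTANCES.incrementAndGet(); }
    }

    // Constructed probe document. "!!" is SnakeYAML's class tag; the name must be
    // the canary's fully qualified binary name (default package assumed here).
    static final String PROBE =
          "marker: !!YamlConfigProbe$Canary {}\n"
        + "plain: value\n";

    /** Unrestricted SnakeYAML: the loader YAMLConfiguration 2.2 to 2.6 used internally. */
    static Object loadUnrestricted(String doc) {
        return new Yaml().load(doc);
    }

    /** SafeConstructor builds only standard YAML types; a class tag raises YAMLException. */
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    /**
     * Feed the probe through the API the issue names, YAMLConfiguration.read(Reader),
     * and report whether the resolved commons-configuration2 honoured the class tag.
     * The canary counter, not the exception, is the evidence: a fixed version throws
     * before constructing anything, a vulnerable one constructs and returns normally.
     */
    static boolean yamlConfigurationInstantiatesTaggedClasses() {
        int before = Canary.INSTANCES.get();
        YAMLConfiguration cfg = new YAMLConfiguration();
        try {
            cfg.read(new StringReader(PROBE));
        } catch (Exception e) {
            // 2.7+ rejects the tag and wraps SnakeYAML's exception in a ConfigurationException.
        }
        return Canary.INSTANCES.get() > before;
    }

    public static void main(String[] args) {
        Map<?, ?> loaded = (Map<?, ?>) loadUnrestricted(PROBE);
        System.out.println("new Yaml():      marker is " + loaded.get("marker").getClass().getName());
        try {
            loadSafe(PROBE);
            System.out.println("SafeConstructor: accepted the class tag (unexpected)");
        } catch (YAMLException e) {
            System.out.println("SafeConstructor: rejected: " + e.getMessage());
        }
        System.out.println("YAMLConfiguration instantiates tagged classes: "
                + yamlConfigurationInstantiatesTaggedClasses());
    }
}
```

Run it with the module's resolved classpath (`mvn dependency:build-classpath` gives it); with commons-configuration2 2.3 the last line reports `true`. After bumping to 2.7 or later it reports `false`, and the unrestricted `new Yaml()` line still instantiates the canary, which is the reminder that any other direct `new Yaml()` use in the code base needs the same `SafeConstructor` treatment even after the dependency update.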