infinispan-quickstart
Dependency org.infinispan:infinispan-commons, leading to CVE problem
Hi, in infinispan-quickstart/jboss-as7, there is a dependency org.infinispan:infinispan-commons:6.0.2.Final that calls the risk method.
The affected version range of this CVE is [,9.4.17.Final),[10.0.0.Alpha1,10.0.0.Final).
After further analysis, the main API called in this project is <org.infinispan.commons.util.ReflectionUtil: java.lang.Object invokeAccessibly(java.lang.Object,java.lang.reflect.Method,java.lang.Object[])>
Risk method repair link: GitHub
CVE Bug Invocation Path--
Path Length: 7
```text
<org.infinispan.commons.util.ReflectionUtil: java.lang.Object invokeAccessibly(java.lang.Object,java.lang.reflect.Method,java.lang.Object[])>
at <org.infinispan.distribution.group.GroupManagerImpl$GroupMetadataImpl: java.lang.String getGroup(java.lang.Object)> (org.infinispan.distribution.group.GroupManagerImpl$GroupMetadataImpl.java:[46]) in /.m2/repository/org/infinispan/infinispan-core/6.0.2.Final/infinispan-core-6.0.2.Final.jar
at <org.infinispan.distribution.group.GroupManagerImpl: java.lang.String getGroup(java.lang.Object)> (org.infinispan.distribution.group.GroupManagerImpl.java:[76]) in /.m2/repository/org/infinispan/infinispan-core/6.0.2.Final/infinispan-core-6.0.2.Final.jar
at <org.infinispan.distribution.group.GroupingConsistentHash: java.lang.Object getGroupKey(java.lang.Object)> (org.infinispan.distribution.group.GroupingConsistentHash.java:[107]) in /.m2/repository/org/infinispan/infinispan-core/6.0.2.Final/infinispan-core-6.0.2.Final.jar
at <org.infinispan.distribution.group.GroupingConsistentHash: java.util.List locateOwners(java.lang.Object)> (org.infinispan.distribution.group.GroupingConsistentHash.java:[82]) in /.m2/repository/org/infinispan/infinispan-core/6.0.2.Final/infinispan-core-6.0.2.Final.jar
at <org.infinispan.distribution.DistributionManagerImpl: java.util.List locate(java.lang.Object)> (org.infinispan.distribution.DistributionManagerImpl.java:[87]) in /.m2/repository/org/infinispan/infinispan-core/6.0.2.Final/infinispan-core-6.0.2.Final.jar
at <org.infinispan.quickstart.jbossas7.Controller: java.util.List locate()> (org.infinispan.quickstart.jbossas7.Controller.java:[80]) in /detect/unzip/infinispan-quickstart-main/jboss-as7/target/classes
```
Dependency tree--
```text
[INFO] org.infinispan.quickstart:jboss-as7-quickstart:war:5.0.0-SNAPSHOT
[INFO] +- org.infinispan:infinispan-core:jar:6.0.2.Final:provided
[INFO] |  +- org.infinispan:infinispan-commons:jar:6.0.2.Final:compile
[INFO] |  +- org.jgroups:jgroups:jar:3.4.1.Final:provided
[INFO] |  +- org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:jar:1.0.0.Final:provided
[INFO] |  +- org.jboss.marshalling:jboss-marshalling-river:jar:1.4.4.Final:compile
[INFO] |  +- org.jboss.marshalling:jboss-marshalling:jar:1.4.4.Final:compile
[INFO] |  \- org.jboss.logging:jboss-logging:jar:3.1.2.GA:compile
[INFO] +- org.infinispan:infinispan-cdi:jar:6.0.2.Final:compile
[INFO] |  \- org.infinispan:infinispan-client-hotrod:jar:6.0.2.Final:compile
[INFO] |     \- commons-pool:commons-pool:jar:1.6:compile
[INFO] +- javax.enterprise:cdi-api:jar:1.0-SP4:provided
[INFO] |  +- org.jboss.spec.javax.interceptor:jboss-interceptors-api_1.1_spec:jar:1.0.0.Final:provided
[INFO] |  \- javax.inject:javax.inject:jar:1:provided
[INFO] +- org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec:jar:1.0.0.Final:provided
[INFO] +- org.jboss.spec.javax.servlet:jboss-servlet-api_3.0_spec:jar:1.0.0.Final:provided
[INFO] \- org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec:jar:1.0.1.Final:provided
```
Suggested solutions:
Update dependency version
Thank you very much.
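As an added example (not part of this report or of the Infinispan project), the following Python check scans `mvn dependency:tree` output and flags `org.infinispan` artifacts whose resolved version falls inside the affected range quoted above, so the same kind of finding can be reproduced or re-verified after a version bump. The tree excerpt, the qualifier ordering and the helper names are constructed assumptions.

```python
import re

# Constructed sample: a `mvn dependency:tree` excerpt in the shape shown in the report.
TREE = """\
[INFO] org.infinispan.quickstart:jboss-as7-quickstart:war:5.0.0-SNAPSHOT
[INFO] +- org.infinispan:infinispan-core:jar:6.0.2.Final:provided
[INFO] |  +- org.infinispan:infinispan-commons:jar:6.0.2.Final:compile
[INFO] |  \\- org.jboss.logging:jboss-logging:jar:3.1.2.GA:compile
[INFO] \\- org.infinispan:infinispan-cdi:jar:6.0.2.Final:compile
"""
AFFECTED = "[,9.4.17.Final),[10.0.0.Alpha1,10.0.0.Final)"  # range quoted in the report
# Ordering of Infinispan release qualifiers (assumption; unknown qualifiers rank as Final).
QUALIFIER_RANK = {"snapshot": 0, "alpha": 1, "beta": 2, "cr": 3, "final": 4}
INTERVAL_RE = re.compile(r"([\[(])([^,\[\]()]*),([^,\[\]()]*)([\])])")
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+)(?::(\w+))?\s*$")  # g:a:type:v[:scope]

def parse_version(v):
    """'9.4.17.Final' -> (9, 4, 17, 4, 0); '10.0.0.Alpha1' -> (10, 0, 0, 1, 1)."""
    nums, qual = [], (QUALIFIER_RANK["final"], 0)  # a bare '9.4.17' counts as Final
    for tok in re.split(r"[.-]", v):
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", tok)
        if tok.isdigit():
            nums.append(int(tok))
        elif m:  # qualifier with optional ordinal, e.g. Alpha1, CR2, Final
            qual = (QUALIFIER_RANK.get(m.group(1).lower(), 4), int(m.group(2) or 0))
    return tuple((nums + [0, 0, 0])[:3]) + qual

def in_range(version, spec):
    """True if `version` lies in any interval of a Maven range like '[,9.4.17.Final)'."""
    v = parse_version(version)
    for lb, lo, hi, hb in INTERVAL_RE.findall(spec):  # bracket = inclusive, paren = exclusive
        above = not lo or (v >= parse_version(lo) if lb == "[" else v > parse_version(lo))
        below = not hi or (v <= parse_version(hi) if hb == "]" else v < parse_version(hi))
        if above and below:
            return True
    return False

def find_affected(tree_text, spec, group="org.infinispan", artifact=None):
    """(groupId, artifactId, version, scope) for each `group` entry (optionally one
    artifactId) whose resolved version falls inside the affected range `spec`."""
    hits = []
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == group and artifact in (None, m.group(2)) \
                and in_range(m.group(3), spec):
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4) or "compile"))
    return hits
```

Running `find_affected(TREE, AFFECTED)` on the constructed tree reports every 6.0.2.Final Infinispan artifact, not just infinispan-commons, which is why a fix has to bump the whole Infinispan family rather than a single transitive jar.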
@slaskawi Could you please help me check this issue? May I open a pull request to fix it? Thanks again.