Skip to content

Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #94

Closed
Closed
Dependency org.apache.httpcomponents:httpclient, leading to CVE problem#94
@CVEDetect

Description

@CVEDetect
CVEDetect
opened on Nov 4, 2022

Hi, there is a dependency org.apache.httpcomponents:httpclient:4.5.1 that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 4

com.aliyun.openservices.log.http.comm.TimeoutServiceClient$HttpRequestTask:call()Lorg.apache.http.client.methods.CloseableHttpResponse; .m2/repository/org/apache/httpcomponents/httpclient/4.5.1/httpclient-4.5.1.jar
org.apache.http.impl.client.CloseableHttpClient:execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse;.m2/repository/org/apache/httpcomponents/httpclient/4.5.1/httpclient-4.5.1.jar
org.apache.http.impl.client.CloseableHttpClient:determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/apache/httpcomponents/httpclient/4.5.1/httpclient-4.5.1.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] com.aliyun.openservices:aliyun-log:jar:0.6.75
[INFO] +- junit:junit:jar:4.10:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.1:test
[INFO] +- com.alibaba:fastjson:jar:1.2.83_noneautotype:compile
[INFO] +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] +- net.jpountz.lz4:lz4:jar:1.3.0:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.1:compile
[INFO]    +- org.apache.httpcomponents:httpcore:jar:4.4.3:compile
[INFO]    +- commons-logging:commons-logging:jar:1.2:compile
[INFO]    \- commons-codec:commons-codec:jar:1.9:compile

Suggested solutions:

Update dependency version

Thank you very much.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions