Hi, In zms-1.0.0/zms-common,there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.
CVE-2020-13956
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.zto.zms.utils.HttpClient: java.lang.String post(java.lang.String,java.lang.String,int,int)> (com.zto.zms.utils.HttpClient.java:[87]) in /detect/unzip/zms-1.0.0/zms-common/target/classes
Dependency tree--
[INFO] com.zto.zms:zms-common:jar:1.0.0.RELEASE
[INFO] +- io.springside:springside-utils:jar:5.0.0-RC1:compile
[INFO] | +- com.google.guava:guava:jar:20.0:compile
[INFO] | \- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] +- org.apache.kafka:kafka-clients:jar:2.2.1:compile
[INFO] | +- com.github.luben:zstd-jni:jar:1.3.8-1:compile
[INFO] | +- org.lz4:lz4-java:jar:1.5.0:compile
[INFO] | \- org.xerial.snappy:snappy-java:jar:1.1.7.2:compile
[INFO] +- org.apache.kafka:kafka_2.11:jar:2.2.1:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.9:compile
[INFO] | +- net.sf.jopt-simple:jopt-simple:jar:5.0.4:compile
[INFO] | +- com.yammer.metrics:metrics-core:jar:2.2.0:compile
[INFO] | +- org.scala-lang:scala-library:jar:2.11.12:compile
[INFO] | +- org.scala-lang:scala-reflect:jar:2.11.12:compile
[INFO] | +- com.typesafe.scala-logging:scala-logging_2.11:jar:3.9.0:compile
[INFO] | +- com.101tec:zkclient:jar:0.11:compile
[INFO] | \- org.apache.zookeeper:zookeeper:jar:3.4.13:compile
[INFO] | \- org.apache.yetus:audience-annotations:jar:0.5.0:compile
[INFO] +- org.apache.rocketmq:rocketmq-client:jar:4.1.0-incubating:compile
[INFO] | \- org.apache.rocketmq:rocketmq-common:jar:4.1.0-incubating:compile
[INFO] | \- org.apache.rocketmq:rocketmq-remoting:jar:4.1.0-incubating:compile
[INFO] | \- io.netty:netty-all:jar:4.1.36.Final:compile
[INFO] +- org.apache.rocketmq:rocketmq-tools:jar:4.1.0-incubating:compile
[INFO] | +- org.apache.rocketmq:rocketmq-store:jar:4.1.0-incubating:compile
[INFO] | | \- net.java.dev.jna:jna:jar:4.5.2:compile
[INFO] | +- org.apache.rocketmq:rocketmq-srvutil:jar:4.1.0-incubating:compile
[INFO] | | \- commons-cli:commons-cli:jar:1.2:compile
[INFO] | +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.67:compile
[INFO] +- org.ini4j:ini4j:jar:0.5.4:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] +- commons-logging:commons-logging:jar:1.2:compile
[INFO] \- commons-codec:commons-codec:jar:1.11:compile
Suggested solutions:
Update dependency version
Thank you very much.
Hi, In zms-1.0.0/zms-common,there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.
CVE-2020-13956
The scope of this CVE affected version is [,4.5.13)
After further analysis, in this project, the main Api called is <org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
Dependency tree--
Suggested solutions:
Update dependency version
Thank you very much.