
Dependency org.apache.httpcomponents:httpclient, leading to CVE problem #89

Open
CVEDetect opened this issue Nov 23, 2022 · 0 comments

@CVEDetect

Hi, in kettle-sdk-partitioner-plugin/, there is a dependency **org.apache.httpcomponents:httpclient:4.5.9** that calls the risk method.

CVE-2020-13956

The affected version range of this CVE is [,4.5.13)

After further analysis, in this project, the main API called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 10

org.pentaho.di.sdk.samples.partitioners.demo.DemoPartitioner: loadRep(org.pentaho.di.repository.Repository,org.pentaho.di.repository.ObjectId) .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.pentaho.di.repository.AbstractRepository: getStepAttributeString(org.pentaho.di.repository.ObjectId,java.lang.String)Ljava.lang.String; .m2/repository/org/eclipse/jetty/jetty-servlet/9.4.18.v20190429/jetty-servlet-9.4.18.v20190429.jar
org.pentaho.di.repository.kdr.KettleDatabaseRepository: getStepAttributeString(org.pentaho.di.repository.ObjectId,int,java.lang.String)Ljava.lang.String; .m2/repository/org/eclipse/jetty/jetty-servlet/9.4.18.v20190429/jetty-servlet-9.4.18.v20190429.jar
org.pentaho.di.repository.kdr.delegates.KettleDatabaseRepositoryConnectionDelegate: getStepAttributeString(org.pentaho.di.repository.ObjectId,int,java.lang.String)Ljava.lang.String; .m2/repository/org/eclipse/jetty/jetty-servlet/9.4.18.v20190429/jetty-servlet-9.4.18.v20190429.jar
org.pentaho.di.repository.kdr.delegates.KettleDatabaseRepositoryConnectionDelegate: getStepAttributeRow(org.pentaho.di.repository.ObjectId,int,java.lang.String)Lorg.pentaho.di.core.RowMetaAndData; .m2/repository/org/eclipse/jetty/jetty-servlet/9.4.18.v20190429/jetty-servlet-9.4.18.v20190429.jar
org.pentaho.di.repository.kdr.delegates.KettleDatabaseRepositoryConnectionDelegate: callRead(java.util.concurrent.Callable)Ljava.lang.Object; .m2/repository/org/eclipse/jetty/jetty-servlet/9.4.18.v20190429/jetty-servlet-9.4.18.v20190429.jar
org.apache.http.impl.client.HttpRequestTaskCallable: call()Ljava.lang.Object; .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.client.ResponseHandler,org.apache.http.protocol.HttpContext)Ljava.lang.Object; .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; .m2/repository/org/netbeans/mof/200507110943/mof-200507110943.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;


Dependency tree--

[INFO] +- org.pentaho:pentaho-metadata:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- joda-time:joda-time:jar:2.10.2:provided
[INFO] |  +- commons-lang:commons-lang:jar:2.6:provided
[INFO] |  +- commons-io:commons-io:jar:2.11.0:provided
[INFO] |  +- commons-logging:commons-logging:jar:1.2:provided
[INFO] |  +- commons-math:commons-math:jar:1.1:provided
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.9:provided
[INFO] |  +- org.apache.httpcomponents:httpcore:jar:4.4.11:provided
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.17.1:provided
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.1:provided
[INFO] |  +- com.thoughtworks.xstream:xstream:jar:1.4.19:provided
[INFO] |  |  \- io.github.x-stream:mxparser:jar:1.2.2:provided
[INFO] |  |     \- xmlpull:xmlpull:jar:1.1.3.1:provided
[INFO] |  +- org.netbeans:jmi:jar:200507110943:provided
[INFO] |  +- org.netbeans:mdrapi:jar:200507110943:provided
[INFO] |  +- org.netbeans:mof:jar:200507110943:provided
[INFO] |  +- org.netbeans:nbmdr:jar:200507110943-custom:provided
[INFO] |  +- pentaho:pentaho-connections:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
[INFO] |  +- pentaho:pentaho-cwm:jar:1.5.4:provided
[INFO] |  |  +- org.netbeans:jmiutils:jar:200507110943:provided
[INFO] |  |  \- org.netbeans:openide-util:jar:200507110943:provided
[INFO] |  +- org.pentaho.reporting.library:libformula:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  \- org.pentaho.reporting.library:libbase:jar:9.5.0.0-SNAPSHOT:provided
[INFO] +- pentaho-kettle:kettle-core:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- pentaho:metastore:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.12:provided
[INFO] |  +- commons-beanutils:commons-beanutils:jar:1.9.3:provided
[INFO] |  +- commons-codec:commons-codec:jar:1.15:provided
[INFO] |  +- com.google.guava:guava:jar:17.0:provided
[INFO] |  +- org.owasp.encoder:encoder:jar:1.2:provided
[INFO] |  +- org.apache.xmlgraphics:batik-bridge:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-css:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-dom:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-gvt:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-svg-dom:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-transcoder:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-codec:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-util:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-ext:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-xml:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-anim:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-parser:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-script:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-awt-util:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-constants:jar:1.9.1:provided
[INFO] |  +- org.apache.xmlgraphics:batik-i18n:jar:1.9.1:provided
[INFO] |  +- xml-apis:xml-apis-ext:jar:1.3.04:provided
[INFO] |  +- commons-collections:commons-collections:jar:3.2.2:provided
[INFO] |  +- org.apache.commons:commons-vfs2:jar:2.7.0:provided
[INFO] |  +- commons-dbcp:commons-dbcp:jar:1.4:provided
[INFO] |  +- commons-pool:commons-pool:jar:1.5.7:provided
[INFO] |  +- org.apache.commons:commons-compress:jar:1.20:provided
[INFO] |  +- org.dom4j:dom4j:jar:2.1.1:provided
[INFO] |  +- org.eclipse.jetty:jetty-util:jar:9.4.18.v20190429:provided
[INFO] |  +- jug-lgpl:jug-lgpl:jar:2.0.0:provided
[INFO] |  +- com.jcraft:jsch:jar:0.1.54:provided
[INFO] |  +- com.jcraft:jzlib:jar:1.0.7:provided
[INFO] |  +- ognl:ognl:jar:2.6.9:provided
[INFO] |  +- net.sf.scannotation:scannotation:jar:1.0.2:provided
[INFO] |  +- com.wcohen:com.wcohen.secondstring:jar:0.1:provided
[INFO] |  +- org.javassist:javassist:jar:3.20.0-GA:provided
[INFO] |  +- org.samba.jcifs:jcifs:jar:1.3.3:provided
[INFO] |  +- pentaho:simple-jndi:jar:1.0.10:provided
[INFO] |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:runtime
[INFO] |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:runtime
[INFO] |  +- org.springframework:spring-expression:jar:5.3.23:provided
[INFO] |  |  \- org.springframework:spring-core:jar:5.3.23:provided
[INFO] |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.27:provided
[INFO] |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.27:provided
[INFO] |  \- org.pentaho:pentaho-encryption-support:jar:9.5.0.0-SNAPSHOT:provided
[INFO] +- pentaho-kettle:kettle-engine:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- org.pentaho:pdi-engine-api:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  +- javax.websocket:javax.websocket-api:jar:1.0:provided
[INFO] |  |  \- org.reactivestreams:reactive-streams:jar:1.0.0:provided
[INFO] |  +- org.pentaho:pentaho-registry:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- pentaho:mondrian:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  +- xml-apis:xml-apis:jar:1.4.01:provided
[INFO] |  |  +- javax.validation:validation-api:jar:1.0.0.GA:provided
[INFO] |  |  +- eigenbase:eigenbase-xom:jar:1.3.5:provided
[INFO] |  |  +- eigenbase:eigenbase-properties:jar:1.1.2:provided
[INFO] |  |  +- eigenbase:eigenbase-resgen:jar:1.3.1:provided
[INFO] |  |  +- xerces:xercesImpl:jar:2.12.0:provided
[INFO] |  |  +- javax.servlet:servlet-api:jar:2.4:provided
[INFO] |  |  +- javax.servlet:jsp-api:jar:2.0:provided
[INFO] |  |  +- javacup:javacup:jar:10k:provided
[INFO] |  |  \- net.java.dev.javacc:javacc:jar:5.0:provided
[INFO] |  +- pentaho:pentaho-platform-api:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  +- org.springframework.security:spring-security-core:jar:5.4.2:provided
[INFO] |  |  +- org.springframework:spring-beans:jar:5.3.23:provided
[INFO] |  |  +- org.pentaho:actionsequence-dom:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  +- org.pentaho:commons-database-model:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  \- pentaho:pentaho-service-coordinator:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- rhino:js:jar:1.7R3:provided
[INFO] |  +- org.antlr:antlr-complete:jar:3.5.2:provided
[INFO] |  +- commons-validator:commons-validator:jar:1.3.1:provided
[INFO] |  +- com.enterprisedt:edtftpj:jar:2.1.0:provided
[INFO] |  +- com.googlecode.jsendnsca:jsendnsca:jar:2.0.1:provided
[INFO] |  +- feed4j:feed4j:jar:1.0:provided
[INFO] |  +- ftp4che:ftp4che:jar:0.7.1:provided
[INFO] |  +- georss-rome:georss-rome:jar:0.9.8:provided
[INFO] |  +- infobright:infobright-core:jar:3.4:provided
[INFO] |  +- org.ini4j:ini4j:jar:0.5.1:provided
[INFO] |  +- org.codehaus.janino:commons-compiler:jar:3.0.8:provided
[INFO] |  +- org.codehaus.janino:janino:jar:3.0.8:provided
[INFO] |  +- javadbf:javadbf:jar:20081125:provided
[INFO] |  +- jfree:jcommon:jar:1.0.16:provided
[INFO] |  +- com.googlecode.json-simple:json-simple:jar:1.1:provided
[INFO] |  +- jsonpath:jsonpath:jar:1.0:provided
[INFO] |  +- com.sun.jersey.contribs:jersey-apache-client4:jar:1.19.1:provided
[INFO] |  +- com.sun.jersey:jersey-bundle:jar:1.19.1:provided
[INFO] |  +- com.sun.jersey:jersey-client:jar:1.19.1:provided
[INFO] |  +- com.sun.jersey:jersey-core:jar:1.19.1:provided
[INFO] |  +- jexcelapi:jxl:jar:2.6.12:provided
[INFO] |  +- ldapjdk:ldapjdk:jar:20000524:provided
[INFO] |  +- monetdb:monetdb-jdbc:jar:2.8:provided
[INFO] |  +- org.odftoolkit:odfdom-java:jar:0.8.6:provided
[INFO] |  +- org.apache.commons:commons-collections4:jar:4.4:provided
[INFO] |  +- org.apache.commons:commons-math3:jar:3.6.1:provided
[INFO] |  +- com.github.virtuald:curvesapi:jar:1.06:provided
[INFO] |  +- org.apache.xmlbeans:xmlbeans:jar:3.1.0:provided
[INFO] |  +- org.postgresql:postgresql:jar:42.2.23:provided
[INFO] |  +- rome:rome:jar:1.0:provided
[INFO] |  +- org.eobjects.sassyreader:SassyReader:jar:0.5:provided
[INFO] |  +- net.sf.saxon:saxon:jar:9.1.0.8:provided
[INFO] |  +- net.sf.saxon:saxon-dom:jar:9.1.0.8:provided
[INFO] |  +- org.yaml:snakeyaml:jar:1.7:provided
[INFO] |  +- org.snmp4j:snmp4j:jar:1.9.3d:provided
[INFO] |  +- org.syslog4j:syslog4j:jar:0.9.46:provided
[INFO] |  +- trilead-ssh2:trilead-ssh2:jar:build213:provided
[INFO] |  +- javax.xml:jaxrpc-api:jar:1.1:provided
[INFO] |  +- org.olap4j:olap4j:jar:1.2.0:provided
[INFO] |  +- org.olap4j:olap4j-xmla:jar:1.2.0:provided
[INFO] |  +- wsdl4j:wsdl4j:jar:1.6.2:provided
[INFO] |  +- wsdl4j:wsdl4j-qname:jar:1.6.1:provided
[INFO] |  +- net.sf.ehcache:ehcache-core:jar:2.5.1:provided
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.10:provided
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.10:provided
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.2:provided
[INFO] |  +- org.hibernate:hibernate-core:jar:3.6.9.Final:provided
[INFO] |  +- org.hibernate:hibernate-c3p0:jar:3.6.9.Final:provided
[INFO] |  +- org.hibernate:hibernate-commons-annotations:jar:3.2.0.Final:provided
[INFO] |  +- org.hibernate:hibernate-ehcache:jar:3.6.9.Final:provided
[INFO] |  +- cglib:cglib-nodep:jar:2.2:provided
[INFO] |  +- net.sourceforge.nekohtml:nekohtml:jar:1.9.15:provided
[INFO] |  +- com.sun.mail:javax.mail:jar:1.6.1:provided
[INFO] |  |  \- javax.activation:activation:jar:1.1:provided
[INFO] |  +- org.mnode.mstor:mstor:jar:0.9.13:provided
[INFO] |  +- org.xerial.snappy:snappy-java:jar:1.1.0:provided
[INFO] |  +- commons-cli:commons-cli:jar:1.2:provided
[INFO] |  +- org.eclipse.jetty:jetty-jaas:jar:9.4.18.v20190429:provided
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:9.4.18.v20190429:provided
[INFO] |  |  +- javax.servlet:javax.servlet-api:jar:3.1.0:provided
[INFO] |  |  +- org.eclipse.jetty:jetty-http:jar:9.4.18.v20190429:provided
[INFO] |  |  \- org.eclipse.jetty:jetty-io:jar:9.4.18.v20190429:provided
[INFO] |  +- org.eclipse.jetty:jetty-security:jar:9.4.18.v20190429:provided
[INFO] |  +- org.eclipse.jetty:jetty-servlet:jar:9.4.18.v20190429:provided
[INFO] |  +- org.eclipse.jetty:jetty-xml:jar:9.4.18.v20190429:provided
[INFO] |  +- org.eclipse.jetty:jetty-webapp:jar:9.4.18.v20190429:provided
[INFO] |  +- com.googlecode.log4jdbc:log4jdbc:jar:1.2:provided
[INFO] |  +- com.cronutils:cron-utils:jar:9.1.6:provided
[INFO] |  |  \- org.glassfish:javax.el:jar:3.0.0:provided
[INFO] |  +- com.sun.xml.bind:jaxb-impl:jar:2.3.3:runtime
[INFO] |  \- io.reactivex.rxjava2:rxjava:jar:2.2.3:provided
[INFO] +- pentaho-kettle:kettle-ui-swt:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- pentaho-kettle:kettle-dbdialog:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- pentaho:pentaho-vfs-browser:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  +- commons-net:commons-net:jar:1.4.1:provided
[INFO] |  |  \- oro:oro:jar:2.0.8:provided
[INFO] |  +- org.pentaho:commons-xul-core:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- org.pentaho:commons-xul-swt:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  |  +- org.eclipse.platform:org.eclipse.jface:jar:3.22.0:provided
[INFO] |  |  |  \- org.eclipse.platform:org.eclipse.swt:jar:3.121.0:provided (version selected from constraint [3.111.0,4.0.0))
[INFO] |  |  +- org.eclipse.platform:org.eclipse.equinox.common:jar:3.14.0:provided
[INFO] |  |  \- org.eclipse.platform:org.eclipse.core.commands:jar:3.9.800:provided
[INFO] |  +- org.pentaho:commons-xul-swing:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- pentaho:pentaho-capability-manager:jar:9.5.0.0-SNAPSHOT:provided
[INFO] |  +- org.eclipse.swt:org.eclipse.swt.gtk.linux.x86_64:jar:4.6:provided
[INFO] |  +- org.eclipse.equinox:common:jar:3.3.0-v20070426:provided
[INFO] |  +- org.eclipse:jface:jar:3.3.0-I20070606-0010:provided
[INFO] |  +- org.eclipse.core:commands:jar:3.3.0-I20070605-0010:provided
[INFO] |  \- jfree:jfreechart:jar:1.0.13:provided
[INFO] +- pentaho-kettle:kettle-engine:jar:tests:9.5.0.0-SNAPSHOT:test
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.mockito:mockito-all:jar:1.10.19:test

Suggested solutions:

Update dependency version

Thank you very much.
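One way to act on "Update dependency version" in a Maven plugin like this one, as an added example that is not part of the issue report or of the kettle-sdk repository: pin `httpclient` (and its companion `httpcore`) in the plugin POM's `dependencyManagement`, which overrides the version Maven would otherwise inherit transitively from `org.pentaho:pentaho-metadata`. The coordinates `4.5.13` / `4.4.13` are the first releases outside the affected range `[,4.5.13)`; that they are drop-in compatible with the Pentaho 9.5.0.0-SNAPSHOT artifacts in the tree above is an assumption to be confirmed by running the plugin's tests. The `mvn dependency:tree -Dincludes=...` command in the comment is the check that the override actually took effect.

```xml
<!-- Added example, not the project's own pom.xml: a dependencyManagement block to
     drop into the kettle-sdk-partitioner-plugin POM. Versions below are assumptions
     (first httpclient/httpcore releases not matching CVE-2020-13956's range [,4.5.13)).
     Verify the resolved version afterwards with:
       mvn dependency:tree -Dincludes=org.apache.httpcomponents
     The output should list httpclient:jar:4.5.13 instead of 4.5.9. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <version>4.5.13</version>
      <!-- keep the scope the transitive dependency already had (see tree above) -->
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpcore</artifactId>
      <version>4.4.13</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

One caveat a practitioner should keep in mind: the tree above shows `httpclient` with `provided` scope, so the plugin does not ship its own copy. At runtime the class that reaches `URIUtils.extractHost` is loaded from whatever `httpclient` jar the host Pentaho Data Integration installation carries. The pin above clears the build-time and SCA finding for this repository; the effective fix for a deployed system is confirming that the PDI installation itself runs `httpclient` 4.5.13 or later.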
