Hi, in pacbot/jobs/pacman-qualys-enricher, there is a dependency org.apache.httpcomponents:httpclient:4.5.2 that calls the risk method.
CVE-2020-13956
The affected version range of this CVE is [,4.5.13).
After further analysis, in this project, the main API called is `<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>`
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 5
```
<org.apache.http.client.utils.URIUtils: org.apache.http.HttpHost extractHost(java.net.URI)>
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.HttpHost determineTarget(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[92]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)> (org.apache.http.impl.client.CloseableHttpClient.java:[82]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <org.apache.http.impl.client.CloseableHttpClient: org.apache.http.client.methods.CloseableHttpResponse execute(org.apache.http.client.methods.HttpUriRequest)> (org.apache.http.impl.client.CloseableHttpClient.java:[107]) in /.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
at <com.tmobile.cso.pacman.qualys.util.HttpUtil: java.lang.String post(java.lang.String,java.lang.String,java.lang.String,java.lang.String)> (com.tmobile.cso.pacman.qualys.util.HttpUtil.java:[112]) in /detect/unzip/pacbot-2.0/jobs/pacman-qualys-enricher/target/classes
```
Dependency tree--
```
[INFO] com.tmobile.cso.pacman:pacman-qualys-enricher:jar:0.0.1-SNAPSHOT
[INFO] +- org.elasticsearch.client:rest:jar:5.3.0:compile
[INFO] | +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] | +- org.apache.httpcomponents:httpcore:jar:4.4.5:compile
[INFO] | +- org.apache.httpcomponents:httpasyncclient:jar:4.1.2:compile
[INFO] | +- org.apache.httpcomponents:httpcore-nio:jar:4.4.5:compile
[INFO] | +- commons-codec:commons-codec:jar:1.10:compile
[INFO] | \- commons-logging:commons-logging:jar:1.1.3:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] +- mysql:mysql-connector-java:jar:5.1.17:compile
[INFO] +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] +- com.google.guava:guava:jar:18.0:compile
[INFO] +- commons-httpclient:commons-httpclient:jar:3.1:compile
[INFO] \- com.tmobile.cloud:batch-commons:jar:1.0.0-SNAPSHOT:provided
[INFO] +- com.microsoft.azure:azure:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-client-runtime:jar:1.6.4:provided
[INFO] | | \- com.microsoft.rest:client-runtime:jar:1.6.4:provided
[INFO] | | +- com.squareup.retrofit2:retrofit:jar:2.4.0:provided
[INFO] | | +- com.squareup.okhttp3:okhttp:jar:3.11.0:provided
[INFO] | | | \- com.squareup.okio:okio:jar:1.14.0:provided
[INFO] | | +- com.squareup.okhttp3:logging-interceptor:jar:3.11.0:provided
[INFO] | | +- com.squareup.okhttp3:okhttp-urlconnection:jar:3.11.0:provided
[INFO] | | +- com.squareup.retrofit2:converter-jackson:jar:2.4.0:provided
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-joda:jar:2.9.4:provided
[INFO] | | +- org.apache.commons:commons-lang3:jar:3.4:provided
[INFO] | | \- com.squareup.retrofit2:adapter-rxjava:jar:2.4.0:provided
[INFO] | +- com.microsoft.azure:azure-client-authentication:jar:1.6.4:provided
[INFO] | | +- com.microsoft.azure:adal4j:jar:1.6.2:provided
[INFO] | | | \- com.nimbusds:oauth2-oidc-sdk:jar:5.64.4:provided
[INFO] | | | +- com.sun.mail:javax.mail:jar:1.6.1:provided
[INFO] | | | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:provided
[INFO] | | | +- net.minidev:json-smart:jar:2.3:provided (version selected from constraint [1.3.1,2.3])
[INFO] | | | | \- net.minidev:accessors-smart:jar:1.2:provided
[INFO] | | | | \- org.ow2.asm:asm:jar:5.0.4:provided
[INFO] | | | +- com.nimbusds:lang-tag:jar:1.5:provided (version selected from constraint [1.4.3,))
[INFO] | | | \- com.nimbusds:nimbus-jose-jwt:jar:9.13:provided (version selected from constraint [5.5,))
[INFO] | | \- com.microsoft.azure:azure-annotations:jar:1.7.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-resources:jar:1.22.0:provided
[INFO] | | \- io.reactivex:rxjava:jar:1.3.8:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-storage:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-network:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-compute:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-graph-rbac:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-keyvault:jar:1.22.0:provided
[INFO] | | \- com.microsoft.azure:azure-keyvault:jar:1.0.0:provided
[INFO] | | \- com.microsoft.azure:azure-keyvault-webkey:jar:1.0.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-batch:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-trafficmanager:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-dns:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-redis:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-appservice:jar:1.22.0:provided
[INFO] | | \- com.microsoft.azure:azure-storage:jar:6.1.0:provided
[INFO] | | \- com.microsoft.azure:azure-keyvault-core:jar:0.8.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-locks:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-eventhub:jar:1.22.0:provided
[INFO] | | \- com.fasterxml.jackson.core:jackson-core:jar:2.9.4:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-cdn:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-sql:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-containerinstance:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-containerregistry:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-containerservice:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-cosmosdb:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-search:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-msi:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-monitor:jar:1.22.0:provided
[INFO] | +- com.microsoft.azure:azure-mgmt-servicebus:jar:1.22.0:provided
[INFO] | | \- joda-time:joda-time:jar:2.1:provided
[INFO] | \- com.microsoft.azure:azure-mgmt-batchai:jar:1.22.0:provided
[INFO] +- com.amazonaws:aws-java-sdk-efs:jar:1.11.636:provided
[INFO] | +- com.amazonaws:aws-java-sdk-core:jar:1.11.636:provided
[INFO] | | +- software.amazon.ion:ion-java:jar:1.0.2:provided
[INFO] | | +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.2:provided
[INFO] | | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:provided
[INFO] | | \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.6.7:provided
[INFO] | \- com.amazonaws:jmespath-java:jar:1.11.636:provided
[INFO] +- com.amazonaws:aws-java-sdk-redshift:jar:1.11.636:provided
[INFO] +- com.amazonaws:aws-java-sdk-elasticsearch:jar:1.11.636:provided
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:provided
[INFO] +- ch.qos.logback:logback-core:jar:1.2.3:provided
[INFO] \- javax.xml.bind:jaxb-api:jar:2.1:provided
[INFO] +- javax.xml.stream:stax-api:jar:1.0-2:provided
[INFO] \- javax.activation:activation:jar:1.1:provided
```
Suggested solutions:
Update dependency version
Thank you very much.
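As an added check (not part of this report or of the PacBot project), a Python script that scans `mvn dependency:tree` output and flags any resolved artifact whose version falls inside a Maven range such as the `[,4.5.13)` quoted above for CVE-2020-13956. The sample tree lines are constructed; the httpclient 4.5.2 line is the one from the report, and `example.group:other-lib` is a made-up artifact carrying a patched 4.5.13 to show that it is not flagged.

```python
import re
# Constructed sample of `mvn dependency:tree` output; the httpclient 4.5.2 line is
# the one from the report, the 4.5.13 line is added to show a patched version.
SAMPLE_TREE = """\
[INFO] com.tmobile.cso.pacman:pacman-qualys-enricher:jar:0.0.1-SNAPSHOT
[INFO] +- org.elasticsearch.client:rest:jar:5.3.0:compile
[INFO] |  +- org.apache.httpcomponents:httpclient:jar:4.5.2:compile
[INFO] |  \\- net.minidev:json-smart:jar:2.3:compile (version selected from constraint [1.3.1,2.3])
[INFO] \\- example.group:other-lib:jar:1.0.0:provided
[INFO]    \\- org.apache.httpcomponents:httpclient:jar:4.5.13:provided
"""
# Affected range for CVE-2020-13956 in Maven range notation, as quoted in the report.
AFFECTED = {"org.apache.httpcomponents:httpclient": "[,4.5.13)"}

def version_key(v):
    """Simplified Maven ordering: numeric segments as ints, qualifiers as strings."""
    return tuple((0, int(s)) if s.isdigit() else (1, s) for s in re.split(r"[.\-]", v))

def parse_range(spec):
    """Parse '[lo,hi)' style Maven ranges; an empty bound means unbounded."""
    m = re.fullmatch(r"([\[(])([^,]*),([^\])]*)([\])])", spec.replace(" ", ""))
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_b, lo, hi, hi_b = m.groups()
    return lo or None, lo_b == "[", hi or None, hi_b == "]"

def in_range(version, spec):
    lo, lo_incl, hi, hi_incl = parse_range(spec)
    k = version_key(version)
    if lo and (k < version_key(lo) or (k == version_key(lo) and not lo_incl)):
        return False
    if hi and (k > version_key(hi) or (k == version_key(hi) and not hi_incl)):
        return False
    return True

def parse_tree(text):
    """Yield (group:artifact, version, scope) for each node of a dependency:tree dump."""
    for line in text.splitlines():
        # drop the [INFO] prefix, tree-drawing characters and '(version selected ...)' notes
        token = line.replace("[INFO]", "").split(" (")[0].strip().lstrip("+\\|- ")
        parts = token.split(":")
        if len(parts) < 4:
            continue
        version, scope = (parts[3], None) if len(parts) == 4 else (parts[-2], parts[-1])
        yield f"{parts[0]}:{parts[1]}", version, scope

def find_affected(text, affected=AFFECTED):
    """Return [(group:artifact, version)] for resolved versions inside an affected range."""
    return [(ga, v) for ga, v, _ in parse_tree(text)
            if ga in affected and in_range(v, affected[ga])]
```

Because the tree above shows httpclient arriving transitively through org.elasticsearch.client:rest rather than as a direct dependency, raising it to 4.5.13 or later means either upgrading that client or pinning httpclient in the project's own pom (for example via dependencyManagement), then re-running the tree to confirm the resolved version.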