seed icon indicating copy to clipboard operation
seed copied to clipboard
verified publisher icon jadyer

Dependency com.alibaba:fastjson, leading to CVE problem

Open CVEDetect opened this issue 3 years ago • 0 comments

Hi, In /seed-comm,there is a dependency com.alibaba:fastjson:1.2.74 that calls the risk method.

CVE-2022-25845

The scope of this CVE affected version is [,1.2.83)

After further analysis, in this project, the main Api called is com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 8

com.jadyer.seed.comm.util.PageUtil: copy(org.springframework.data.domain.Page,java.lang.Class)Lcom.jadyer.seed.comm.jpa.Pager; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.JSON: parseObject(java.lang.String,java.lang.Class)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.JSON: parseObject(java.lang.String,java.lang.Class,com.alibaba.fastjson.parser.Feature[])Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.JSON: parseObject(java.lang.String,java.lang.reflect.Type,com.alibaba.fastjson.parser.ParserConfig,com.alibaba.fastjson.parser.deserializer.ParseProcess,int,com.alibaba.fastjson.parser.Feature[])Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.parser.DefaultJSONParser: parseObject(java.lang.reflect.Type,java.lang.Object)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer: deserialze(com.alibaba.fastjson.parser.DefaultJSONParser,java.lang.reflect.Type,java.lang.Object,int)Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.parser.deserializer.JavaBeanDeserializer: deserialze(com.alibaba.fastjson.parser.DefaultJSONParser,java.lang.reflect.Type,java.lang.Object,java.lang.Object,int,int[])Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar
com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;

Dependency tree--

[INFO] com.jadyer.seed:seed-comm:jar:2.1
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.1.6.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  |  \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.1.6.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.1.6.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  \- net.minidev:json-smart:jar:2.3:test
[INFO] |  |     \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |        \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  +- junit:junit:jar:4.12:test
[INFO] |  +- org.assertj:assertj-core:jar:3.11.1:test
[INFO] |  +- org.mockito:mockito-core:jar:2.23.4:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.9.13:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.6:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |  +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] |  +- org.springframework:spring-test:jar:5.1.8.RELEASE:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.6.2:test
[INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.1.8.RELEASE:compile
[INFO] |  \- org.aspectj:aspectjweaver:jar:1.9.4:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.9:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.9:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.9:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.21:compile
[INFO] |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.21:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.0.17.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.4.0:compile
[INFO] |  +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.1.8.RELEASE:compile
[INFO] |     +- org.springframework:spring-context:jar:5.1.8.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.1.8.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-websocket:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-messaging:jar:5.1.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-websocket:jar:5.1.8.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-amqp:jar:2.1.6.RELEASE:compile
[INFO] |  \- org.springframework.amqp:spring-rabbit:jar:2.1.7.RELEASE:compile
[INFO] |     +- org.springframework.amqp:spring-amqp:jar:2.1.7.RELEASE:compile
[INFO] |     |  \- org.springframework.retry:spring-retry:jar:1.2.4.RELEASE:compile
[INFO] |     \- com.rabbitmq:amqp-client:jar:5.4.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-mail:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-context-support:jar:5.1.8.RELEASE:compile
[INFO] |  \- com.sun.mail:javax.mail:jar:1.6.2:compile
[INFO] |     \- javax.activation:activation:jar:1.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-batch:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- com.zaxxer:HikariCP:jar:3.2.0:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:5.1.8.RELEASE:compile
[INFO] |  \- org.springframework.batch:spring-batch-core:jar:4.1.2.RELEASE:compile
[INFO] |     +- javax.batch:javax.batch-api:jar:1.0:compile
[INFO] |     \- org.springframework.batch:spring-batch-infrastructure:jar:4.1.2.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-quartz:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework:spring-tx:jar:5.1.8.RELEASE:compile
[INFO] |  \- org.quartz-scheduler:quartz:jar:2.3.1:compile
[INFO] |     \- com.mchange:mchange-commons-java:jar:0.2.15:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.1.6.RELEASE:compile
[INFO] |  +- javax.transaction:javax.transaction-api:jar:1.3:compile
[INFO] |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  |  \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:5.3.10.Final:compile
[INFO] |  |  +- javax.persistence:javax.persistence-api:jar:2.2:compile
[INFO] |  |  +- org.javassist:javassist:jar:3.23.2-GA:compile
[INFO] |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  +- org.jboss:jandex:jar:2.0.5.Final:compile
[INFO] |  |  +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] |  |  \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.4.Final:compile
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:2.1.9.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:2.1.9.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-orm:jar:5.1.8.RELEASE:compile
[INFO] |  \- org.springframework:spring-aspects:jar:5.1.8.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  \- io.micrometer:micrometer-core:jar:1.1.5:compile
[INFO] |     +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |     \- org.latencyutils:LatencyUtils:jar:2.0.3:compile
[INFO] +- mysql:mysql-connector-java:jar:8.0.16:compile
[INFO] +- commons-io:commons-io:jar:2.8.0:compile
[INFO] +- commons-net:commons-net:jar:3.7.1:compile
[INFO] +- org.apache.commons:commons-text:jar:1.9:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.11:compile
[INFO] +- commons-codec:commons-codec:jar:1.15:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] +- org.apache.mina:mina-core:jar:2.0.21:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] +- org.apache.rocketmq:rocketmq-spring-boot-starter:jar:2.2.1:compile
[INFO] |  +- org.apache.rocketmq:rocketmq-spring-boot:jar:2.2.1:compile
[INFO] |  |  +- org.apache.rocketmq:rocketmq-client:jar:4.9.1:compile
[INFO] |  |  |  \- org.apache.rocketmq:rocketmq-common:jar:4.9.1:compile
[INFO] |  |  \- org.apache.rocketmq:rocketmq-acl:jar:4.9.1:compile
[INFO] |  |     +- org.apache.rocketmq:rocketmq-remoting:jar:4.9.1:compile
[INFO] |  |     |  \- io.netty:netty-all:jar:4.1.36.Final:compile
[INFO] |  |     +- org.apache.rocketmq:rocketmq-logging:jar:4.9.1:compile
[INFO] |  |     +- org.apache.rocketmq:rocketmq-srvutil:jar:4.9.1:compile
[INFO] |  |     |  \- commons-cli:commons-cli:jar:1.2:compile
[INFO] |  |     \- commons-validator:commons-validator:jar:1.7:compile
[INFO] |  |        +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |  |        +- commons-digester:commons-digester:jar:2.1:compile
[INFO] |  |        \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-validation:jar:2.1.6.RELEASE:compile
[INFO] +- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
[INFO] |  \- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] +- org.apache.httpcomponents:httpclient-cache:jar:4.5.3:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- org.apache.httpcomponents:httpmime:jar:4.5.3:compile
[INFO] +- org.apache.httpcomponents:fluent-hc:jar:4.5.3:compile
[INFO] +- com.google.zxing:core:jar:2.2:compile
[INFO] +- com.google.zxing:javase:jar:2.2:compile
[INFO] +- com.aliyun.oss:aliyun-sdk-oss:jar:3.11.1:compile
[INFO] |  +- org.jdom:jdom2:jar:2.0.6:compile
[INFO] |  +- org.codehaus.jettison:jettison:jar:1.1:compile
[INFO] |  |  \- stax:stax-api:jar:1.0.1:compile
[INFO] |  +- com.aliyun:aliyun-java-sdk-core:jar:4.5.10:compile
[INFO] |  |  +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] |  |  +- org.jacoco:org.jacoco.agent:jar:runtime:0.8.5:compile
[INFO] |  |  +- org.ini4j:ini4j:jar:0.5.4:compile
[INFO] |  |  +- io.opentracing:opentracing-api:jar:0.33.0:compile
[INFO] |  |  \- io.opentracing:opentracing-util:jar:0.33.0:compile
[INFO] |  |     \- io.opentracing:opentracing-noop:jar:0.33.0:compile
[INFO] |  +- com.aliyun:aliyun-java-sdk-ram:jar:3.1.0:compile
[INFO] |  \- com.aliyun:aliyun-java-sdk-kms:jar:2.11.0:compile
[INFO] +- com.alibaba:druid-spring-boot-starter:jar:1.1.18:compile
[INFO] |  +- com.alibaba:druid:jar:1.1.18:compile
[INFO] |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] +- com.alibaba:fastjson:jar:1.2.74:compile
[INFO] +- com.ibeetl:beetl:jar:2.9.10:compile
[INFO] |  \- org.antlr:antlr4-runtime:jar:4.2:compile
[INFO] |     +- org.abego.treelayout:org.abego.treelayout.core:jar:1.0.1:compile
[INFO] |     \- org.antlr:antlr4-annotations:jar:4.2:compile
[INFO] +- com.jcraft:jsch:jar:0.1.55:compile
[INFO] +- cn.hutool:hutool-core:jar:4.6.1:compile
[INFO] +- com.github.liaochong:myexcel:jar:3.9.5:compile
[INFO] |  +- org.apache.poi:poi-ooxml:jar:4.1.1:compile
[INFO] |  |  +- org.apache.poi:poi:jar:4.1.1:compile
[INFO] |  |  |  +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] |  |  |  \- org.apache.commons:commons-math3:jar:3.6.1:compile
[INFO] |  |  +- org.apache.poi:poi-ooxml-schemas:jar:4.1.1:compile
[INFO] |  |  |  \- org.apache.xmlbeans:xmlbeans:jar:3.1.0:compile
[INFO] |  |  +- org.apache.commons:commons-compress:jar:1.19:compile
[INFO] |  |  \- com.github.virtuald:curvesapi:jar:1.06:compile
[INFO] |  \- com.twelvemonkeys.imageio:imageio-jpeg:jar:3.5:compile
[INFO] |     +- com.twelvemonkeys.imageio:imageio-core:jar:3.5:compile
[INFO] |     +- com.twelvemonkeys.imageio:imageio-metadata:jar:3.5:compile
[INFO] |     +- com.twelvemonkeys.common:common-lang:jar:3.5:compile
[INFO] |     +- com.twelvemonkeys.common:common-io:jar:3.5:compile
[INFO] |     \- com.twelvemonkeys.common:common-image:jar:3.5:compile
[INFO] +- redis.clients:jedis:jar:2.9.0:compile
[INFO] |  \- org.apache.commons:commons-pool2:jar:2.6.2:compile
[INFO] +- org.redisson:redisson:jar:3.13.5:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.36.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.36.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.36.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.36.Final:compile
[INFO] |  |  \- io.netty:netty-resolver:jar:4.1.36.Final:compile
[INFO] |  +- io.netty:netty-resolver-dns:jar:4.1.36.Final:compile
[INFO] |  |  \- io.netty:netty-codec-dns:jar:4.1.36.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.36.Final:compile
[INFO] |  +- javax.cache:cache-api:jar:1.1.1:compile
[INFO] |  +- io.projectreactor:reactor-core:jar:3.2.10.RELEASE:compile
[INFO] |  |  \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |  +- io.reactivex.rxjava2:rxjava:jar:2.2.9:compile
[INFO] |  +- org.jboss.marshalling:jboss-marshalling-river:jar:2.0.9.Final:compile
[INFO] |  |  \- org.jboss.marshalling:jboss-marshalling:jar:2.0.9.Final:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.23:compile
[INFO] |  +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.9.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  +- net.bytebuddy:byte-buddy:jar:1.9.13:compile
[INFO] |  \- org.jodd:jodd-bean:jar:5.1.6:compile
[INFO] |     \- org.jodd:jodd-core:jar:5.1.6:compile
[INFO] +- org.samba.jcifs:jcifs:jar:1.3.3:compile
[INFO] +- org.jsoup:jsoup:jar:1.13.1:compile
[INFO] +- org.jasypt:jasypt:jar:1.9.3:compile
[INFO] +- org.codehaus.janino:janino:jar:3.1.2:compile
[INFO] |  \- org.codehaus.janino:commons-compiler:jar:3.1.2:compile
[INFO] \- org.bouncycastle:bcprov-jdk15on:jar:1.62:compile

Suggested solutions:

Update dependency version

Thank you very much.

CVEDetect avatar Apr 14 '23 11:04 CVEDetect