Open
Description
Hi, in /smqtt-core there is a dependency io.netty:netty-common:4.1.66.Final that calls the risk method.
The scope of this CVE's affected versions is [4.0.0.Final, 4.1.77.Final).
After further analysis, in this project the main API called is io.netty.util.internal.PlatformDependent: createTempFile(java.lang.String,java.lang.String,java.io.File)Ljava.io.File;
Risk method repair link: GitHub
CVE Bug Invocation Path
Path Length: 8
CVE Bug Invocation Path:
io.github.quickmsg.core.ssl.AbstractSslHandler: secure(reactor.netty.tcp.SslProvider$SslContextSpec,io.github.quickmsg.common.config.Configuration)V /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.handler.ssl.util.SelfSignedCertificate: init()V /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.handler.ssl.util.SelfSignedCertificate: init(java.util.Date,java.util.Date,java.lang.String,int)V /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.handler.ssl.util.SelfSignedCertificate: init(java.lang.String,java.util.Date,java.util.Date,java.lang.String,int)V /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.handler.ssl.util.SelfSignedCertificate: init(java.lang.String,java.security.SecureRandom,int,java.util.Date,java.util.Date,java.lang.String)V /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator: generate(java.lang.String,java.security.KeyPair,java.security.SecureRandom,java.util.Date,java.util.Date,java.lang.String)[Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.handler.ssl.util.SelfSignedCertificate: newSelfSignedCertificate(java.lang.String,java.security.PrivateKey,java.security.cert.X509Certificate)[Ljava.lang.String; /download/apache-maven-3.6.3/repository_mount/org/casbin/jdbc-adapter/2.1.3/jdbc-adapter-2.1.3.jar
io.netty.util.internal.PlatformDependent: createTempFile(java.lang.String,java.lang.String,java.io.File)Ljava.io.File;
Dependency tree
[INFO] io.github.quickmsg:smqtt-core:jar:1.1.7
[INFO] +- io.github.quickmsg:smqtt-common:jar:1.1.7:compile
[INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.4:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.27:compile
[INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-properties:jar:2.12.4:compile
[INFO] | +- io.projectreactor.netty:reactor-netty:jar:1.0.10:compile
[INFO] | | +- io.projectreactor.netty:reactor-netty-core:jar:1.0.10:compile
[INFO] | | | +- io.netty:netty-handler:jar:4.1.66.Final:compile
[INFO] | | | +- io.netty:netty-handler-proxy:jar:4.1.66.Final:compile
[INFO] | | | | \- io.netty:netty-codec-socks:jar:4.1.66.Final:compile
[INFO] | | | +- io.netty:netty-resolver-dns:jar:4.1.66.Final:compile
[INFO] | | | | \- io.netty:netty-codec-dns:jar:4.1.66.Final:compile
[INFO] | | | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.66.Final:compile
[INFO] | | | | \- io.netty:netty-transport-native-unix-common:jar:4.1.66.Final:compile
[INFO] | | | +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.66.Final:compile
[INFO] | | | \- io.projectreactor:reactor-core:jar:3.4.9:compile
[INFO] | | | \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] | | +- io.projectreactor.netty:reactor-netty-http:jar:1.0.10:compile
[INFO] | | | +- io.netty:netty-codec-http:jar:4.1.66.Final:compile
[INFO] | | | \- io.netty:netty-codec-http2:jar:4.1.66.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-http-brave:jar:1.0.10:runtime
[INFO] | | \- io.zipkin.brave:brave-instrumentation-http:jar:5.13.3:runtime
[INFO] | | \- io.zipkin.brave:brave:jar:5.13.3:runtime
[INFO] | | \- io.zipkin.reporter2:zipkin-reporter-brave:jar:2.16.3:runtime
[INFO] | | \- io.zipkin.reporter2:zipkin-reporter:jar:2.16.3:runtime
[INFO] | | \- io.zipkin.zipkin2:zipkin:jar:2.23.2:runtime
[INFO] | +- io.netty:netty-codec-mqtt:jar:4.1.66.Final:compile
[INFO] | | +- io.netty:netty-common:jar:4.1.66.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.66.Final:compile
[INFO] | | +- io.netty:netty-transport:jar:4.1.66.Final:compile
[INFO] | | | \- io.netty:netty-resolver:jar:4.1.66.Final:compile
[INFO] | | \- io.netty:netty-codec:jar:4.1.66.Final:compile
[INFO] | +- org.projectlombok:lombok:jar:1.18.20:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] | +- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] | +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.12.4:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.0:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.11.0:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.11.0:compile
[INFO] | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.0:compile
[INFO] | +- io.micrometer:micrometer-core:jar:1.8.0:compile
[INFO] | | +- org.hdrhistogram:HdrHistogram:jar:2.1.12:compile
[INFO] | | \- org.latencyutils:LatencyUtils:jar:2.0.3:runtime
[INFO] | +- com.github.oshi:oshi-core:jar:5.3.6:compile
[INFO] | | +- net.java.dev.jna:jna:jar:5.6.0:compile
[INFO] | | \- net.java.dev.jna:jna-platform:jar:5.6.0:compile
[INFO] | +- io.micrometer:micrometer-registry-prometheus:jar:1.8.0:compile
[INFO] | | \- io.prometheus:simpleclient_common:jar:0.12.0:compile
[INFO] | | \- io.prometheus:simpleclient:jar:0.12.0:compile
[INFO] | | +- io.prometheus:simpleclient_tracer_otel:jar:0.12.0:compile
[INFO] | | | \- io.prometheus:simpleclient_tracer_common:jar:0.12.0:compile
[INFO] | | \- io.prometheus:simpleclient_tracer_otel_agent:jar:0.12.0:compile
[INFO] | +- io.micrometer:micrometer-registry-influx:jar:1.8.0:compile
[INFO] | +- org.casbin:jcasbin:jar:1.22.1:compile
[INFO] | | +- com.googlecode.aviator:aviator:jar:5.3.0-beta2:compile
[INFO] | | +- com.github.seancfoley:ipaddress:jar:4.2.0:compile
[INFO] | | +- commons-io:commons-io:jar:2.7:compile
[INFO] | | +- org.apache.commons:commons-csv:jar:1.8:compile
[INFO] | | \- com.google.code.gson:gson:jar:2.8.9:compile
[INFO] | \- org.casbin:jdbc-adapter:jar:2.1.3:compile
[INFO] | +- com.oracle.database.jdbc:ojdbc6:jar:11.2.0.4:compile
[INFO] | | +- com.oracle.database.jdbc:ucp:jar:11.2.0.4:compile
[INFO] | | +- com.oracle.database.security:oraclepki:jar:11.2.0.4:compile
[INFO] | | +- com.oracle.database.security:osdt_cert:jar:11.2.0.4:compile
[INFO] | | +- com.oracle.database.security:osdt_core:jar:11.2.0.4:compile
[INFO] | | +- com.oracle.database.ha:simplefan:jar:11.2.0.4:compile
[INFO] | | \- com.oracle.database.ha:ons:jar:11.2.0.4:compile
[INFO] | +- org.postgresql:postgresql:jar:42.2.12:compile
[INFO] | +- com.microsoft.sqlserver:mssql-jdbc:jar:8.2.2.jre8:compile
[INFO] | \- dev.failsafe:failsafe:jar:3.0.0:compile
[INFO] +- io.github.quickmsg:smqtt-rule-dsl:jar:1.1.7:compile
[INFO] | \- io.github.quickmsg:smqtt-rule-engine:jar:1.1.7:compile
[INFO] | +- io.github.quickmsg:smqtt-rule-source-kafka:jar:1.1.7:compile
[INFO] | | \- org.apache.kafka:kafka-clients:jar:2.8.0:compile
[INFO] | | +- com.github.luben:zstd-jni:jar:1.4.9-1:compile
[INFO] | | +- org.lz4:lz4-java:jar:1.7.1:compile
[INFO] | | \- org.xerial.snappy:snappy-java:jar:1.1.8.1:compile
[INFO] | +- io.github.quickmsg:smqtt-rule-source-http:jar:1.1.7:compile
[INFO] | +- io.github.quickmsg:smqtt-rule-source-rocketmq:jar:1.1.7:compile
[INFO] | | \- org.apache.rocketmq:rocketmq-client:jar:4.9.1:compile
[INFO] | | +- org.apache.rocketmq:rocketmq-common:jar:4.9.1:compile
[INFO] | | | +- org.apache.rocketmq:rocketmq-remoting:jar:4.9.1:compile
[INFO] | | | | +- com.alibaba:fastjson:jar:1.2.76:compile
[INFO] | | | | \- org.apache.rocketmq:rocketmq-logging:jar:4.9.1:compile
[INFO] | | | \- commons-validator:commons-validator:jar:1.7:compile
[INFO] | | | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | | +- commons-digester:commons-digester:jar:2.1:compile
[INFO] | | | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | | +- org.apache.commons:commons-lang3:jar:3.4:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.9:compile
[INFO] | +- io.github.quickmsg:smqtt-rule-source-rabbitmq:jar:1.1.7:compile
[INFO] | | \- com.rabbitmq:amqp-client:jar:3.6.5:compile
[INFO] | +- io.github.quickmsg:smqtt-rule-source-db:jar:1.1.7:compile
[INFO] | | +- org.jooq:jooq:jar:3.14.11:compile
[INFO] | | | \- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] | | | \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] | | +- org.jooq:jooq-meta:jar:3.14.11:compile
[INFO] | | +- org.jooq:jooq-codegen:jar:3.14.11:compile
[INFO] | | +- com.zaxxer:HikariCP:jar:4.0.3:compile
[INFO] | | \- mysql:mysql-connector-java:jar:5.1.35:compile
[INFO] | +- io.github.quickmsg:smqtt-rule-source-mqtt:jar:1.1.7:compile
[INFO] | | \- com.hivemq:hivemq-mqtt-client:jar:1.2.2:compile
[INFO] | | +- io.reactivex.rxjava2:rxjava:jar:2.2.19:compile
[INFO] | | +- org.jctools:jctools-core:jar:2.1.2:runtime
[INFO] | | +- org.jetbrains:annotations:jar:16.0.3:runtime
[INFO] | | \- com.google.dagger:dagger:jar:2.27:runtime
[INFO] | | \- javax.inject:javax.inject:jar:1:runtime
[INFO] | \- org.apache.commons:commons-jexl3:jar:3.2.1:compile
[INFO] | \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- io.github.quickmsg:smqtt-metric-influxdb:jar:1.1.7:compile
[INFO] \- io.github.quickmsg:smqtt-metric-prometheus:jar:1.1.7:compile
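As an added triage example (not part of this report or of the smqtt project): the script below parses `mvn dependency:tree` output like the tree above and flags every `io.netty` artifact whose version falls inside the affected range stated in the report, [4.0.0.Final, 4.1.77.Final). The embedded sample tree is a constructed subset of the lines quoted above; the version ordering is a deliberate simplification of Maven's rules and is marked as an assumption in the code.

```python
import re
import sys
from typing import Iterable, List, NamedTuple, Tuple

# Affected range exactly as stated in the report: [4.0.0.Final, 4.1.77.Final)
AFFECTED_FROM = "4.0.0.Final"
FIXED_IN = "4.1.77.Final"
AFFECTED_GROUP = "io.netty"

# One coordinate from `mvn dependency:tree`:
#   groupId:artifactId:type[:classifier]:version[:scope]
# The version must start with a digit so that an optional classifier
# (e.g. linux-x86_64) is never confused with the version or the scope.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>\d[\w.\-]*)(?::(?P<scope>\w+))?\s*$"
)

# Constructed sample: a subset of the dependency tree quoted in the report.
SAMPLE_TREE = """\
[INFO] io.github.quickmsg:smqtt-core:jar:1.1.7
[INFO] +- io.github.quickmsg:smqtt-common:jar:1.1.7:compile
[INFO] |  +- io.projectreactor.netty:reactor-netty:jar:1.0.10:compile
[INFO] |  |  +- io.projectreactor.netty:reactor-netty-core:jar:1.0.10:compile
[INFO] |  |  |  +- io.netty:netty-handler:jar:4.1.66.Final:compile
[INFO] |  |  |  +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.66.Final:compile
[INFO] |  +- io.netty:netty-codec-mqtt:jar:4.1.66.Final:compile
[INFO] |  |  +- io.netty:netty-common:jar:4.1.66.Final:compile
[INFO] |  |  \\- io.netty:netty-codec:jar:4.1.66.Final:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
""".splitlines()


def version_key(version: str) -> Tuple[int, ...]:
    """Sort key for Netty-style versions such as 4.1.66.Final.

    Assumption (simplification of Maven's ordering): numeric components are
    compared left to right, padded to four places, and a release qualifier
    (Final, GA or none) ranks above any pre-release qualifier such as Beta or CR.
    """
    parts = version.split(".")
    nums: List[int] = []
    for part in parts:
        if not part.isdigit():
            break
        nums.append(int(part))
    qualifier = ".".join(parts[len(nums):])
    release = 1 if qualifier in ("", "Final", "GA") else 0
    padded = tuple(nums[:4]) + (0,) * (4 - len(nums[:4]))
    return padded + (release,)


def is_affected(version: str) -> bool:
    """True when version lies in the half-open range [AFFECTED_FROM, FIXED_IN)."""
    key = version_key(version)
    return version_key(AFFECTED_FROM) <= key < version_key(FIXED_IN)


class Hit(NamedTuple):
    artifact: str
    version: str
    depth: int  # nesting depth in the tree (root = 0)


def find_affected(tree_lines: Iterable[str], group: str = AFFECTED_GROUP) -> List[Hit]:
    """Return every artifact of `group` in the tree whose version is affected."""
    hits: List[Hit] = []
    for line in tree_lines:
        body = line.replace("[INFO]", "", 1)
        match = COORD_RE.search(body)
        if match is None or match.group("group") != group:
            continue
        if not is_affected(match.group("version")):
            continue
        prefix = body[: match.start()]
        depth = prefix.count("|") + (1 if ("+-" in prefix or "\\-" in prefix) else 0)
        hits.append(Hit(match.group("artifact"), match.group("version"), depth))
    return hits


def report(hits: List[Hit]) -> str:
    if not hits:
        return "no %s artifacts in [%s, %s)" % (AFFECTED_GROUP, AFFECTED_FROM, FIXED_IN)
    lines = ["affected %s artifacts (fixed in %s):" % (AFFECTED_GROUP, FIXED_IN)]
    lines += ["  depth %d  %s:%s" % (h.depth, h.artifact, h.version) for h in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real `mvn dependency:tree` output in; otherwise the sample tree is used.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_TREE
    print(report(find_affected(lines)))
```

Two points worth keeping in mind when acting on the output. First, a version inside the range only says the vulnerable code is on the classpath; the invocation path in the report is what shows it is actually reachable here, through `SelfSignedCertificate` in `AbstractSslHandler.secure`. Second, the Netty modules must be kept at one version, so the practical fix is to manage the whole `io.netty` group (for example via the Netty BOM in `dependencyManagement`) to 4.1.77.Final or later, rather than overriding `netty-common` alone.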
Suggested solutions:
Update dependency version
Thank you very much.