Dependency com.alibaba:fastjson, leading to CVE problem #15
Description
Hi, In /snowjena-ticket-server,there is a dependency com.alibaba:fastjson:1.2.73 that calls the risk method.
The scope of this CVE affected version is ** [,1.2.83)**
After further analysis, in this project, the main Api called is com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;
Risk method repair link : GitHub
CVE Bug Invocation Path--
Path Length : 10
CVE Bug Invocation Path :
com.github.onblog.snowjenaticketserver.monitor.MonitorController: monitor(java.lang.String)Lcom.github.onblog.snowjenaticketserver.exception.ResultEnum; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.JSON: parseArray(java.lang.String,java.lang.Class)Ljava.util.List; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.JSON: parseArray(java.lang.String,java.lang.Class,com.alibaba.fastjson.parser.ParserConfig)Ljava.util.List; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.parser.DefaultJSONParser: handleResovleTask(java.lang.Object)V .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.parser.deserializer.ResolveFieldDeserializer: setValue(java.lang.Object,java.lang.Object)V .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.util.TypeUtils: cast(java.lang.Object,java.lang.reflect.Type,com.alibaba.fastjson.parser.ParserConfig)Ljava.lang.Object; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.util.TypeUtils: cast(java.lang.Object,java.lang.Class,com.alibaba.fastjson.parser.ParserConfig)Ljava.lang.Object; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.util.TypeUtils: castToJavaBean(java.util.Map,java.lang.Class,com.alibaba.fastjson.parser.ParserConfig)Ljava.lang.Object; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class)Ljava.lang.Class; .m2/repository/org/springframework/data/spring-data-redis/2.1.9.RELEASE/spring-data-redis-2.1.9.RELEASE.jar
com.alibaba.fastjson.parser.ParserConfig: checkAutoType(java.lang.String,java.lang.Class,int)Ljava.lang.Class;
Dependency tree--
[INFO] com.github.onblog:snowjena-ticket-server:jar:4.0.0.RELEASE
[INFO] +- com.github.onblog:snowjena-common:jar:4.0.0.RELEASE:compile
[INFO] | +- com.alibaba:fastjson:jar:1.2.73:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.26:compile
[INFO] | \- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] | \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] +- com.github.onblog:snowjena-monitor:jar:4.0.0.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-redis:jar:2.1.6.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.6.RELEASE:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] | | +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.23:compile
[INFO] | +- org.springframework.data:spring-data-redis:jar:2.1.9.RELEASE:compile
[INFO] | | +- org.springframework.data:spring-data-keyvalue:jar:2.1.9.RELEASE:compile
[INFO] | | | \- org.springframework.data:spring-data-commons:jar:2.1.9.RELEASE:compile
[INFO] | | +- org.springframework:spring-tx:jar:5.1.8.RELEASE:compile
[INFO] | | +- org.springframework:spring-oxm:jar:5.1.8.RELEASE:compile
[INFO] | | \- org.springframework:spring-context-support:jar:5.1.8.RELEASE:compile
[INFO] | \- io.lettuce:lettuce-core:jar:5.1.7.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.1.6.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.1.6.RELEASE:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.9:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.9:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.9:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.6.RELEASE:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.21:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.21:compile
[INFO] | +- org.hibernate.validator:hibernate-validator:jar:6.0.17.Final:compile
[INFO] | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] | | +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] | | \- com.fasterxml:classmate:jar:1.4.0:compile
[INFO] | +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] | | \- org.springframework:spring-beans:jar:5.1.8.RELEASE:compile
[INFO] | \- org.springframework:spring-webmvc:jar:5.1.8.RELEASE:compile
[INFO] | +- org.springframework:spring-context:jar:5.1.8.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:5.1.8.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.1.6.RELEASE:compile
[INFO] | +- org.springframework:spring-aop:jar:5.1.8.RELEASE:compile
[INFO] | +- org.springframework.security:spring-security-config:jar:5.1.5.RELEASE:compile
[INFO] | | \- org.springframework.security:spring-security-core:jar:5.1.5.RELEASE:compile
[INFO] | \- org.springframework.security:spring-security-web:jar:5.1.5.RELEASE:compile
[INFO] +- redis.clients:jedis:jar:2.9.0:compile
[INFO] | \- org.apache.commons:commons-pool2:jar:2.6.2:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.6:compile
[INFO] +- org.redisson:redisson:jar:3.11.0:compile
[INFO] | +- io.netty:netty-common:jar:4.1.36.Final:compile
[INFO] | +- io.netty:netty-codec:jar:4.1.36.Final:compile
[INFO] | +- io.netty:netty-buffer:jar:4.1.36.Final:compile
[INFO] | +- io.netty:netty-transport:jar:4.1.36.Final:compile
[INFO] | | \- io.netty:netty-resolver:jar:4.1.36.Final:compile
[INFO] | +- io.netty:netty-resolver-dns:jar:4.1.36.Final:compile
[INFO] | | \- io.netty:netty-codec-dns:jar:4.1.36.Final:compile
[INFO] | +- io.netty:netty-handler:jar:4.1.36.Final:compile
[INFO] | +- javax.cache:cache-api:jar:1.1.1:compile
[INFO] | +- io.projectreactor:reactor-core:jar:3.2.10.RELEASE:compile
[INFO] | | \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] | +- io.reactivex.rxjava2:rxjava:jar:2.2.9:compile
[INFO] | +- de.ruedigermoeller:fst:jar:2.57:compile
[INFO] | | +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] | | \- org.objenesis:objenesis:jar:2.5.1:compile
[INFO] | +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] | +- net.bytebuddy:byte-buddy:jar:1.9.13:compile
[INFO] | \- org.jodd:jodd-bean:jar:5.0.10:compile
[INFO] | \- org.jodd:jodd-core:jar:5.0.10:compile
[INFO] +- org.springframework.boot:spring-boot-configuration-processor:jar:2.1.6.RELEASE:compile (optional)
[INFO] \- org.springframework.boot:spring-boot-starter-test:jar:2.1.6.RELEASE:test
[INFO] +- org.springframework.boot:spring-boot-test:jar:2.1.6.RELEASE:test
[INFO] +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.1.6.RELEASE:test
[INFO] +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] | \- net.minidev:json-smart:jar:2.3:test
[INFO] | \- net.minidev:accessors-smart:jar:1.2:test
[INFO] | \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] +- junit:junit:jar:4.12:test
[INFO] +- org.assertj:assertj-core:jar:3.11.1:test
[INFO] +- org.mockito:mockito-core:jar:2.23.4:test
[INFO] | \- net.bytebuddy:byte-buddy-agent:jar:1.9.13:test
[INFO] +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] | \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] +- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] | \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] +- org.springframework:spring-test:jar:5.1.8.RELEASE:test
[INFO] \- org.xmlunit:xmlunit-core:jar:2.6.2:test
[INFO] \- javax.xml.bind:jaxb-api:jar:2.3.1:test
[INFO] \- javax.activation:javax.activation-api:jar:1.2.0:test
Suggested solutions:
Update dependency version
Thank you very much.