WS-2017-3734 (Medium) detected in multiple libraries - autoclosed

[mend-for-github.lhy31512.workers.dev]

WS-2017-3734 - Medium Severity Vulnerability

Vulnerable Libraries - httpclient-4.5.2.jar, httpclient-4.4.1.jar, httpclient-4.2.5.jar, httpclient-4.3.1.jar, httpclient-4.2.1.jar, httpclient-4.3.6.jar

httpclient-4.5.2.jar

Apache HttpComponents Client

Path to dependency file: /dd-java-agent/instrumentation/elasticsearch/rest-6.4/rest-6.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.2/733db77aa8d9b2d68015189df76ab06304406e50/httpclient-4.5.2.jar

Dependency Hierarchy:

• aws-java-sdk-sqs-1.11.0.jar (Root Library)
  • aws-java-sdk-core-1.11.0.jar
    • ❌ httpclient-4.5.2.jar (Vulnerable Library)

httpclient-4.4.1.jar

Apache HttpComponents Client

Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.4.1/16d0bc512222f1253ee6b64d389c84e22f697f0/httpclient-4.4.1.jar

Dependency Hierarchy:

• finatra-http_2.11-21.2.0.jar (Root Library)
  • libthrift-0.10.0.jar
    • ❌ httpclient-4.4.1.jar (Vulnerable Library)

httpclient-4.2.5.jar

HttpComponents Client (base module)

Path to dependency file: /dd-java-agent/instrumentation/synapse-3/synapse-3.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.2.5/666e26e76f2e87d84e4f16acb546481ae1b8e9a6/httpclient-4.2.5.jar

Dependency Hierarchy:

• synapse-nhttp-transport-3.0.0.jar (Root Library)
  • axis2-transport-http-1.7.3.jar
    • ❌ httpclient-4.2.5.jar (Vulnerable Library)

httpclient-4.3.1.jar

HttpComponents Client

Path to dependency file: /dd-java-agent/instrumentation/play-2.3/play-2.3.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.1/ec13f6423eb6d5858e229939a2bc118473ef94c/httpclient-4.3.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.1/ec13f6423eb6d5858e229939a2bc118473ef94c/httpclient-4.3.1.jar

Dependency Hierarchy:

• play-java-ws_2.11-2.3.10.jar (Root Library)
  • signpost-commonshttp4-1.2.1.2.jar
    • ❌ httpclient-4.3.1.jar (Vulnerable Library)

httpclient-4.2.1.jar

HttpComponents Client (base module)

Path to dependency file: /dd-java-agent/instrumentation/jax-rs-client-2.0/jax-rs-client-2.0.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.2.1/b69bd03af60bf487b3ae1209a644ecac587bf6fc/httpclient-4.2.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.2.1/b69bd03af60bf487b3ae1209a644ecac587bf6fc/httpclient-4.2.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.2.1/b69bd03af60bf487b3ae1209a644ecac587bf6fc/httpclient-4.2.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.2.1/b69bd03af60bf487b3ae1209a644ecac587bf6fc/httpclient-4.2.1.jar

Dependency Hierarchy:

• resteasy-jaxrs-3.0.0.Final.jar (Root Library)
  • ❌ httpclient-4.2.1.jar (Vulnerable Library)

httpclient-4.3.6.jar

HttpComponents Client

Path to dependency file: /dd-java-agent/instrumentation/spring-rabbit/spring-rabbit.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.3.6/4c47155e3e6c9a41a28db36680b828ced53b8af4/httpclient-4.3.6.jar

Dependency Hierarchy:

• spring-rabbit-2.0.0.RELEASE.jar (Root Library)
  • http-client-1.3.0.RELEASE.jar
    • ❌ httpclient-4.3.6.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.

Publish Date: 2017-01-21

URL: WS-2017-3734

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2017-01-21

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3

Direct dependency fix Resolution (com.amazonaws:aws-java-sdk-sqs): 1.11.293

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3

Direct dependency fix Resolution (com.typesafe.play:play-java-ws_2.11): 2.4.0

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3

Direct dependency fix Resolution (org.jboss.resteasy:resteasy-jaxrs): 3.0.14.Final

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.3

Direct dependency fix Resolution (org.springframework.amqp:spring-rabbit): 2.0.2.RELEASE

---

⛑️ Automatic Remediation is available for this issue