Description
I found that your project uses some dependencies with CVEs, and the buggy methods of those CVEs are in the program execution path of your project. To prevent the potential risk this may cause, I have suggested some version updates. The following is the detailed content.
Vulnerable Dependency: io.netty : netty : 3.3.1.Final

Call Chain to Buggy Methods:

- Some files in your project call the library method org.jboss.netty.handler.codec.http.CookieDecoder.decode(java.lang.String), which can reach the buggy method of CVE-2015-2156.
  - Files in your project: Frameworks/WOAdaptors/ERWOAdaptor/Sources/er/woadaptor/ERWOAdaptorUtilities.java
  - One of the possible call chains: org.jboss.netty.handler.codec.http.CookieDecoder.decode(java.lang.String) -> org.jboss.netty.handler.codec.http.Cookie.setMaxAge(int) [buggy method]

- Some files in your project call the library method org.jboss.netty.handler.codec.http.CookieEncoder.encode(), which can reach the buggy method of CVE-2015-2156.
  - Files in your project: Frameworks/WOAdaptors/ERWOAdaptor/Sources/com/webobjects/appserver/WOResponseWrapper.java
  - One of the possible call chains: org.jboss.netty.handler.codec.http.CookieEncoder.encode() -> org.jboss.netty.handler.codec.http.CookieEncoder.encodeServerSide() -> org.jboss.netty.handler.codec.http.Cookie.getMaxAge() [buggy method]
Update suggestion: version 3.9.9.Final

3.9.9.Final is a safe version without CVEs. From 3.3.1.Final to 3.9.9.Final, 6 of the APIs (called 7 times in your project) were modified.