
WHATSUPTOYOU/FIND-VUL

FIND-VUL

  • Report Template

  • Title
    Bugs Could Occur When Importing Jar undertow-servlet-2.0.15.Final.jar in This Project

  • Content
    Hi Developer, I found that your project uses a vulnerable jar, undertow-servlet-2.0.15.Final.jar, and calls the vulnerable function handleRequest in file ServletInitialHandler.java (see details in repository undertow-io/undertow, commit ID: d2715e3afa13f50deaa19643676816ce391551e9).
    The CVE number of this vulnerability is CVE-2019-10184. If this project is still in use, please check it and fix this bug as soon as possible. You can update the imported jar undertow-servlet-2.0.15.Final.jar to a version over 2.0.23.Final to avoid this bug, thx.

  • Current Version Match Method

  • Compare the version ID manually (e.g., if the vulnerable project is jooby-1.6.7-SNAPSHOT and a target jar is jooby-1.5.1.jar, then consider it a vulnerable jar)

  • To Do

  • Expand target projects

  • Child module problem

  • Bug Report Revision

  • Another little problem

    • Using MD5 as the condition for matching the target method can still cause problems:
    • For example, there is a target file in undertow-servlet-2.0.21.Final with the following two parts:
      [two images, not preserved in this copy] The two pictures have the same content at lines 80 and 126, so they have the same MD5 value. This could affect the accuracy of method positioning.
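
The ambiguity described above, as an added example that is not part of this repository's code: it assumes the matcher hashes the text of a single source line, and shows how hashing a window of surrounding lines restores a unique position. The Java sample is constructed and all function names are hypothetical.

```python
import hashlib

# Constructed sample (not the real ServletInitialHandler.java): two methods that
# share an identical statement, like lines 80 and 126 in the README's example.
SOURCE = """\
class Handler {
    void handleRequest(HttpServerExchange exchange) {
        String path = exchange.getRelativePath();
        exchange.setStatusCode(404);
        return;
    }
    void dispatchRequest(HttpServerExchange exchange) {
        String info = exchange.getQueryString();
        exchange.setStatusCode(404);
        return;
    }
}
""".splitlines()


def md5(text):
    # MD5 is used here only as a content fingerprint, as in the README.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def window_digest(lines, n, radius=0):
    """Digest of 1-based line n plus `radius` lines of context on each side."""
    lo, hi = max(0, n - 1 - radius), min(len(lines), n + radius)
    return md5("\n".join(line.strip() for line in lines[lo:hi]))


def match(lines, digest, radius=0):
    """All 1-based line numbers whose window hashes to `digest`."""
    return [n for n in range(1, len(lines) + 1)
            if window_digest(lines, n, radius) == digest]


def smallest_unique_radius(lines, n, max_radius=5):
    """Grow the context until line n is the only match; None if it never is."""
    for radius in range(max_radius + 1):
        if match(lines, window_digest(lines, n, radius), radius) == [n]:
            return radius
    return None


if __name__ == "__main__":
    print(match(SOURCE, md5("exchange.setStatusCode(404);")))  # ambiguous
    print(smallest_unique_radius(SOURCE, 4), smallest_unique_radius(SOURCE, 5))
```

A radius of 0 reproduces the single-line match; when the neighbouring lines are duplicated too, the radius has to grow until the window reaches text that differs between the two methods.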
  • Vulnerable Projects

{"jar": "jooby-1.5.1.jar", "vul_project": "zilvis97/your-bank-starter", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.6.4.jar", "vul_project": "lgu-lab/microservices-jooby-demo1", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.2.3.jar", "vul_project": "paul-hammant/JoobyAndSitemeshDemo", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.5.0.jar", "vul_project": "jooby-project/pac4j-starter", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.6.6.jar", "vul_project": "paul-hammant/SvnMerkleizer", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.6.0.jar", "vul_project": "Persilla/termodata", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.2.3.jar", "vul_project": "abdikaalbiyan/TA2", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.4.0.jar", "vul_project": "shuhaibofficial/killbill-purchase-plugin", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.2.3.jar", "vul_project": "ludmiloff/jooby-adminpanel-starter", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "jooby-1.5.0.jar", "vul_project": "jooby-project/livereload-starter", "file": "Jooby", "method": "get", "params": "String path,Route.Handler handler"}
{"jar": "undertow-servlet-1.4.21.Final.jar", "vul_project": "Java-Publications/vaadin-005-helloworld-03", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange"}
{"jar": "undertow-servlet-1.4.16.Final.jar", "vul_project": "Java-Publications/vaadin-011-helloworld-09", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.1.1.Final.jar", "vul_project": "dev-fringe/undertow-jsp", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.0.1.Final.jar", "vul_project": "DominicWatson/embedded-lucee-undertow-factory", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.21.Final.jar", "vul_project": "Java-Publications/vaadin-006-helloworld-04", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.0.1.Final.jar", "vul_project": "cadywsq/Social_Network_Mini_Site", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.21.Final.jar", "vul_project": "Java-Archive/vaadin-dev-environment-demo-vaadin-selenium", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.20.Final.jar", "vul_project": "liningwonder/undertow-portal", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.12.Final.jar", "vul_project": "shunyaorad/undertow-test", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.2.11.Final.jar", "vul_project": "cadywsq/Cloud-Computing_Twitter-Analytics_MySQL", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.21.Final.jar", "vul_project": "Java-Publications/vaadin-005-helloworld-03", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.15.Final.jar", "vul_project": "razvanpaulp/micro-reference-project", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.23.Final.jar", "vul_project": "massyu/iri", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.3.23.Final.jar", "vul_project": "marcusviniciusfs/decora", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.21.Final.jar", "vul_project": "jvwilge/http2-undertow", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.23.Final.jar", "vul_project": "yangjinhe/jcqrobot", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.0.17.Final.jar", "vul_project": "zsoltlengyelit/pallas", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "essentialprogramming/graphql-undertow", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.22.Final.jar", "vul_project": "Java-Events/20171026_JCon2017-PWA", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.3.18.Final.jar", "vul_project": "lupx/15619", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.15.Final.jar", "vul_project": "essentialprogramming/undertow-httpexchange", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "essentialprogramming/undertow-spring-jaxrs-web", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.3.Final.jar", "vul_project": "barais/ensaiLabServlet", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.15.Final.jar", "vul_project": "gabrielhorgos/undertow-jax-rs-cdi-reactive", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.1.0.Final.jar", "vul_project": "dev-fringe/rest-oauth2", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.15.Final.jar", "vul_project": "essentialprogramming/lmax-car-factory", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.21.Final.jar", "vul_project": "Java-Publications/vaadin-008-helloworld-06", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.1.3.Final.jar", "vul_project": "springboot-community/twitter", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.0.0.Beta32.jar", "vul_project": "lordofthejars/arquillian-undertow", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.16.Final.jar", "vul_project": "Java-Publications/vaadin-014-helloworld-12", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "r4g3g0d/undertow-spring-web-docker", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.22.Final.jar", "vul_project": "douglasluo/picture-yourself", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.12.Final.jar", "vul_project": "iakostrov/Questionnaire", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "essentialprogramming/undertow-spring-starter", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "essentialprogramming/web-essentials", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "rogerit/mossony-server-framework", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "essentialprogramming/undertow-spring-swagger", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.16.Final.jar", "vul_project": "Java-Publications/vaadin-013-helloworld-11", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.20.Final.jar", "vul_project": "yuizho/undertow-sample", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.20.Final.jar", "vul_project": "undertow-io/jastow", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.28.Final.jar", "vul_project": "essentialprogramming/undertow-spring-sse", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.16.Final.jar", "vul_project": "Java-Publications/vaadin-010-helloworld-08", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.1.1.Final.jar", "vul_project": "358287625/boot", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.15.Final.jar", "vul_project": "gabrielhorgos/test-undertow-jax-rs-cdi", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.4.18.Final.jar", "vul_project": "OmarHHM/webChat", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-2.0.13.Final.jar", "vul_project": "figuewang/undertow-example", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
{"jar": "undertow-servlet-1.0.15.Final.jar", "vul_project": "asouza/vraptor-undertow", "file": "ServletInitialHandler", "method": "handleRequest", "params": "HttpServerExchange exchange", "groupid": "io.undertow"}
