Dependency org.apache.httpcomponents:httpclient, leading to CVE problem

[CVEDetect]

Prerequisites

Please check the FAQ, and search existing issues for similar questions before creating a new issue.YOU MAY DELETE THIS PREREQUISITES SECTION.

• I have checked the FAQ, and issues and found no answer.

Hi, In /quickstart/testapp，there is a dependency **org.apache.httpcomponents:httpclient:jar:4.5.6
** that calls the risk method.

CVE-2020-13956

The scope of this CVE affected version is [,4.5.13)

After further analysis, in this project, the main Api called is org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 6

com.navercorp.pinpoint.testapp.service.remote.HttpRemoteService: get(java.lang.String,java.lang.Class)Ljava.lang.Object; /.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
com.navercorp.pinpoint.testapp.service.remote.HttpRemoteService: execute(org.apache.http.client.methods.HttpUriRequest,java.lang.Class)Ljava.lang.Object; /.m2/repository/jakarta/annotation/jakarta.annotation-api/1.3.5/jakarta.annotation-api-1.3.5.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.impl.client.CloseableHttpClient: execute(org.apache.http.client.methods.HttpUriRequest,org.apache.http.protocol.HttpContext)Lorg.apache.http.client.methods.CloseableHttpResponse; /.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.impl.client.CloseableHttpClient: determineTarget(org.apache.http.client.methods.HttpUriRequest)Lorg.apache.http.HttpHost; /.m2/repository/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
org.apache.http.client.utils.URIUtils: extractHost(java.net.URI)Lorg.apache.http.HttpHost;

Dependency tree--

[INFO] com.navercorp.pinpoint:pinpoint-quickstart-testapp:jar:2.5.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-thymeleaf:jar:2.5.12:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.5.12:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.5.12:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.5.12:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.5.12:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] |  |  +- org.springframework:spring-core:jar:5.3.18:compile
[INFO] |  |  |  \- org.springframework:spring-jcl:jar:5.3.18:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.28:compile
[INFO] |  +- org.thymeleaf:thymeleaf-spring5:jar:3.0.15.RELEASE:compile
[INFO] |  |  +- org.thymeleaf:thymeleaf:jar:3.0.15.RELEASE:compile
[INFO] |  |  |  +- org.attoparser:attoparser:jar:2.0.5.RELEASE:compile
[INFO] |  |  |  \- org.unbescape:unbescape:jar:1.1.6.RELEASE:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  \- org.thymeleaf.extras:thymeleaf-extras-java8time:jar:3.0.4.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.12:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.5.12:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO] |  |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] |  |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.12.6:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.12.6:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.12.6:compile
[INFO] |  +- org.springframework:spring-web:jar:5.3.18:compile
[INFO] |  |  \- org.springframework:spring-beans:jar:5.3.18:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.18:compile
[INFO] |     +- org.springframework:spring-aop:jar:5.3.18:compile
[INFO] |     +- org.springframework:spring-context:jar:5.3.18:compile
[INFO] |     \- org.springframework:spring-expression:jar:5.3.18:compile
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.5.12:compile
[INFO] |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.60:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.60:compile
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.60:compile
[INFO] \- org.apache.httpcomponents:httpclient:jar:4.5.6:compile
[INFO]    +- org.apache.httpcomponents:httpcore:jar:4.4.10:compile
[INFO]    +- commons-logging:commons-logging:jar:1.2:compile
[INFO]    \- commons-codec:commons-codec:jar:1.10:compile

Suggested solutions:

Update dependency version

Thank you very much.