
Remove org.apache.httpcomponents:httpclient-win from Spring Boot #33219

Closed
ManjunathMS35 opened this issue Nov 16, 2022 · 3 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@ManjunathMS35

Hi,

The org.apache.httpcomponents:httpclient-win artifact comes with the vulnerable jna-platform, and this is fixed in org.apache.httpcomponents.client5:httpclient5-win. In Spring Boot both of these dependencies are available for users. Does it make sense to keep only httpclient5 and remove the vulnerable httpclient-win?

Kind regards,
Manjunath

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2022
@bclozel
Member

bclozel commented Nov 16, 2022

Could you elaborate a bit on this vulnerability? Could you share the CVE ID?

@bclozel bclozel added the status: waiting-for-feedback We need additional information before we can continue label Nov 16, 2022
@ManjunathMS35
Author

There is no CVE ID I could find. This was reported by WhiteSource with the below description:

JNA prior to 5.0.0 was discovered to contain an out-of-bounds read. Advapi32Util.registryGetValues does not terminate the returned string with null terminators. When it tries to identify the string content it searches for the next null-terminator and will read out-of-bounds of the buffer.

Related links: java-native-access/jna#340 , java-native-access/jna@12493ba

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Nov 16, 2022
@wilkinsona
Member

Spring Boot both of these dependencies are available for users

Spring Boot only manages the version of httpclient-win as it's part of the Apache HTTP Client and we try to provide dependency management for every module in a library. Managing a dependency doesn't make it available. An application must still add the dependency to its build.

remove the vulnerable httpclient-win

Removing dependency management for httpclient-win won't prevent an application from depending on it and it may break someone's build. Thanks for the suggestion, but I think we should leave things as they are.

@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Nov 16, 2022
@wilkinsona wilkinsona added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Nov 16, 2022
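The practical consequence of the maintainer's reply is that a managed version tells you nothing about what is on an application's classpath; only the resolved build does. The following is an added example, not code from the issue or from Spring Boot, that scans `mvn dependency:tree` text output for a resolved jna-platform below 5.0.0 (the fixed version quoted from the advisory above). The two tree listings are constructed samples, and the coordinate format assumed is Maven's `group:artifact:packaging[:classifier]:version:scope`.

```python
import re

# Constructed `mvn dependency:tree` output (not from the issue). The first project
# declares httpclient-win, which transitively resolves jna-platform below 5.0.0;
# the second only inherits Spring Boot's managed version and never declares it.
TREE_WITH_WIN = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] \\- org.apache.httpcomponents:httpclient-win:jar:4.5.13:compile
[INFO]    +- org.apache.httpcomponents:httpclient:jar:4.5.13:compile
[INFO]    +- net.java.dev.jna:jna:jar:4.5.2:compile
[INFO]    \\- net.java.dev.jna:jna-platform:jar:4.5.2:compile
"""
TREE_WITHOUT_WIN = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
"""

# (groupId, artifactId) -> first version without the flaw. jna-platform's value
# follows the advisory text quoted in the issue ("JNA prior to 5.0.0").
FIXED_IN = {("net.java.dev.jna", "jna-platform"): "5.0.0"}

# Assumed Maven line shape: group:artifact:packaging[:classifier]:version:scope[ (optional)]
COORD_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w.\-]+:)?([\w.\-]+):(\w+)"
    r"(?:\s+\(optional\))?\s*$"
)

def parse_tree(text):
    """Yield (groupId, artifactId, version, scope) for each resolved dependency line."""
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m:
            yield m.groups()

def version_key(v):
    # Numeric-aware ordering; non-numeric qualifiers (SNAPSHOT, RC1) count as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def find_vulnerable(text, fixed_in=FIXED_IN):
    """Return sorted 'group:artifact:version' entries resolved below their fixed version."""
    hits = set()
    for group, artifact, version, _scope in parse_tree(text):
        fixed = fixed_in.get((group, artifact))
        if fixed and version_key(version) < version_key(fixed):
            hits.add(f"{group}:{artifact}:{version}")
    return sorted(hits)
```

Feed it the captured output of `mvn dependency:tree` for a real module; an empty result means the managed artifact was never pulled into that build, which is the distinction the maintainer draws.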