Hi,

The org.apache.httpcomponents:httpclient-win comes with the vulnerable jna-platform, and this is fixed in org.apache.httpcomponents.client5:httpclient5-win. In Spring Boot both of these dependencies are available for users. Does it make sense to keep only httpclient5 and remove the vulnerable httpclient-win?

Kind regards, Manjunath

Comment From: bclozel

Could you elaborate a bit on this vulnerability? Could you share the CVE ID?

Comment From: ManjunathMS35

There is no CVE ID I could find. This was reported by WhiteSource with the below description:

JNA prior to 5.0.0 was discovered to contain an out-of-bounds read. Advapi32Util.registryGetValues does not terminate the returned string with null terminators. When it tries to identify the string content it searches for the next null-terminator and will read out-of-bounds of the buffer.

Related links: https://github.com/java-native-access/jna/issues/340 and https://github.com/java-native-access/jna/commit/12493ba771a50fae7d6303e8b58b31eacf903327

Comment From: wilkinsona

> Spring boot both of these dependencies are available for user

Spring Boot only manages the version of httpclient-win as it's part of the Apache HTTP Client and we try to provide dependency management for every module in a library. Managing a dependency doesn't make it available. An application must still add the dependency to its build.

> remove the vulnerable httpclient-win

Removing dependency management for httpclient-win won't prevent an application from depending on it and it may break someone's build. Thanks for the suggestion, but I think we should leave things as they are.
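The distinction drawn above, as an added Maven example that is not part of this thread or of Spring Boot's own build: an imported BOM only fixes versions of artifacts an application declares, so the unused httpclient-win never reaches the classpath, while the JNA artifacts that the declared Windows module pulls in can be pinned to a release at or after 5.0.0, where the thread says the out-of-bounds read was fixed. The version values are placeholders, and the assumption is that the application itself declares httpclient5-win.

```xml
<!-- Constructed pom.xml fragment; SPRING_BOOT_VERSION, JNA_VERSION and
     HTTPCLIENT5_VERSION are placeholders to fill in, not values from the thread. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Importing the Spring Boot BOM fixes versions for artifacts it manages
           (httpclient-win among them) but adds nothing to the classpath. -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>SPRING_BOOT_VERSION</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <!-- Pin the transitive JNA artifacts (both jna-platform and the jna core it
           depends on, kept at the same version) to a release >= 5.0.0, the range
           the thread identifies as carrying the Advapi32Util fix. -->
      <dependency>
        <groupId>net.java.dev.jna</groupId>
        <artifactId>jna-platform</artifactId>
        <version>JNA_VERSION</version>
      </dependency>
      <dependency>
        <groupId>net.java.dev.jna</groupId>
        <artifactId>jna</artifactId>
        <version>JNA_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- httpclient-win is deliberately NOT declared here: a managed artifact that
         no declaration references is never resolved, so it cannot bring the old
         jna-platform along. Only this explicit declaration pulls in a Windows module
         and, through it, the pinned JNA artifacts above. -->
    <dependency>
      <groupId>org.apache.httpcomponents.client5</groupId>
      <artifactId>httpclient5-win</artifactId>
      <version>HTTPCLIENT5_VERSION</version>
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree` against the resulting build shows which JNA version is actually resolved and confirms that httpclient-win is absent.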