最近安全漏洞升级 自己用 maven插件 

dependency-check-maven

试了下 

发现这个漏洞修复是cos包的

有其他升级过的大佬指教下这个咋解决嘛

PS: 关联项目不好找 jfinal-undertow    先用jfinal挂名

Summary

Display: Showing Vulnerable Dependencies (click to show all)

Dependencies

jfinal-undertow-2.1.jar

Description:

jfinal undertow

License:

The Apache Software License, Version 2.0: http://apache.org/licenses/LICENSE-2.0.txt

File Path: D:\maven\repository\com\jfinal\jfinal-undertow\2.1\jfinal-undertow-2.1.jar
MD5: d1c27405af709c8adb7dfc78de4addde
SHA1: 40c1e2f7b830a5ba4b6d33dd36fbbd19eae530f2
SHA256:ff946d70ada9d514c0f93bee601c056c9974526f09f153115db704aedb1c69a0
Referenced In Project/Scope:demo:compile

Evidence

Identifiers

• pkg:maven/com.jfinal/jfinal-undertow@2.1  (Confidence

  :High)

• cpe:2.3:a:jfinal:jfinal:2.1:*:*:*:*:*:*:*  (Confidence

  :Highest) 

  suppress

Published Vulnerabilities

CVE-2019-17352  suppress

In JFinal cos before 2019-08-13, as used in JFinal 4.4, there is a vulnerability that can bypass the isSafeFile() function: one can upload any type of file. For example, a .jsp file may be stored and almost immediately deleted, but this deletion step does not occur for certain exceptions.

CWE-434 Unrestricted Upload of File with Dangerous Type

CVSSv2:

• Base Score: MEDIUM (5.0)
• Vector: /AV:N/AC:L/Au:N/C:N/I:N/A:N

CVSSv3:

• Base Score: HIGH (7.5)
• Vector: /AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References:

• MISC - 

  https://gitee.com/jfinal/cos/commit/5eb23d6e384abaad19faa7600d14c9a2f525946a

• MISC - 

  https://gitee.com/jfinal/cos/commit/8d26eec61f0d072a68bf7393cf3a8544a1112130

• MISC - 

  https://github.com/jfinal/jfinal/issues/171

Vulnerable Software & Versions:

• cpe:2.3:a:jfinal:jfinal:*:*:*:*:*:*:*:* versions up to (excluding) 4.4