Dependency org.apache.tomcat.embed:tomcat-embed-core, leading to CVE problem

[CVEDetect]

Hi, In jwt-spring-security-demo，there is a dependency org.apache.tomcat.embed:tomcat-embed-core:8.5.23 that calls the risk method.

CVE-2018-8014

The scope of this CVE affected version is [,7.0.89),[8.0.0, 8.0.53),[8.5.0, 8.5.32),[9.0.0, 9.0.9)

After further analysis, in this project, the main Api called is <org.apache.catalina.filters.CorsFilter: void handleSimpleCORS(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)>

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

<org.apache.catalina.filters.CorsFilter: void handleSimpleCORS(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)>
at <org.apache.catalina.filters.CorsFilter: void doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse,javax.servlet.FilterChain)> (org.apache.catalina.filters.CorsFilter.java:[161, 157]) in /home/wc/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
at <org.apache.catalina.core.ApplicationFilterChain: void internalDoFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)> (org.apache.catalina.core.ApplicationFilterChain.java:[193]) in /home/wc/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
at <org.apache.catalina.core.ApplicationFilterChain: void doFilter(javax.servlet.ServletRequest,javax.servlet.ServletResponse)> (org.apache.catalina.core.ApplicationFilterChain.java:[166]) in /home/wc/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.23/tomcat-embed-core-8.5.23.jar
at <org.zerhusen.security.JwtAuthenticationTokenFilter: void doFilterInternal(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse,javax.servlet.FilterChain)> (org.zerhusen.security.JwtAuthenticationTokenFilter.java:[70]) in /home/wc/detect/unzip/jwt-spring-security-demo-1.0.0/target/classes

Dependency tree--

[INFO] org.zerhusen:jwt-spring-security-demo:jar:0.2.0
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:1.5.9.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:1.5.9.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:1.5.9.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.9.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.9.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] |  |  |  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:1.5.9.RELEASE:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.8.13:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:1.5.9.RELEASE:compile
[INFO] |  |  +- org.apache.tomcat:tomcat-jdbc:jar:8.5.23:compile
[INFO] |  |  |  \- org.apache.tomcat:tomcat-juli:jar:8.5.23:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:4.3.13.RELEASE:compile
[INFO] |  +- org.hibernate:hibernate-core:jar:5.0.12.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.1.Final:compile
[INFO] |  |  +- org.hibernate.javax.persistence:hibernate-jpa-2.1-api:jar:1.0.0.Final:compile
[INFO] |  |  +- org.javassist:javassist:jar:3.21.0-GA:compile
[INFO] |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  +- org.jboss:jandex:jar:2.0.0.Final:compile
[INFO] |  |  \- org.hibernate.common:hibernate-commons-annotations:jar:5.0.1.Final:compile
[INFO] |  +- org.hibernate:hibernate-entitymanager:jar:5.0.12.Final:compile
[INFO] |  +- javax.transaction:javax.transaction-api:jar:1.2:compile
[INFO] |  +- org.springframework.data:spring-data-jpa:jar:1.11.9.RELEASE:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:1.13.9.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-orm:jar:4.3.13.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context:jar:4.3.13.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-tx:jar:4.3.13.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:4.3.13.RELEASE:compile
[INFO] |  |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  |  \- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] |  \- org.springframework:spring-aspects:jar:4.3.13.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-rest:jar:1.5.9.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:1.5.9.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:1.5.9.RELEASE:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:8.5.23:compile
[INFO] |  |  |  |  \- org.apache.tomcat:tomcat-annotations-api:jar:8.5.23:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.23:compile
[INFO] |  |  |  \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:8.5.23:compile
[INFO] |  |  +- org.hibernate:hibernate-validator:jar:5.3.6.Final:compile
[INFO] |  |  |  +- javax.validation:validation-api:jar:1.1.0.Final:compile
[INFO] |  |  |  \- com.fasterxml:classmate:jar:1.3.4:compile
[INFO] |  |  +- org.springframework:spring-web:jar:4.3.13.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-webmvc:jar:4.3.13.RELEASE:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.10:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.8.10:compile
[INFO] |  \- org.springframework.data:spring-data-rest-webmvc:jar:2.6.9.RELEASE:compile
[INFO] |     \- org.springframework.data:spring-data-rest-core:jar:2.6.9.RELEASE:compile
[INFO] |        +- org.springframework.hateoas:spring-hateoas:jar:0.23.0.RELEASE:compile
[INFO] |        +- org.springframework.plugin:spring-plugin-core:jar:1.2.0.RELEASE:compile
[INFO] |        \- org.atteo:evo-inflector:jar:1.2.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-mobile:jar:1.5.9.RELEASE:compile
[INFO] |  \- org.springframework.mobile:spring-mobile-device:jar:1.1.5.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:1.5.9.RELEASE:compile
[INFO] |  +- org.springframework:spring-aop:jar:4.3.13.RELEASE:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:4.2.3.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:4.2.3.RELEASE:compile
[INFO] |     \- org.springframework:spring-expression:jar:4.3.13.RELEASE:compile
[INFO] +- com.h2database:h2:jar:1.4.196:runtime
[INFO] +- io.jsonwebtoken:jjwt:jar:0.7.0:compile
[INFO] +- com.google.code.findbugs:findbugs:jar:3.0.1:compile
[INFO] |  +- net.jcip:jcip-annotations:jar:1.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:2.0.1:compile
[INFO] |  +- com.google.code.findbugs:bcel-findbugs:jar:6.0:compile
[INFO] |  +- com.google.code.findbugs:jFormatString:jar:2.0.1:compile
[INFO] |  +- dom4j:dom4j:jar:1.6.1:compile
[INFO] |  |  \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] |  +- org.ow2.asm:asm-debug-all:jar:5.0.2:compile
[INFO] |  +- org.ow2.asm:asm-commons:jar:5.0.2:compile
[INFO] |  |  \- org.ow2.asm:asm-tree:jar:5.0.2:compile
[INFO] |  |     \- org.ow2.asm:asm:jar:5.0.2:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.apple:AppleJavaExtensions:jar:1.4:compile
[INFO] |  \- jaxen:jaxen:jar:1.1.6:compile
[INFO] |  +- org.springframework:spring-core:jar:4.3.13.RELEASE:compile
[INFO]    \- org.springframework.security:spring-security-core:jar:4.2.3.RELEASE:compile
[INFO]       \- aopalliance:aopalliance:jar:1.0:compile

Suggested solutions:

Update dependency version

Thank you very much.

[CVEDetect]

@szerhusenBC
Could please help me check this issue?
May I pull a request to fix it?
Thanks again.