[Bug]

[VDPcker]

Search before asking

• I searched the issues and found no similar issues.

DSS Component

dss-appconn

What happened + What you expected to happen

Hello! I find a vulnerable dependency in your project, and I find its vulnerable method can be easily accessed from your project. Therefore, maybe you need to upgrade this dependency.

• CVE_ID: CVE-2022-22965
• Vulnerable dependency: org.springframework:spring-beans
• Your invocation path to the vulnerable method:

com.webank.wedatasphere.dss.appconn.dolphinscheduler.conversion.WorkflowToDolphinSchedulerRelConverter:convertWorkflow(com.webank.wedatasphere.dss.appconn.dolphinscheduler.entity.DolphinSchedulerConvertedRel)
⬇️
org.springframework.beans.BeanUtils:copyProperties(java.lang.Object,java.lang.Object)
⬇️
...
⬇️
org.springframework.beans.CachedIntrospectionResults:<init>(java.lang.Class)

Hope this can help you! 😄

Relevent platform

More information here:

1. Github advisory: GHSA-36p3-wjmg-h94x
2. NVD: https://nvd.nist.gov/vuln/detail/cve-2022-22965

Reproduction script

I haven't triggered this vulnerability yet, while I found along the call chain to the vulnerable function, there exist few constraints, which means it can be easily accessed, therefore I think it is better for you to take an upgrade. Thanks! 😄

Anything else

No response

Are you willing to submit a PR?

• Yes I am willing to submit a PR!