I am running a Spring Boot application with the parent below:
```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.2.RELEASE</version>
    <type>pom</type>
</dependency>
```
We have a Twistlock scan in our organization. It scans the Docker image we build and reports back the vulnerabilities found in the image.
When I created a Docker image for my application and scanned it with the Twistlock scan, I found the vulnerability below.
CVE | Severity | Package | Version | Status | Published | Description |
---|---|---|---|---|---|---|
CVE-2020-13956 | Medium | org.apache.httpcomponents_httpclient | 3.1-1.0 | fixed in 5.0.3, 4.5.13 | 84 days | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. |
CVE-2020-13956 | Medium | org.apache.httpcomponents_httpclient | 3.0-1.0 | fixed in 5.0.3, 4.5.13 | 84 days | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. |
CVE-2020-13956 | Medium | org.apache.httpcomponents_httpclient | 4.0-1.0 | fixed in 5.0.3, 4.5.13 | 84 days | Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution. |
But I checked the effective POM of my application and found that it uses the dependency below, which is not vulnerable:
`org.apache.httpcomponents:httpclient:4.5.13`
I have scanned my base image from Docker Hub as well, and it is also free of vulnerabilities. I am not sure where this vulnerability is coming from.
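One check that narrows a finding like this down: image scanners identify Java packages from the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries inside jars, including jars nested in a Spring Boot fat jar under `BOOT-INF/lib`, so an inventory of those entries shows exactly which jar carries httpclient coordinates and which version string it records. The script below is an added example, not part of the question or of Twistlock; the fat jar it inspects is constructed in memory, and the shaded third-party jar in it is hypothetical.

```python
import io
import zipfile

# Maven records a jar's coordinates in META-INF/maven/<groupId>/<artifactId>/pom.properties.
# A Spring Boot fat jar nests its dependencies as BOOT-INF/lib/*.jar, so we descend into nested jars.

def _parse_properties(text):
    # Minimal java.util.Properties reader: key=value lines, '#' comment lines.
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def maven_coordinates(jar_bytes, location="<root>"):
    # Returns [(location, groupId, artifactId, version)] for every pom.properties in this jar
    # and in any jar nested inside it; 'location' is the path of the jar that carries the entry.
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = _parse_properties(zf.read(name).decode("utf-8", "replace"))
                found.append((location, p.get("groupId"), p.get("artifactId"), p.get("version")))
            elif name.endswith(".jar"):
                found.extend(maven_coordinates(zf.read(name), f"{location}/{name}"))
    return found

def httpclient_findings(jar_bytes):
    # Only the coordinates a scanner would match against the httpclient advisory.
    return [f for f in maven_coordinates(jar_bytes)
            if f[1] == "org.apache.httpcomponents" and f[2] == "httpclient"]

def _jar(entries):
    # Build an in-memory jar (zip) from {entry name: content}; used for the constructed sample.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample fat jar: the declared httpclient 4.5.13 plus a hypothetical third-party jar
# that shaded an older httpclient and kept its pom.properties, which is what a scanner reports on.
HTTPCLIENT_POM = "META-INF/maven/org.apache.httpcomponents/httpclient/pom.properties"
SAMPLE_FAT_JAR = _jar({
    "BOOT-INF/lib/httpclient-4.5.13.jar": _jar({
        HTTPCLIENT_POM: "groupId=org.apache.httpcomponents\nartifactId=httpclient\nversion=4.5.13\n"}),
    "BOOT-INF/lib/example-shaded-lib-1.0.jar": _jar({
        "META-INF/maven/com.example/example-shaded-lib/pom.properties":
            "groupId=com.example\nartifactId=example-shaded-lib\nversion=1.0\n",
        HTTPCLIENT_POM: "groupId=org.apache.httpcomponents\nartifactId=httpclient\nversion=4.0\n"}),
})
```

Against a real image, copy the application jar out of the container and pass its bytes to `httpclient_findings`; every location it lists is a jar the scanner can attribute an httpclient version to, independent of what the effective POM declares.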