googleapis/java-storage

CVE-2023-33953 through io.grpc.* (1.56.1)

cdraeger opened this issue · 3 comments

Hi, our OWASP dependency check is failing builds due to https://nvd.nist.gov/vuln/detail/CVE-2023-33953 (https://cloud.google.com/support/bulletins#gcp-2023-022)

I assume updating the io.grpc dependencies to at least the 1.56.2 patch version is required. Thanks!

According to https://cloud.google.com/support/bulletins#gcp-2023-022 the noted vulnerability only applies to the C++ and thereby Python and Ruby (both Python and Ruby use the C++ implementation) implementations of gRPC. The Java gRPC implementation does not use the C++ implementation at all.

I think you are right, also according to: jeremylong/DependencyCheck#5890

However, then this is a false positive for anyone using the dependency check and your library. But not really your problem then, just for your awareness. Thanks.

Thanks for the link to the DependencyCheck issue for posterity.
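For anyone hitting the same false positive in their own build, the usual way to record it is an OWASP dependency-check suppression file that scopes the suppression to the gRPC Java artifacts and the single CVE discussed above, so that other findings on the same artifacts are still reported. This is an added example, not something from this thread or from the java-storage project; the `packageUrl` regex (matching every `io.grpc:grpc-*` Maven artifact) and the notes text are assumptions you should adjust to your own build, and the file is wired in with the `suppressionFile` setting of whichever dependency-check plugin or CLI you use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <!-- Justification kept next to the rule so it can be reviewed later.
             Assumed wording; point it at your own tracking ticket. -->
        <notes><![CDATA[
            CVE-2023-33953 affects the C++ gRPC core (and the Python/Ruby bindings
            built on it), not grpc-java. See GCP bulletin gcp-2023-022 and
            jeremylong/DependencyCheck#5890. Revisit if the NVD CPE mapping changes.
        ]]></notes>
        <!-- Assumed scope: all io.grpc:grpc-* Maven artifacts, any version. -->
        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc\-.*@.*$</packageUrl>
        <!-- Suppress only this CVE; any other finding on these artifacts still fails the build. -->
        <cve>CVE-2023-33953</cve>
    </suppress>
</suppressions>
```

Keeping the suppression to one CVE and a narrow package pattern (rather than suppressing the artifacts wholesale) is what makes a rule like this safe to leave in place: when gRPC Java later has a genuine advisory, the scan still surfaces it.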