hyperledger-web3j/web3j

Critical Security Severity on 4.9.4

Boldbayar opened this issue · 2 comments

Hello, I have found the following security issue by scanning with Snyk:

Provides transitive vulnerable dependency org.bouncycastle:bcprov-jdk15on:1.68

  1. https://advisory.checkmarx.net/advisory/vulnerability/Cxa9261daf-3755/ on dependency

I see it as well. You can probably fix it by forcing Maven/Gradle to use a higher version of Bouncy Castle in properties (similarly to upgrading the log4j lib, CVE-2021-45105), but I don't know if it won't break the library/tests.
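The override suggested above, written out as an added example rather than code from the web3j project or from either commenter: a Gradle (Groovy DSL) resolution strategy that rewrites every request for the transitive `org.bouncycastle:bcprov-jdk15on` artifact to one pinned version, whichever dependency pulled in 1.68. The property name `bouncyCastleVersion`, its placeholder value, and the `org.web3j:core:4.9.4` coordinate are assumptions; the page itself names no fixed Bouncy Castle release.

```groovy
// Added example (not web3j project code): pin the transitive Bouncy Castle
// artifact that the scan flagged (bcprov-jdk15on 1.68) to a single newer
// release for every configuration of this build.
//
// Assumptions: `bouncyCastleVersion` and its value are placeholders; set the
// value to the patched release accepted by your scanner before building.
ext {
    bouncyCastleVersion = '1.XX' // PLACEHOLDER: patched bcprov-jdk15on release
}

dependencies {
    // Coordinate assumed for illustration; 4.9.4 is the version the issue reports.
    implementation 'org.web3j:core:4.9.4'
}

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        def req = details.requested
        // Match only the flagged module so unrelated libraries are untouched.
        if (req.group == 'org.bouncycastle' && req.name == 'bcprov-jdk15on') {
            // Replace whatever version the transitive path asked for (1.68 here).
            details.useVersion bouncyCastleVersion
            // Recorded reason shows up in `dependencyInsight` output for reviewers.
            details.because 'transitive bcprov-jdk15on 1.68 flagged by Snyk scan'
        }
    }
}

// Verification, run from the project root after applying the override:
//   ./gradlew dependencyInsight --dependency bcprov-jdk15on --configuration runtimeClasspath
// The report lists the selected version, the "because" reason above, and the
// dependency path (web3j -> bcprov-jdk15on) that originally requested 1.68.
```

Since the override changes the Bouncy Castle version web3j was compiled against, the project's own test suite still has to be run after pinning, which is the compatibility concern the comment raises.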

@Boldbayar thank you for this finding, we will look into possibly adding a dependency override.