(only test scope): bcprov-jdk15on package version 1.60 is vulnerable to CVE-2020-15522
Abderrahman-byte opened this issue · 3 comments
Abderrahman-byte commented
bcprov-jdk15on package must be updated to version 1.70
wvandermerwe commented
@patrickfav Hi there, is this lib still being maintained?
patrickfav commented
Hi,
First, thanks for reporting the CVE!
However, this is a non-issue since bcprov-jdk15on is ONLY used in the TEST scope and is not a dependency during runtime.
The test also just checks if the output is compatible with the output of Bouncy Castle (a regression test, so to speak).
I will soon update all the dependencies, therefore also this dependency (need to migrate away from JCenter).
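Added example, not part of the thread or the project's own code: a small triage check for the argument in the reply above. It reads a Maven `pom.xml` and reports whether a flagged artifact is declared in a scope that reaches the runtime classpath. The Maven build, the constructed sample POM and the function names are assumptions; only direct declarations are inspected, not transitive ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample POM (assumption: a Maven build; not the project's real file).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>runtime-helper</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15on</artifactId>
      <version>1.60</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

# Maven scopes whose artifacts are on the runtime classpath of consumers.
RUNTIME_SCOPES = {"compile", "runtime"}


def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def direct_dependencies(pom_text):
    """Return {"groupId:artifactId": (version, scope)} for direct dependencies."""
    root = ET.fromstring(pom_text)
    found = {}
    for section in root:  # top-level children only, so dependencyManagement is skipped
        if _local(section.tag) != "dependencies":
            continue
        for dep in section:
            fields = {_local(c.tag): (c.text or "").strip() for c in dep}
            key = f"{fields['groupId']}:{fields['artifactId']}"
            found[key] = (fields.get("version"), fields.get("scope") or "compile")
    return found


def ships_at_runtime(pom_text, coordinate):
    """True if the coordinate is declared directly in a runtime-visible scope."""
    _version, scope = direct_dependencies(pom_text).get(coordinate, (None, "absent"))
    return scope in RUNTIME_SCOPES
```

A `False` result only covers the direct declaration; the same artifact can still arrive transitively through a compile-scope dependency, which the resolved dependency tree would show.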
patrickfav commented
This warning is now fixed with 0.10.0