Adyen / adyen-android

Adyen Android Drop-in and Components
https://docs.adyen.com/checkout/android
MIT License

Bump Adyen 3DS2 to v2.2.16+ to solve CVE-2023-33201 #1557

Closed igortepavac closed 4 days ago

igortepavac commented 3 weeks ago

Hi, could you please update the Adyen 3DS2 dependency to v2.2.16? It contains a newer version of the Bouncy Castle library (v1.77) which contains a fix for CVE-2023-33201.

The vulnerability was already mentioned in https://github.com/Adyen/adyen-3ds2-android/issues/63.

Thank you!

igortepavac commented 3 weeks ago

Additionally, would it be possible to include the fix also in the 4.x.x version? It would be helpful to not be forced to upgrade to a new major version immediately. Thank you for understanding!

jreij commented 2 weeks ago

Hi @igortepavac, thanks for reaching out! We are already working on this, we'll update this issue once we have a solution.

tkuntubayev commented 2 weeks ago

Hi @igortepavac, to give some context on CVE-2023-33201: it only applies if an LDAP directory is used, which is not the case for the 3DS2 SDK, so it does not impact it directly. The 3DS2 SDK v2.2.15 should be compatible with Bouncy Castle versions up to v1.77, which means it could also be updated separately from the app side.
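The comment above says the transitive Bouncy Castle dependency can be raised to v1.77 from the app side without waiting for a new SDK release. As an added illustration (not code from this thread or from the Adyen project), the following Gradle Kotlin DSL fragment for an app module's `build.gradle.kts` does exactly that, and is written so that it does not need to know which Bouncy Castle artifact the SDK pulls in: every dependency in the `org.bouncycastle` group is resolved to 1.77. The `adyen-3ds2-version-placeholder` coordinate is a placeholder standing in for whatever SDK artifact the app already declares.

```kotlin
// Added example for an app module's build.gradle.kts; not part of the Adyen SDK.
// Goal: make sure any transitive org.bouncycastle artifact resolves to 1.77,
// the version this thread reports as containing the fix for CVE-2023-33201.
// The SDK coordinate below is a placeholder; keep whatever the app already declares.

dependencies {
    implementation("com.adyen.checkout:adyen-3ds2-version-placeholder")  // placeholder
}

configurations.all {
    resolutionStrategy.eachDependency {
        // Match on the group only, so the rule applies regardless of whether
        // the SDK depends on bcprov, bcpkix or another Bouncy Castle module.
        if (requested.group == "org.bouncycastle") {
            useVersion("1.77")
            because("CVE-2023-33201: raise transitive Bouncy Castle to 1.77 (see adyen-android issue #1557)")
        }
    }
}
```

After syncing, confirm what actually ends up on the classpath rather than trusting the rule, for example with `./gradlew :app:dependencies --configuration releaseRuntimeClasspath | grep bouncycastle`: every `org.bouncycastle` line should show `-> 1.77` (or `1.77` directly). Treat the pin as an interim measure; once the app moves to the SDK release mentioned later in this thread, the rule can be removed so that future SDK-driven Bouncy Castle upgrades are not silently held back at 1.77.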

OscarSpruit commented 22 hours ago

@igortepavac we just released 4.13.5 to address this issue. The v5 release will follow later.