TBD54566975 / web5-kt

Apache License 2.0

Sec Vuln: com.google.protobuf:protobuf-javalite@3.18.0 #242

Closed ALRubinger closed 7 months ago

ALRubinger commented 7 months ago

From https://github.com/TBD54566975/web5-kt/actions/runs/7896482454/job/21550530043:

Critical vulnerability detected on com.google.protobuf:protobuf-javalite@3.18.0
  CVE ID: CVE-2022-3509
  Fixed in: 3.19.6    

Force resolution to recommended; test this doesn't introduce other issues in the testsuite.

ALRubinger commented 7 months ago

Confirmed before:

./gradlew -q dependencyInsight --dependency protobuf-javalite --configuration tRC -p credentials
com.google.protobuf:protobuf-javalite:3.18.0

ALRubinger commented 7 months ago

Confirmed after fix:

./gradlew -q dependencyInsight --dependency protobuf-javalite --configuration tRC -p credentials
com.google.protobuf:protobuf-javalite:3.19.6 (forced)

In PR #241
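
One way to force the resolution described in this issue and keep it from regressing, as an added example (not part of the thread and not the change made in PR #241). It assumes a Gradle Kotlin DSL build file for the affected module; the task name `verifyProtobufJavalite` and the helper `isOlder` are hypothetical.

```kotlin
// build.gradle.kts of the affected module (added example, not the project's own code)
import org.gradle.api.GradleException

val protobufJavalite = "com.google.protobuf:protobuf-javalite"
val fixedVersion = "3.19.6" // "Fixed in" version reported for CVE-2022-3509 above

configurations.all {
    resolutionStrategy {
        // Pin the transitive dependency; dependencyInsight then reports "(forced)".
        force("$protobufJavalite:$fixedVersion")
    }
}

// Compare dotted numeric versions, e.g. "3.18.0" is older than "3.19.6".
fun isOlder(version: String, minimum: String): Boolean {
    val a = version.split(".").map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    val b = minimum.split(".").map { it.takeWhile(Char::isDigit).toIntOrNull() ?: 0 }
    for (i in 0 until maxOf(a.size, b.size)) {
        val x = a.getOrElse(i) { 0 }
        val y = b.getOrElse(i) { 0 }
        if (x != y) return x < y
    }
    return false
}

// Hypothetical guard task: fails the build if any resolvable classpath
// still selects a protobuf-javalite version older than the fixed one.
tasks.register("verifyProtobufJavalite") {
    doLast {
        val offenders = configurations
            .filter { it.isCanBeResolved && it.name.endsWith("Classpath") }
            .flatMap { conf ->
                conf.incoming.resolutionResult.allComponents
                    .mapNotNull { it.moduleVersion }
                    .filter {
                        "${it.group}:${it.name}" == protobufJavalite &&
                            isOlder(it.version, fixedVersion)
                    }
                    .map { "${conf.name}: ${it.group}:${it.name}:${it.version}" }
            }
        if (offenders.isNotEmpty()) {
            throw GradleException(
                "Vulnerable protobuf-javalite resolved:\n" + offenders.joinToString("\n")
            )
        }
    }
}
```

Running the guard task in CI alongside the test suite covers both halves of the issue's request: the version stays forced, and the tests show whether the forced version breaks anything.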