Closed apupier closed 8 months ago
Hi @apupier
In #1212, we bumped jose4j to version 0.9.3, and this change is available in Box Java SDK from version 4.6.1.
If you are using an older version, please upgrade and check if the issue still remains.
Thank you.
Hum, I reported it wrongly and mixed up CVEs. Sorry. There is a new one, https://security.snyk.io/vuln/SNYK-JAVA-ORGBITBUCKETBC-6139942 , which is fixed in 0.9.4.
Hi @apupier, Java SDK with the change is now released. It should be available in Maven soon. Best, @lukaszsocha2
Is your feature request related to a problem? Please describe.
jose4j is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31582 and I have no idea if Box is vulnerable too or only affected due to a transitive dependency.
Describe the solution you'd like
It would be nice to upgrade to a newer version.
Describe alternatives you've considered
Additional context