box / box-java-sdk

The Box SDK for Java.
http://opensource.box.com/box-java-sdk/
Apache License 2.0

Upgrade jose4j to 0.9.4+ #1224

Closed apupier closed 8 months ago

apupier commented 8 months ago

Is your feature request related to a problem? Please describe.

jose4j is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31582. I have no idea if box is vulnerable too, or only affected due to a transitive dependency.

Describe the solution you'd like

It would be nice to upgrade to a newer version.

Describe alternatives you've considered

Additional context

congminh1254 commented 8 months ago

Hi @apupier

In #1212, we bumped jose4j to version 0.9.3, and this change is available in Box Java SDK from version 4.6.1.

If you are using an older version, please upgrade and check if the issue still remains.

Thank you.

apupier commented 8 months ago

Hum, I reported it wrongly and mixed up CVEs. Sorry. There is a new one, https://security.snyk.io/vuln/SNYK-JAVA-ORGBITBUCKETBC-6139942, which is fixed in 0.9.4.

lukaszsocha2 commented 8 months ago

Hi @apupier, Java SDK with the change is now released. It should be available in Maven soon. Best, @lukaszsocha2
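After upgrading the SDK, the check a practitioner wants is whether the jose4j version Maven actually resolves in their own project meets the 0.9.4 minimum named in this thread, since another dependency or a dependencyManagement entry can still pin an older one. The script below is an added example, not code from the box-java-sdk project or from anyone in this thread: it parses the output of `mvn dependency:tree` and compares the resolved jose4j version against 0.9.4. The Maven coordinates `org.bitbucket.b_c:jose4j` and `com.box:box-java-sdk` are the artifacts' real coordinates; the sample tree output, the SDK versions in it and the project name `com.example:myapp` are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of box-java-sdk): verify the jose4j version that Maven
# resolves for a project. Real usage:
#   mvn dependency:tree -Dincludes=org.bitbucket.b_c:jose4j | check_jose4j
# Here constructed sample output is used instead so the script runs offline.

# Minimum jose4j version considered fixed in this thread.
MIN_JOSE4J="0.9.4"

# version_ge A B: exit 0 if dotted version A >= B, 1 otherwise.
# Uses awk instead of `sort -V` so it works on non-GNU systems.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# Read dependency:tree output on stdin and print the resolved jose4j version.
# Tree lines look like "group:artifact:packaging:version:scope".
resolved_jose4j_version() {
  sed -n 's/.*org\.bitbucket\.b_c:jose4j:[^:]*:\([^: ]*\).*/\1/p' | head -n 1
}

# check_jose4j: exit 0 if the resolved version on stdin is >= MIN_JOSE4J,
# 1 if it is older, 2 if jose4j does not appear in the tree at all.
check_jose4j() {
  v=$(resolved_jose4j_version)
  if [ -z "$v" ]; then
    echo "jose4j not found in dependency tree" >&2
    return 2
  fi
  if version_ge "$v" "$MIN_JOSE4J"; then
    echo "jose4j $v: OK (>= $MIN_JOSE4J)"
    return 0
  fi
  echo "jose4j $v: below $MIN_JOSE4J, upgrade required" >&2
  return 1
}

# Constructed sample trees (not real mvn output): one pre-fix, one post-fix.
SAMPLE_OLD='[INFO] com.example:myapp:jar:1.0.0
[INFO] \- com.box:box-java-sdk:jar:4.5.0:compile
[INFO]    \- org.bitbucket.b_c:jose4j:jar:0.9.3:compile'

SAMPLE_NEW='[INFO] com.example:myapp:jar:1.0.0
[INFO] \- com.box:box-java-sdk:jar:4.6.2:compile
[INFO]    \- org.bitbucket.b_c:jose4j:jar:0.9.4:compile'

# Example run over both samples; the first reports an outdated jose4j.
for sample in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
  printf '%s\n' "$sample" | check_jose4j || :
done
```

Pipe real `mvn dependency:tree` output into `check_jose4j` in CI and fail the build on a non-zero status; this catches the case where the SDK was upgraded but another artifact still drags in an older jose4j.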