contentful / contentful.java

Java SDK for Contentful's Content Delivery API
https://contentful.github.io/contentful.java/
Apache License 2.0

Version of GSON used has known CVE #284

Closed jaymoid closed 1 year ago

jaymoid commented 1 year ago

Hi,

The version of GSON (2.8.5) used in this library has a known CVE https://nvd.nist.gov/vuln/detail/CVE-2022-25647

[INFO] +- com.contentful.java:java-sdk:jar:10.5.14:compile
[INFO] |  +- com.squareup.retrofit2:retrofit:jar:2.9.0:compile
[INFO] |  +- com.squareup.retrofit2:adapter-rxjava3:jar:2.9.0:compile
[INFO] |  |  \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] |  +- com.squareup.retrofit2:converter-gson:jar:2.9.0:compile
[INFO] |  +- io.reactivex.rxjava3:rxjava:jar:3.1.3:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.5:compile

Luckily, this has already been patched by the GSON team https://github.com/google/gson/pull/1991, and included in versions 2.8.9 onwards (see https://github.com/google/gson/releases).

Please can you upgrade to a compatible version that addresses this issue?

Many thanks, James
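A small check for the situation described in this issue, added here as an example and not part of the contentful.java project: it parses `mvn dependency:tree` output (the sample below is constructed from the lines quoted above) and flags any `com.google.code.gson:gson` below 2.8.9, the first release that carries the CVE-2022-25647 fix. The `MIN_FIXED_VERSIONS` table and the simplified version comparison are assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# Minimum fixed version per Maven groupId:artifactId. Only the entry from this
# issue is listed (assumption: extend it from your own advisory feed).
MIN_FIXED_VERSIONS = {
    "com.google.code.gson:gson": ("2.8.9", "CVE-2022-25647"),
}

# Constructed sample, copied from the dependency tree quoted in the issue.
SAMPLE_TREE = r"""
[INFO] +- com.contentful.java:java-sdk:jar:10.5.14:compile
[INFO] |  +- com.squareup.retrofit2:retrofit:jar:2.9.0:compile
[INFO] |  +- com.squareup.retrofit2:converter-gson:jar:2.9.0:compile
[INFO] |  +- com.squareup.okhttp3:okhttp:jar:3.12.12:compile
[INFO] |  |  \- com.squareup.okio:okio:jar:1.15.0:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.5:compile
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.8.5' -> (2, 8, 5). Trailing qualifiers such as '-jre' are dropped;
    this is deliberately simpler than Maven's full version ordering."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0
                 for p in core.split("."))


def parse_tree_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (groupId:artifactId, version) for a coordinate line, else None.
    Coordinates look like group:artifact:type[:classifier]:version:scope."""
    body = re.sub(r"^\[INFO\]\s*", "", line).lstrip("|+-\\ ").strip()
    parts = body.split(":")
    if len(parts) < 5:  # root artifact line or non-coordinate text
        return None
    return f"{parts[0]}:{parts[1]}", parts[-2]


def find_vulnerable(tree_output: str) -> List[Tuple[str, str, str, str]]:
    """Yield (coordinate, found_version, min_fixed_version, cve) for each hit."""
    findings = []
    for line in tree_output.splitlines():
        parsed = parse_tree_line(line)
        if parsed is None:
            continue
        coord, version = parsed
        if coord in MIN_FIXED_VERSIONS:
            fixed, cve = MIN_FIXED_VERSIONS[coord]
            if parse_version(version) < parse_version(fixed):
                findings.append((coord, version, fixed, cve))
    return findings


if __name__ == "__main__":
    for coord, found, fixed, cve in find_vulnerable(SAMPLE_TREE):
        print(f"{cve}: {coord} {found} < {fixed}")
```

Pipe real output in with `mvn dependency:tree | python check.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.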

rafalniski commented 1 year ago

Hey,

It's fixed in https://github.com/contentful/contentful.java/releases/tag/v.10.5.15