firebase / firebase-android-sdk

Firebase Android SDK
https://firebase.google.com
Apache License 2.0

Firebase crashlytics 19.2.1 still includes CVE-2024-7254 vulnerable library #6534

Open xiaobc-mika opened 4 hours ago

xiaobc-mika commented 4 hours ago

Hello, according to the crashlytics 19.2.1 release notes, CVE-2024-7254 was resolved by updating protobuf.

However, it seems a vulnerable version of protobuf-javalite (com.google.protobuf:protobuf-javalite:3.10.0) is shaded into androidx.datastore:datastore-preferences-core:1.0.0:

|    |    |    +--- com.google.firebase:firebase-crashlytics -> 19.2.1
|    |    |    |    +--- com.google.firebase:firebase-sessions:2.0.6
|    |    |    |    |    +--- androidx.datastore:datastore-preferences:1.0.0
|    |    |    |    |    |    \--- androidx.datastore:datastore-preferences-core:1.0.0

This is being picked up by the OWASP dependency scanner plugin, from the file /home/runner/.gradle/caches/modules-2/files-2.1/androidx.datastore/datastore-preferences-core/1.0.0/403f64499b9a8994f5f7010329ddd1ee5c919ed5/datastore-preferences-core-1.0.0.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml
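The report above illustrates why a Gradle dependency tree is not enough to confirm a CVE fix: a library that was shaded (repackaged) into another artifact's jar never shows up as a resolved coordinate, so `gradle dependencies` can show protobuf at a patched version while an old copy still ships inside `datastore-preferences-core`. What does survive is the `META-INF/maven/<group>/<artifact>/pom.xml` the Maven build left in the jar, which is exactly what OWASP dependency-check keyed on here. The script below is an added example (not code from the firebase-android-sdk project or from the reporter) that does the same check directly over jars in a Gradle cache: it reads each embedded pom, resolves groupId/version through the `<parent>` element where they are inherited, and flags protobuf-java/-javalite copies whose version falls in a vulnerable range. The version ranges in `VULNERABLE_RANGES` are my assumption of the CVE-2024-7254 affected ranges and should be confirmed against the advisory before relying on them; the sample jars are constructed in memory so the example runs offline.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import BinaryIO, Iterable, List, Optional, Tuple, Union

# Shaded libraries are invisible to Gradle's resolver, but Maven-built jars usually
# keep META-INF/maven/<group>/<artifact>/pom.xml for each library that was merged in.
POM_IN_JAR = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")

# ASSUMPTION: half-open [lo, hi) vulnerable ranges for CVE-2024-7254.
# Verify against the advisory before using this in a real pipeline.
VULNERABLE_RANGES = [
    ((3, 0, 0), (3, 25, 5)),
    ((4, 0, 0), (4, 27, 5)),
    ((4, 28, 0), (4, 28, 2)),
]


@dataclass(frozen=True)
class EmbeddedPom:
    jar: str            # jar the pom was found in
    group_id: str
    artifact_id: str
    version: str


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.10.0' -> (3, 10, 0); trailing qualifiers such as '-rc1' are ignored."""
    m = re.match(r"^(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the Maven XML namespace prefix


def _text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def parse_pom(xml_bytes: bytes) -> Tuple[str, str, str]:
    """Return (groupId, artifactId, version); groupId/version may be inherited from <parent>."""
    root = ET.fromstring(xml_bytes)
    parent = next((c for c in root if _local(c.tag) == "parent"), None)

    def pick(name: str) -> str:
        own = _text(root, name)
        inherited = _text(parent, name) if parent is not None else None
        return own or inherited or ""

    return pick("groupId"), pick("artifactId"), pick("version")


def embedded_poms(jar_name: str, source: Union[str, Path, BinaryIO]) -> List[EmbeddedPom]:
    """Every Maven pom embedded in the jar, i.e. every library shaded into it plus the jar's own."""
    found = []
    with zipfile.ZipFile(source) as zf:
        for entry in zf.namelist():
            if POM_IN_JAR.match(entry):
                gid, aid, ver = parse_pom(zf.read(entry))
                found.append(EmbeddedPom(jar_name, gid, aid, ver))
    return found


def is_vulnerable(version: str) -> bool:
    v = version_tuple(version)
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def find_vulnerable_protobuf(jars: Iterable[Tuple[str, Union[str, Path, BinaryIO]]]) -> List[EmbeddedPom]:
    """Flag shaded protobuf-java / protobuf-javalite copies in a vulnerable range."""
    hits = []
    for name, source in jars:
        for pom in embedded_poms(name, source):
            if (pom.group_id == "com.google.protobuf"
                    and pom.artifact_id.startswith("protobuf-java")
                    and is_vulnerable(pom.version)):
                hits.append(pom)
    return hits


def scan_gradle_cache(cache_dir: Union[str, Path]) -> List[EmbeddedPom]:
    """Walk a directory such as ~/.gradle/caches/modules-2/files-2.1 and report hits."""
    root = Path(cache_dir)
    return find_vulnerable_protobuf((str(p.relative_to(root)), p) for p in root.rglob("*.jar"))


def build_sample_jar(artifact_id: str, version: str) -> io.BytesIO:
    """CONSTRUCTED sample: a minimal jar whose only metadata is a shaded protobuf pom.xml."""
    pom = f"""<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>com.google.protobuf</groupId>
    <artifactId>protobuf-parent</artifactId>
    <version>{version}</version>
  </parent>
  <artifactId>{artifact_id}</artifactId>
</project>
"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/com.google.protobuf/{artifact_id}/pom.xml", pom)
        zf.writestr("androidx/datastore/preferences/PreferencesProto.class", b"")  # stand-in for shaded classes
    buf.seek(0)
    return buf


if __name__ == "__main__":
    jars = [
        ("datastore-preferences-core-1.0.0.jar", build_sample_jar("protobuf-javalite", "3.10.0")),
        ("some-other-lib.jar", build_sample_jar("protobuf-javalite", "3.25.5")),
    ]
    for hit in find_vulnerable_protobuf(jars):
        print(f"{hit.jar}: shaded {hit.group_id}:{hit.artifact_id}:{hit.version} is in a vulnerable range")
```

Point `scan_gradle_cache` at the `modules-2/files-2.1` directory of a CI runner's Gradle cache to reproduce the finding without the OWASP plugin; note that a jar whose shading step stripped `META-INF/maven` would evade this check (and dependency-check's), so an empty result is not proof of absence.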

google-oss-bot commented 4 hours ago

I found a few problems with this issue: