Details
Type: Task
Resolution: Done
Neutral
BOM 6.2.38
Description
https://nvd.nist.gov/vuln/detail/CVE-2023-33953
https://nvd.nist.gov/vuln/detail/CVE-2023-4785
The issue actually concerns the C++ implementation of gRPC; the Java implementation is unaffected: https://cloud.google.com/support/bulletins#gcp-2023-022
The vulnerable gRPC dependency comes in transitively via google-http-client > opencensus, both of which are already at their latest version at the time of writing. gRPC fixed the issue in version 1.54.3.
Preferably wait for the next google-http-client release to update its own dependencies:
https://issuetracker.google.com/issues/296826431?pli=1
[INFO] | +- info.magnolia:magnolia-module-mail:jar:5.6.1-SNAPSHOT:compile
[INFO] | | [...]
[INFO] | | +- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO] | | | +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] | | | | \- io.grpc:grpc-context:jar:1.54.1:compile
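The dependency tree above is the evidence for the triage decision. As an added example (not part of this issue or of the Magnolia code base), the script below parses `mvn dependency:tree` output, reconstructs the chain through which io.grpc:grpc-context is pulled in, and reports whether the version is older than the fixed release named above (1.54.3). The sample tree is the one quoted in the issue, re-split one artifact per line; the function names and the naive numeric version comparison are this example's own choices, not Maven's.

```python
import re

# Constructed sample: the dependency tree quoted in the issue, one artifact per line.
SAMPLE_TREE = """\
[INFO] | +- info.magnolia:magnolia-module-mail:jar:5.6.1-SNAPSHOT:compile
[INFO] | | +- com.google.http-client:google-http-client:jar:1.43.3:compile
[INFO] | | | +- io.opencensus:opencensus-api:jar:0.31.1:compile
[INFO] | | | | \\- io.grpc:grpc-context:jar:1.54.1:compile
"""

# One `mvn dependency:tree` line: "[INFO]" + tree-drawing prefix + Maven coordinates.
LINE_RE = re.compile(r"^\[INFO\]\s*(?P<prefix>[|+\\\- ]*)(?P<coords>\S+:\S+)$")


def parse_version(version):
    """'1.54.1' -> (1, 54, 1). A component with no leading digits (e.g. 'SNAPSHOT') sorts below 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else -1)
    return tuple(parts)


def split_coords(coords):
    """Return (group:artifact, version) from 'g:a:type[:classifier]:version:scope'."""
    fields = coords.split(":")
    ga = f"{fields[0]}:{fields[1]}"
    version = fields[4] if len(fields) >= 6 else fields[3]
    return ga, version


def walk_tree(tree_text):
    """Yield (path, version) per artifact; path is the group:artifact chain from the top."""
    stack = []  # (depth, group:artifact) of the current ancestors
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix = m.group("prefix")
        # Depth is derived from where the "+-" / "\-" branch marker sits in the prefix.
        marker = max(prefix.find("+-"), prefix.find("\\-"))
        depth = 0 if marker < 0 else marker // 2 + 1
        while stack and stack[-1][0] >= depth:
            stack.pop()
        ga, version = split_coords(m.group("coords"))
        stack.append((depth, ga))
        yield [node for _, node in stack], version


def find_below_fix(tree_text, target_ga, fixed_version):
    """List every occurrence of target_ga with its path and whether it predates fixed_version."""
    hits = []
    for path, version in walk_tree(tree_text):
        if path[-1] == target_ga:
            hits.append({
                "path": path,
                "version": version,
                "below_fix": parse_version(version) < parse_version(fixed_version),
            })
    return hits


if __name__ == "__main__":
    for hit in find_below_fix(SAMPLE_TREE, "io.grpc:grpc-context", "1.54.3"):
        status = "BELOW fix" if hit["below_fix"] else "ok"
        print(f"{status}: {hit['version']} via {' > '.join(hit['path'])}")
```

Run it against the real output of `mvn dependency:tree` (pipe the full text into `find_below_fix`) to see every path by which the artifact arrives; a release of google-http-client that bumps opencensus will show up as the grpc-context line moving to 1.54.3 or later.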