moip-sdk-java-le icon indicating copy to clipboard operation
moip-sdk-java-le copied to clipboard
verified publisher icon wirecardBrasil

Vulnerable shared library might make mpos-sdk vulnerable. Can you help upgrade to patch versions?

Open HelenParr opened this issue 3 years ago • 0 comments

Hi, @mbnakaya , @caiogaspar , I'd like to report a vulnerability issue in br.com.moip:mpos-sdk:7.0.1.

Issue Description

br.com.moip:mpos-sdk:7.0.1 directly or transitively depends on 20 C libraries (.so) cross many platforms(such as x86-64, x86, arm64, armhf). However, I noticed that one C library is vulnerable, containing the following CVEs:

libthirdParty.so from C project openssl(version:1.0.2o) exposed 3 vulnerabilities: CVE-2021-3712, CVE-2020-1968, CVE-2019-1552

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

HelenParr avatar Apr 26 '22 09:04 HelenParr