
Bump Adyen 3DS2 to v2.2.16+ to solve CVE-2023-33201 #1557

Closed
igortepavac opened this issue Apr 11, 2024 · 5 comments · Fixed by #1585 or #1590
Labels
Enhancement Indicates a new feature request Pending release Indicates issue is pending a release to be solved

Comments

@igortepavac

Hi, could you please update the Adyen 3DS2 dependency to v2.2.16? It contains a newer version of the Bouncy Castle library (v1.77) which contains a fix for CVE-2023-33201.

The vulnerability was already mentioned in Adyen/adyen-3ds2-android#63.

Thank you!

@igortepavac igortepavac added the Enhancement Indicates a new feature request label Apr 11, 2024
@igortepavac
Author

Additionally, would it be possible to also include the fix in the 4.x.x version? It would be helpful not to be forced to upgrade to a new major version immediately. Thank you for understanding!

@jreij
Collaborator

jreij commented Apr 12, 2024

Hi @igortepavac, thanks for reaching out! We are already working on this, we'll update this issue once we have a solution.

@tkuntubayev
Member

Hi @igortepavac,
To provide some context on CVE-2023-33201: it only applies when an LDAP directory is used, which is not the case for the 3DS2 SDK, so it does not impact it directly. The 3DS2 SDK v2.2.15 should be compatible with bouncycastle versions up to v1.77, which means it could also be updated separately from the app side.
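The "update it separately from the app side" route mentioned above can be done with a Gradle dependency constraint in the app module. The snippet below is an added example for this thread, not code from the Adyen project or from any participant; the Bouncy Castle artifact coordinates (`org.bouncycastle:bcprov-jdk18on`) are an assumption and should be confirmed against the app's actual dependency tree before the constraint is relied on.

```kotlin
// app/build.gradle.kts (Gradle Kotlin DSL) -- added example, not from the Adyen SDK.
//
// Assumption: the Bouncy Castle artifact that arrives transitively through the
// 3DS2 SDK is org.bouncycastle:bcprov-jdk18on. Confirm the real coordinates with:
//   ./gradlew :app:dependencies --configuration releaseRuntimeClasspath
// and look for the "org.bouncycastle" entries in the output.
dependencies {
    constraints {
        // A constraint raises the resolved version of a transitive dependency
        // without declaring a direct dependency on it. require() sets a lower
        // bound (a higher version elsewhere in the graph still wins); use
        // strictly("1.77") instead if the exact version must be pinned.
        implementation("org.bouncycastle:bcprov-jdk18on") {
            version { require("1.77") }
            because("CVE-2023-33201 is fixed in Bouncy Castle 1.77")
        }
    }
}
```

After applying the constraint, re-run the `dependencies` task and check that the resolved Bouncy Castle version shows `-> 1.77` (or simply `1.77`), then exercise the 3DS2 challenge flow in a test build: the SDK maintainer's statement above only covers compatibility up to v1.77, so going beyond it is untested territory.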

@OscarSpruit OscarSpruit linked a pull request Apr 26, 2024 that will close this issue
@OscarSpruit OscarSpruit added the Pending release Indicates issue is pending a release to be solved label Apr 29, 2024
@OscarSpruit OscarSpruit linked a pull request Apr 30, 2024 that will close this issue
@OscarSpruit
Contributor

@igortepavac we just released 4.13.5 to address this issue. The v5 release will follow later.

@igortepavac
Author

Thank you everyone!
