
Security: Medium severity vulnerability is detected in org.bouncycastle transitive dependency #467

Closed
rover886 opened this issue Jul 14, 2023 · 3 comments

Comments

@rover886 (Contributor):

Our project's Snyk scan started failing due to the Medium severity vulnerability below in org.bouncycastle:bcprov-jdk15to18@1.70.

Issues with no direct upgrade or patch:
✗ Information Exposure [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-5771489] in org.bouncycastle:bcprov-jdk15to18@1.70
introduced by emailconnectorapp:Implementation@1.0.0 > org.simplejavamail:smime-module@8.0.0 > org.simplejavamail:utils-mail-smime@2.0.1 > org.bouncycastle:bcjmail-jdk15to18@1.70 > org.bouncycastle:bcprov-jdk15to18@1.70 and 2 other path(s)
This issue was fixed in versions: 1.74

Though we are using smime-module version 8.0.0, I also checked version 8.1.2 (https://mvnrepository.com/artifact/org.simplejavamail/smime-module/8.1.2), which refers to org.simplejavamail » utils-mail-smime version 2.1.1, which in turn refers to org.bouncycastle » bcjmail-jdk15to18 version 1.70.

The bcjmail-jdk15to18 dependency should be upgraded to 1.75 to remove the vulnerability. Is there any plan for this fix?

@bbottema bbottema changed the title Medium severity vulnerability is detected in org.bouncycastle transitive dependency Security: Medium severity vulnerability is detected in org.bouncycastle transitive dependency Jul 14, 2023
@bbottema (Owner):

Fix released in v8.1.3. Thank you for bringing this to my attention!

@bbottema bbottema added this to the 8.1.3 milestone Jul 14, 2023
@rover886 (Contributor, Author) commented Jul 26, 2023:

Hi @bbottema, thanks for taking this on as a priority and releasing a new version really fast. After taking the new version we observed one thing and hence need your suggestion on it.

Previously, when we were using version 8.0.0 of smime-module, whose transitive dependency is bcjmail-jdk15to18 version 1.70, that JAR brought in jakarta.mail-api with the version range [2.0,3.0), due to which jakarta.mail-api version 2.1.2 was coming into our classpath.

Now, with the latest version of bcjmail-jdk15to18 (1.75), they don't have a dependency on jakarta.mail-api, and hence jakarta.mail-api is now a dependency of utils-mail-smime version 2.1.2, but it is referring to the old version 2.0.1.

In short, for the end consumer application they are downgrading jakarta.mail-api from 2.1.1 to 2.0.1. This is fine, right? Just to be sure, nothing will fail at runtime due to this downgrade? Though our tests after upgrading to version 8.1.3 don't give any error, I am still just confirming this with you.

@bbottema (Owner):

The main project, Simple Java Mail, tests extensively using Jakarta Mail 2.0.1 (including the S/MIME functionality), so that should be safe for your users to use.
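Taking the two points raised in this thread together (forcing the patched Bouncy Castle version in a consuming build, and keeping jakarta.mail-api resolvable once bcjmail-jdk15to18 1.75 stops pulling it in), here is an added example that is not part of this issue or the Simple Java Mail project: a `dependencyManagement` block in the consumer's own pom.xml. It assumes the consumer builds with Maven, that the coordinates are those in the Snyk path above, and that 1.75 (the version requested in this issue) is the target.

```xml
<!-- Added example: consumer pom.xml fragment, not from the Simple Java Mail project. -->
<!-- dependencyManagement overrides the version Maven resolves for a transitive
     artifact without turning it into a direct dependency. -->
<dependencyManagement>
  <dependencies>
    <!-- Both artifacts from the Snyk path are pinned together so bcjmail and bcprov
         stay on the same Bouncy Castle release. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcjmail-jdk15to18</artifactId>
      <version>1.75</version>
    </dependency>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk15to18</artifactId>
      <version>1.75</version>
    </dependency>
    <!-- bcjmail 1.75 no longer pulls in jakarta.mail-api (see the comment above),
         so its version is managed explicitly rather than left to whichever path
         happens to win. The version chosen here is the one the owner says the
         main project tests against. -->
    <dependency>
      <groupId>jakarta.mail</groupId>
      <artifactId>jakarta.mail-api</artifactId>
      <version>2.0.1</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- The regular dependency on smime-module stays as it was. -->
  <dependency>
    <groupId>org.simplejavamail</groupId>
    <artifactId>smime-module</artifactId>
    <version>8.0.0</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.bouncycastle` should list every org.bouncycastle artifact at 1.75; any other org.bouncycastle artifact still showing 1.70 needs the same pin so the release stays consistent.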
