question related to grpc vulnerabilities #1878

Closed
thismohsin opened this issue Sep 11, 2023 · 2 comments

Comments

@thismohsin commented Sep 11, 2023

  • The grpc-context jar comes in as a transitive dependency, as shown below; the version is flagged with CVE vulnerabilities.
  • Based on this grpc-context and Google doc, a fix is available.
  • However, this library uses an older version of the jar.
  • Is there any plan to update the dependency to use the latest version and address CVE-2023-33953 along with the other reported CVEs?
  • Would appreciate it if you can share your thoughts/plan/mitigation to address this.
+--- com.google.http-client:google-http-client:1.43.3
|    +--- org.apache.httpcomponents:httpclient:4.5.14 (*)
|    +--- org.apache.httpcomponents:httpcore:4.4.16
|    +--- com.google.code.findbugs:jsr305:3.0.2
|    +--- com.google.errorprone:error_prone_annotations:2.18.0
|    +--- com.google.guava:guava:30.1.1-android -> 31.1-jre (*)
|    +--- com.google.j2objc:j2objc-annotations:2.8
|    +--- io.opencensus:opencensus-api:0.31.1
|    |    \--- io.grpc:grpc-context:1.27.2
|    \--- io.opencensus:opencensus-contrib-http-util:0.31.1
|         +--- io.opencensus:opencensus-api:0.31.1 (*)
|         \--- com.google.guava:guava:29.0-android -> 31.1-jre (*)
@thismohsin thismohsin changed the title question related to grpc vulne question related to grpc vulnerabilities Sep 11, 2023
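The tree pasted above is the input for this kind of triage. The script below is an added example, written for this page rather than taken from the issue or from the google-http-client project: it parses the text that `gradle dependencies` prints, follows `(*)` back-references to the subtree Gradle printed in full the first time (which is how the second path to grpc-context, via opencensus-contrib-http-util, is recovered), and lists every path that pulls a named artifact in below a chosen version. The artifact `io.grpc:grpc-context`, the threshold `1.57.0` and the file name `triage.py` are demo parameters; the threshold is not a statement about which grpc-context release addresses any CVE.

```python
"""Triage `gradle dependencies` output for a flagged transitive artifact.
Added example, not code from this issue or from the google-http-client project.
The threshold version is a demo parameter, not a claim about CVE fix versions."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed input: the tree from the issue above, trimmed to the nodes that matter here.
SAMPLE_TREE = """\
+--- com.google.http-client:google-http-client:1.43.3
|    +--- org.apache.httpcomponents:httpclient:4.5.14 (*)
|    +--- com.google.guava:guava:30.1.1-android -> 31.1-jre (*)
|    +--- io.opencensus:opencensus-api:0.31.1
|    |    \\--- io.grpc:grpc-context:1.27.2
|    \\--- io.opencensus:opencensus-contrib-http-util:0.31.1
|         +--- io.opencensus:opencensus-api:0.31.1 (*)
|         \\--- com.google.guava:guava:29.0-android -> 31.1-jre (*)
"""

# Five-column indent units ("|    " or spaces), a "+---"/"\---" connector,
# group:name:declared, optional "-> resolved", optional "(*)"/"(c)"/"(n)" marker.
LINE_RE = re.compile(
    r"^(?P<indent>(?:\|    |     )*)[+\\]--- (?P<coord>\S+)"
    r"(?: -> (?P<resolved>\S+))?(?: \((?P<mark>[^)]*)\))?\s*$"
)

@dataclass
class Dep:
    group: str
    name: str
    declared: str  # version the parent asked for
    resolved: str  # version Gradle selected (equals declared when there is no arrow)
    marker: str    # "*" = subtree printed earlier, "c" = constraint, "" = none
    children: list[Dep] = field(default_factory=list)

    @property
    def coordinate(self) -> str:
        return f"{self.group}:{self.name}"

def parse_gradle_tree(text: str) -> list[Dep]:
    """Build a forest of Dep nodes; headers, blanks and other non-tree lines are skipped."""
    roots: list[Dep] = []
    stack: list[Dep] = []  # ancestors of the current line, indexed by depth
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = m.group("coord").split(":", 2)
        if len(parts) != 3:  # e.g. "project :sub" lines have no group:name:version
            continue
        group, name, declared = parts
        resolved = m.group("resolved") or declared
        if ":" in resolved:  # full coordinate after a substitution rule
            resolved = resolved.rsplit(":", 1)[1]
        dep = Dep(group, name, declared, resolved, m.group("mark") or "")
        depth = len(m.group("indent")) // 5
        del stack[depth:]
        (stack[-1].children if stack else roots).append(dep)
        stack.append(dep)
    return roots

def version_key(version: str) -> tuple[int, ...]:
    """Numeric dotted prefix, zero-padded: "31.1-jre" -> (31, 1, 0, 0).
    Qualifiers are ignored; enough for triage, not Gradle's full version ordering."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    nums = [int(x) for x in m.group(0).split(".")] if m else []
    return tuple((nums + [0, 0, 0, 0])[:4])

def walk(roots: list[Dep]):
    """Yield (dep, ancestor_path) for every node. A "(*)" node carries no children
    of its own, so its subtree is taken from the first full printing of that
    coordinate; `seen` stops a loop if such a back-reference points at an ancestor."""
    full: dict[str, Dep] = {}

    def index(nodes: list[Dep]) -> None:
        for n in nodes:
            if n.marker != "*":
                full.setdefault(n.coordinate, n)
            index(n.children)

    def visit(node: Dep, path: list[str], seen: frozenset[str]):
        yield node, path
        if node.coordinate in seen:
            return
        kids = node.children if node.marker != "*" else full.get(node.coordinate, node).children
        here = f"{node.coordinate}:{node.resolved}"
        for k in kids:
            yield from visit(k, path + [here], seen | {node.coordinate})

    index(roots)
    for r in roots:
        yield from visit(r, [], frozenset())

def find_below(roots: list[Dep], coordinate: str, fixed: str) -> list[str]:
    """Paths ending in `coordinate` resolved to a version older than `fixed`,
    rendered as "a:b:1.0 -> c:d:2.0 -> coordinate:version"."""
    want = version_key(fixed)
    return [" -> ".join(path + [f"{dep.coordinate}:{dep.resolved}"])
            for dep, path in walk(roots)
            if dep.coordinate == coordinate and version_key(dep.resolved) < want]

if __name__ == "__main__":  # pipe real `./gradlew dependencies` output in, or run on the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    print("\n".join(find_below(parse_gradle_tree(text), "io.grpc:grpc-context", "1.57.0")))
```

To run it on a real project, pipe in `./gradlew dependencies --configuration runtimeClasspath` (Gradle's own task and flag). The script judges each node by its resolved version, so a `30.1.1-android -> 31.1-jre` line is treated as 31.1-jre, which is what actually lands on the classpath; the declared version is kept on the node only for reporting.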
@suztomo (Member) commented Sep 20, 2023

Checking.

@suztomo (Member) commented Sep 20, 2023

Looking at https://nvd.nist.gov/vuln/detail/CVE-2023-33953, which links to https://www.cve.org/CVERecord?id=CVE-2023-33953, which links to https://cloud.google.com/support/bulletins#gcp-2023-022

Google identified a vulnerability in gRPC C++ Implementations prior to the 1.57 release. This was a Denial-of-Service vulnerability within the gRPC's C++ implementation. These have been fixed in the 1.53.2, 1.54.3, 1.55.2, 1.56.2, and 1.57 releases.

gRPC (C++, Python, Ruby) versions 1.53, 1.54, 1.55, and 1.56 need to upgrade to the following patch releases:

gRPC Java implementation is not affected here.

@suztomo suztomo closed this as completed Sep 20, 2023