Box Java SDK is affected by https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33201.
It comes from these dependencies:
The fixes are in these artifacts:
Note the change to the artifact IDs. The bouncy-castle release notes say this is merely a change to jar packaging, and that it requires a minimum of Java 8 instead of 1.5. There are no changes to the source code.
In our project we did this:
gradle.properties:
bouncyCastleVersion=1.77
build.gradle dependencies:
dependencies {
    // Depend on the renamed jdk18on artifacts directly, at the pinned version
    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
    implementation "org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}"
}
build.gradle dependency resolution:
configurations.all {
    // Drop the old jdk15on artifacts that box-java-sdk pulls in transitively
    exclude group: 'org.bouncycastle', module: 'bcpkix-jdk15on'
    exclude group: 'org.bouncycastle', module: 'bcprov-jdk15on'
    resolutionStrategy {
        // Pin the jdk18on artifacts so no other dependency can pull them back down
        force "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
        force "org.bouncycastle:bcprov-jdk18on:${bouncyCastleVersion}"
    }
}
All of the tests that call box-java-sdk passed, and the CVE is gone.
But it would be nice not to have to do that, and instead upgrade box-java-sdk to use the latest bouncy-castle.
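As an added example (not code from this issue or from the box-java-sdk project): a small checker for the claim that the jdk15on artifacts are really gone from the resolved classpath, which is the thing the exclude/force combination above is supposed to guarantee. It parses the text that `./gradlew dependencies --configuration runtimeClasspath` prints and flags any `org.bouncycastle` artifact that is still on the `-jdk15on` line or below a minimum version. The three dependency trees embedded in it are constructed to show the before/after shapes (including the `->` arrows Gradle prints for forced versions and substitutions); they are not captured from box-java-sdk, and the version numbers in them are illustrative. The `min_version` default of 1.77 is simply the version the post pins, not a statement about which Bouncy Castle release first fixed the CVE.

```python
import re
from typing import List, Set, Tuple

# One line of `./gradlew dependencies --configuration runtimeClasspath` output.
# Shapes handled:
#   +--- org.bouncycastle:bcprov-jdk18on:1.77
#   |    +--- org.bouncycastle:bcprov-jdk15on:1.70 -> org.bouncycastle:bcprov-jdk18on:1.77
#   |    \--- org.bouncycastle:bcprov-jdk18on:1.70 -> 1.77 (*)
COORD = r"([\w.\-]+):([\w.\-]+)(?::([\w.\-]+))?"
TREE_LINE = re.compile(
    r"^[\s|+\\]*---\s+" + COORD + r"(?:\s+->\s+(\S+))?(?:\s+\([*cn]\))?\s*$"
)

Artifact = Tuple[str, str, str]  # (group, name, version)


def resolved_artifacts(tree_text: str) -> Set[Artifact]:
    """Return the set of (group, name, version) Gradle actually resolved.

    A '-> X' suffix overrides the declared coordinate: X is either a bare
    version (forced or conflict-resolved) or a full group:name:version
    (dependency substitution). Header, legend and blank lines are ignored.
    """
    found: Set[Artifact] = set()
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        group, name, version, target = m.groups()
        if target:
            parts = target.split(":")
            if len(parts) == 3:
                group, name, version = parts
            else:
                version = target
        if version is None:
            continue  # malformed line: do not guess a version
        found.add((group, name, version))
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Compare on numeric components only, so 1.77 > 1.70 and 1.77 > 1.7."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def legacy_or_old_bouncycastle(tree_text: str, min_version: str = "1.77") -> List[Artifact]:
    """Flag Bouncy Castle artifacts that defeat the fix: anything still on the
    old '-jdk15on' line, or a jdk18on artifact below min_version (assumption:
    min_version is the version you have pinned, 1.77 as in the post)."""
    flagged = []
    for group, name, version in resolved_artifacts(tree_text):
        if group != "org.bouncycastle":
            continue
        if name.endswith("-jdk15on") or version_key(version) < version_key(min_version):
            flagged.append((group, name, version))
    return sorted(flagged)


# Constructed sample trees (not real box-java-sdk output).
BEFORE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.box:box-java-sdk:4.0.0
|    +--- org.bouncycastle:bcprov-jdk15on:1.70
|    +--- org.bouncycastle:bcpkix-jdk15on:1.70
|    |    \\--- org.bouncycastle:bcprov-jdk15on:1.70
|    \\--- com.eclipsesource.minimal-json:minimal-json:0.9.5
\\--- org.bouncycastle:bcprov-jdk18on:1.77

(*) - Indicates repeated occurrences of a transitive dependency subtree.
"""

# After the exclude + force from the post: jdk15on is gone, jdk18on is pinned.
AFTER_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.box:box-java-sdk:4.0.0
|    \\--- com.eclipsesource.minimal-json:minimal-json:0.9.5
+--- org.bouncycastle:bcpkix-jdk18on:1.77
|    +--- org.bouncycastle:bcprov-jdk18on:1.77
|    \\--- org.bouncycastle:bcutil-jdk18on:1.77
|         \\--- org.bouncycastle:bcprov-jdk18on:1.77
\\--- org.bouncycastle:bcprov-jdk18on:1.77
"""

# What a dependency-substitution rule plus force prints instead: the arrows.
SUBSTITUTED_TREE = """\
+--- com.box:box-java-sdk:4.0.0
|    +--- org.bouncycastle:bcprov-jdk15on:1.70 -> org.bouncycastle:bcprov-jdk18on:1.77
|    \\--- org.bouncycastle:bcpkix-jdk15on:1.70 -> org.bouncycastle:bcpkix-jdk18on:1.77
\\--- org.bouncycastle:bcprov-jdk18on:1.70 -> 1.77
"""

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_TREE), ("after", AFTER_TREE), ("substituted", SUBSTITUTED_TREE)):
        print(label, legacy_or_old_bouncycastle(tree) or "clean")
```

In CI this is run against the real `./gradlew dependencies --configuration runtimeClasspath` output (pipe it into the script or read it from a file) and the build is failed on a non-empty list; checking the resolved tree rather than the declared dependencies is what catches a transitive jdk15on artifact that a later dependency bump quietly reintroduces.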