Giters

bbottema / simple-java-mail

Simple API, Complex Emails (Jakarta Mail smtp wrapper)

Home Page:http://www.simplejavamail.org

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Security: Medium severity vulnerability is detected in org.bouncycastle transitive dependency

rover886 opened this issue · comments

commented

Our project's snyk scan started failing due to below Medium severity vulnerability in org.bouncycastle:bcprov-jdk15to18@1.70.

Issues with no direct upgrade or patch:
✗ Information Exposure [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-5771489] in org.bouncycastle:bcprov-jdk15to18@1.70
introduced by emailconnectorapp:Implementation@1.0.0 > org.simplejavamail:smime-module@8.0.0 > org.simplejavamail:utils-mail-smime@2.0.1 > org.bouncycastle:bcjmail-jdk15to18@1.70 > org.bouncycastle:bcprov-jdk15to18@1.70 and 2 other path(s)
This issue was fixed in versions: 1.74

Though we are using smime-module version 8.0.0 but I also checked for version 8.1.2 (https://mvnrepository.com/artifact/org.simplejavamail/smime-module/8.1.2) which refers to org.simplejavamail » utils-mail-smime version 2.1.1 which further refers to org.bouncycastle » bcjmail-jdk15to18 version 1.70.

bcjmail-jdk15to18 dependency should be upgraded to 1.75 to remove the vulnerability. Is there any plan for this fix?

commented

Fix released in v8.1.3. Thank you for bringing this to my attention!

commented

Hi @bbottema Thanks for taking this on priority and releasing a new version really fast. After taking new version we observed one thing and hence need your suggestion on that.

Previously when we are using version 8.0.0 of smime-module of which transitive dependency is bcjmail-jdk15to18 version 1.70, this JAR brings jakarta.mail-api of version mentioned as [2.0,3.0) due to which jakarta.mail-api version 2.1.2 was coming in our classpath.

Now with latest version of bcjmail-jdk15to18 version 1.75 they don't have dependency on jakarta.mail-api and hence now jakarta.mail-api is dependency of utils-mail-smime version 2.1.2 but it is referring to old version 2.0.1.

In short for end consumer application they degrading jakarta.mail-api from 2.1.1 to 2.0.1. This fine right? Just to be sure nothing will fail at runtime due to this degradation? Though our tests after upgrading to version 8.1.3 doesn't give any error but still just confirming this with you.

commented

The main project, Simple Java Mail, tests extensively using Jakarta Mail 2.0.1 (including the S/MIME functionality), so that should be safe for your users to use.