Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Library Show "Attack Complexity: HIGH", "Attack Vector: NETWORK" And "Integrity Impact: HIGH" #55

Open
DXSpring opened this issue Sep 7, 2023 · 1 comment
Open

Library Show "Attack Complexity: HIGH", "Attack Vector: NETWORK" And "Integrity Impact: HIGH" #55

DXSpring opened this issue Sep 7, 2023 · 1 comment

Comments

@DXSpring
Copy link

DXSpring commented Sep 7, 2023

Cx8fd408ac-dd80 8.1 Inclusion of Functionality from Untrusted Control Sphere vulnerability pending CVSS allocation

I Search About Error:
https://devhub.checkmarx.com/cve-details/Cx8fd408ac-dd80/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea
@immortaly007
Copy link

immortaly007 commented Jun 10, 2024
edited
Loading

The issue comes from the dependency on google xzing 3.4.0, a QR code library, which depends on the vulnerable library (JCommander). Google xzing has an update available in which this issue is resolved, and (at least for my use case) didn't cause any issues.

There is a pull request for this repo doing similar dependency updates.

I added the following to my build.gradle.kts below the line importing this totp library to resolve the issue:

    // Add xzing 3.5.3 to override the (security vulnerable) dependency of totp-spring-boot-starter above
    implementation("com.google.zxing:javase:3.5.3")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@immortaly007 @DXSpring