workspace-ONE-SDK-integration-samples

Update the openssl dependency to avoid problems with vulnerabilities

Open novikov1337danil opened this issue 1 year ago • 1 comments

Describe the bug

I'm using your integration package for Flutter v24.2.0. When scanning the application for vulnerabilities, they tell me that the [email protected] library has several vulnerabilities: CVE-2023-5678, CVE-2018-16395, CVE-2016-7798.

Scan details

[images]

Reproduction steps

  1. Integrate your SDK package into the Flutter application
  2. Scan the application for vulnerabilities (for example using the https://ostorlab.co/ service)
  3. See that the application will have several vulnerabilities (including those related to openssl with high risk, but it would be useful to look at the others, which are of lower priority)

Expected behavior

Using a newer version of the openssl dependency, which is not subject to vulnerabilities

P.S. I didn't find how I can send this report to you in the "security" section, or by email, so I'm leaving it here

novikov1337danil, Mar 18 '24 19:03

@novikov1337danil - we are on OpenSSL 1.0.2zi, we have analyzed that the vulnerabilities (High and Medium) reported above are not impacting the flow that we use from the OpenSSL library.

Maddy79, Mar 19 '24 07:03