cybersource-sdk-java

Critical vulnerability found in nested dependency

Open jeff-knurek opened this issue 8 months ago • 0 comments

By using [email protected], that library is importing commons-logging/[email protected] which then has a very old version of log4j in use, with several critical vulnerabilities. The current one that is being raised by our SBOM scanning is https://www.cve.org/CVERecord?id=CVE-2020-9493

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

The latest httpclient4 version seems to be 4.5.14, which doesn't address the commons-logging library version, but you can maybe try upgrading to httpclient5: https://mvnrepository.com/artifact/org.apache.httpcomponents.client5/httpclient5
NOTE: these log4j vulnerabilities are classified as Critical, which for PCI compliance has a 30-day expected resolution. As a payment provider, I hope that this might help escalate the attention on this issue 🤞

jeff-knurek · Mar 24 '25 12:03