
Potential security vulnerabilities in the shared library which J2V8 depends on. Can you help upgrade to patch versions?

Open · HelenParr opened this issue 3 years ago · 1 comment

Hi, @irbull , @drywolf , I'd like to report a vulnerability issue in com.eclipsesource.j2v8:j2v8:linux_x86_64_4.8.0.

Issue Description

com.eclipsesource.j2v8:j2v8:linux_x86_64_4.8.0 depends on 1 C library (.so). However, I noticed that the C library is vulnerable, containing the following CVEs:

libj2v8_linux_x86_64.so from C project openssl(version:1.0.2j) exposed 4 vulnerabilities: CVE-2021-3712, CVE-2020-1968, CVE-2017-3738, CVE-2019-1552

Suggested Vulnerability Patch Versions

openssl has fixed the vulnerabilities in versions >=1.1.1l

Java build tools cannot report vulnerable C libraries, which may induce potential security issues to many downstream Java projects. Could you please upgrade the above shared libraries to their patch versions?

Thanks for your help~ Best regards, Helen Parr

HelenParr, Apr 22 '22 13:04
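The gap the report describes (Java dependency scanners see the jar coordinates, not the OpenSSL statically linked into the bundled .so) can be partly closed by inspecting the native libraries inside the jar for the version banner OpenSSL embeds in its binaries. This is an added example, not code from the J2V8 project or from this thread; the jar contents are constructed in memory, and it assumes the banner has the usual "OpenSSL x.y.z<letter>  <date>" form:

```python
import io
import re
import zipfile

# OpenSSL embeds a banner such as "OpenSSL 1.0.2j  26 Sep 2016" in every build;
# the regex captures only the version token. (Assumed banner format.)
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def version_key(v):
    """Turn '1.0.2j' into a sortable tuple (1, 0, 2, 'j'); the letter suffix sorts last."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def find_bundled_openssl(jar_bytes):
    """Return {entry_name: version} for each native library in the jar that carries an OpenSSL banner."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith((".so", ".dll", ".dylib")):
                continue
            m = OPENSSL_BANNER.search(jar.read(name))
            if m:
                found[name] = m.group(1).decode()
    return found


def below_fixed(version, fixed="1.1.1l"):
    """True when the bundled version predates the first fixed version named in the report."""
    return version_key(version) < version_key(fixed)


def build_sample_jar():
    """Constructed sample jar: a stand-in .so carrying the banner of a statically linked OpenSSL 1.0.2j.
    These are not real J2V8 bytes, only enough ELF-looking content to exercise the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("libj2v8_linux_x86_64.so",
                     b"\x7fELF" + b"\x00" * 64 + b"OpenSSL 1.0.2j  26 Sep 2016\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, ver in find_bundled_openssl(build_sample_jar()).items():
        status = "VULNERABLE (below 1.1.1l)" if below_fixed(ver) else "ok"
        print(f"{entry}: OpenSSL {ver} -> {status}")
```

The banner check is a heuristic: a build that strips or patches the version string will not be caught, so treat a match as evidence of a bundled OpenSSL and a miss as inconclusive.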

J2V8 has dropped support for Windows/Linux/Mac for years. You won't be able to get any updates if you wish for a security patch.

I would suggest you try https://github.com/caoccao/Javet/.

caoccao, Apr 22 '22 22:04