
The known vulnerability in the shared library ffmpeg which NIM_Android_SDK depends on. Can you help upgrade to patch versions?

Status: Open. HelenParr opened this issue 3 years ago • 0 comments

Hi, @winniexuwen , @yunxinusecase , I'd like to report a vulnerability issue in com.netease.nimlib.flutter:nrtc:8.6.5.

Issue Description

com.netease.nimlib.flutter:nrtc:8.6.5 directly or transitively depends on 12 C libraries (.so) across many platforms (such as x86-64, x86, arm64, armhf). However, I noticed that some of these C libraries are vulnerable, containing the following CVEs:

libnrtc_sdk.so from the C project ffmpeg (version: 4.2.1) exposes 10 vulnerabilities: CVE-2021-38093, CVE-2021-38094, CVE-2020-20898, CVE-2020-20892, CVE-2021-38092, CVE-2021-38090, CVE-2021-38091, CVE-2020-20902, CVE-2020-20896, CVE-2020-20891

Suggested Vulnerability Patch Versions

ffmpeg has fixed the vulnerabilities in versions >=4.4.1.

Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please upgrade the above shared libraries to their patched versions?

Thanks for your help~

Best regards,
Helen Parr

HelenParr · Apr 20 '22 13:04
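The reporter's point that Java build tools do not see vulnerable native libraries can be checked directly on the artifact itself. The Python below is an added example, not code from the NIM SDK or from the reporter: it opens an AAR/JAR/APK (all plain zip files), searches each bundled .so for an FFmpeg version banner, and flags anything below the 4.4.1 fix version the issue cites. The banner regex, the sample archive and its `jni/arm64-v8a/` paths are assumptions constructed for the demo; real builds may strip or vary the banner, so a missing match is "unknown", not "safe".

```python
import io
import re
import zipfile
from typing import Dict, List, Optional, Tuple

# FFmpeg builds usually embed a banner such as "ffmpeg version 4.2.1 ..." or
# "FFmpeg version n4.4.2"; relying on it is an assumption of this example.
FFMPEG_VERSION_RE = re.compile(rb"ffmpeg version n?(\d+\.\d+(?:\.\d+)?)", re.IGNORECASE)
FIXED_VERSION = (4, 4, 1)  # first patched release named in the issue above


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically."""
    return tuple(int(p) for p in text.split("."))


def ffmpeg_version_in_blob(blob: bytes) -> Optional[str]:
    """Return the first FFmpeg version banner found in a binary, if any."""
    match = FFMPEG_VERSION_RE.search(blob)
    return match.group(1).decode() if match else None


def scan_archive(archive: bytes) -> Dict[str, Optional[str]]:
    """Map every bundled .so in an AAR/JAR/APK to its detected FFmpeg version."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name.endswith(".so"):
                found[name] = ffmpeg_version_in_blob(zf.read(name))
    return found


def vulnerable_libs(archive: bytes) -> List[Tuple[str, str]]:
    """List (path, version) for libraries whose FFmpeg is older than the fix."""
    return [(path, ver) for path, ver in scan_archive(archive).items()
            if ver is not None and parse_version(ver) < FIXED_VERSION]


def build_sample_aar() -> bytes:
    """Constructed sample AAR (not a real NIM SDK artifact): fake ELF blobs
    with embedded FFmpeg banners, one vulnerable and one patched."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("jni/arm64-v8a/libnrtc_sdk.so",
                    b"\x7fELF" + b"\x00" * 12 + b"ffmpeg version 4.2.1 Copyright\x00")
        zf.writestr("jni/arm64-v8a/libother.so",
                    b"\x7fELF" + b"\x00" * 12 + b"FFmpeg version n4.4.2\x00")
        zf.writestr("classes.jar", b"not a native library")
    return buf.getvalue()
```

Running `vulnerable_libs(open("nrtc-8.6.5.aar", "rb").read())` against a downloaded artifact is the same call on real input.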