
Snyk: snowflake-ingest-java org.bouncycastle:bcprov-jdk18on 1.78 | Snyk ID - SNYK-JAVA-ORGBOUNCYCASTLE-6277381

Open github-actions[bot] opened this issue 10 months ago • 1 comments

Title: Snyk: snowflake-ingest-java org.bouncycastle:bcprov-jdk18on 1.78
Additional information on Snyk can be found here: https://snyk.io/org/snowflakedb-sca-scanning-public-repo/project/decdb8fe-6a6d-465d-9e89-84aa34efb781
Repo: snowflake-ingest-java
CVE:
Package Type: java
Package Name: org.bouncycastle:bcprov-jdk18on
Package Version: 1.78
Snyk ID: SNYK-JAVA-ORGBOUNCYCASTLE-6277381
Vulnerability URL: http://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6277381
Severity: medium
Introduced Date: 2024-03-04
Projects with Vulnerability: snowflakedb/snowflake-ingest-java:pom.xml
Target File: pom.xml
JIRA Ticket: https://snowflakecomputing.atlassian.net/browse/SNOW-1334457

github-actions[bot] avatar Apr 18 '24 00:04 github-actions[bot]

We already upgraded to 1.7.8, but the CVE is not updated to indicate that is the fixed version: https://github.com/bcgit/bc-java/issues/1528

sfc-gh-xhuang avatar Apr 18 '24 05:04 sfc-gh-xhuang

This problem has no released version that solves it, including the latest 1.78 that solved some other issues.

sfc-gh-azagrebin avatar Apr 19 '24 13:04 sfc-gh-azagrebin

The problem is fixed in 1.78 and 1.78.1. It is going to be a while before any CVEs are updated. Mitre is currently having internal issues, apparently due to a data breach, and our last request for a CVE-ID for the 1.78 release is still pending; that's over 3 weeks now.

CVE-2024-30171 will be updated to show 1.78 as the fix release.

dghgit avatar Apr 21 '24 02:04 dghgit

Fixed in https://github.com/snowflakedb/snowflake-ingest-java/pull/752

sfc-gh-lsembera avatar May 07 '24 08:05 sfc-gh-lsembera