Security: Medium severity vulnerability is detected in org.bouncycastle transitive dependency

[rover886]

Our project's snyk scan started failing due to below Medium severity vulnerability in org.bouncycastle:bcprov-jdk15to18@1.70.

Issues with no direct upgrade or patch:
✗ Information Exposure [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-5771489] in org.bouncycastle:bcprov-jdk15to18@1.70
introduced by emailconnectorapp:Implementation@1.0.0 > org.simplejavamail:smime-module@8.0.0 > org.simplejavamail:utils-mail-smime@2.0.1 > org.bouncycastle:bcjmail-jdk15to18@1.70 > org.bouncycastle:bcprov-jdk15to18@1.70 and 2 other path(s)
This issue was fixed in versions: 1.74

Though we are using smime-module version 8.0.0 but I also checked for version 8.1.2 (https://mvnrepository.com/artifact/org.simplejavamail/smime-module/8.1.2) which refers to org.simplejavamail » utils-mail-smime version 2.1.1 which further refers to org.bouncycastle » bcjmail-jdk15to18 version 1.70.

bcjmail-jdk15to18 dependency should be upgraded to 1.75 to remove the vulnerability. Is there any plan for this fix?

[bbottema]

Fix released in v8.1.3. Thank you for bringing this to my attention!

[rover886]

Hi @bbottema Thanks for taking this on priority and releasing a new version really fast. After taking new version we observed one thing and hence need your suggestion on that.

Previously when we are using version 8.0.0 of smime-module of which transitive dependency is bcjmail-jdk15to18 version 1.70, this JAR brings jakarta.mail-api of version mentioned as [2.0,3.0) due to which jakarta.mail-api version 2.1.2 was coming in our classpath.

Now with latest version of bcjmail-jdk15to18 version 1.75 they don't have dependency on jakarta.mail-api and hence now jakarta.mail-api is dependency of utils-mail-smime version 2.1.2 but it is referring to old version 2.0.1.

In short for end consumer application they degrading jakarta.mail-api from 2.1.1 to 2.0.1. This fine right? Just to be sure nothing will fail at runtime due to this degradation? Though our tests after upgrading to version 8.1.3 doesn't give any error but still just confirming this with you.

[bbottema]

The main project, Simple Java Mail, tests extensively using Jakarta Mail 2.0.1 (including the S/MIME functionality), so that should be safe for your users to use.