Description
Multiple outdated dependencies with publicly known vulnerabilities, including multiple high- and medium-risk vulnerabilities, were identified in the Java SDK. The open-source snyk tool was used to automatically audit each module. Due to time constraints and ease of remediation, exploitability of these issues within the context of the SDK was not manually reviewed.
A list of Java SDK modules and their vulnerable dependencies is provided below:

Exploit Scenario
An attacker identifies vulnerable dependencies by observing the public GitHub repository of the SDK, then crafts malicious requests (HTTP, event, etc.) that are processed by SDK APIs in order to exploit these issues.
Recommendations
Short term, upgrade all outdated third-party dependencies used in the SDK.
Long term, outdated and vulnerable dependencies should be automatically and continuously flagged as part of the CI/CD pipeline. Alternatively, developers can configure GitHub Actions workflows (or Dependabot) that warn them when new security updates are available for dependencies.
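The following is an added example of the long-term recommendation, not configuration from the SDK repository: a Dependabot configuration that opens pull requests for Maven dependency updates, and a GitHub Actions workflow that runs the same snyk tool used in this audit on every push, pull request and on a weekly schedule so that newly published advisories surface without a code change. It assumes a Maven-based multi-module layout rooted at the repository top level and a `SNYK_TOKEN` repository secret; the branch name, Java version and severity threshold are placeholders to adjust per project.

```yaml
# .github/dependabot.yml (added example; assumes Maven modules under the repository root)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of concurrent update PRs so the queue stays reviewable
    open-pull-requests-limit: 10
---
# .github/workflows/dependency-audit.yml (added example; assumes a SNYK_TOKEN secret)
name: dependency-audit
on:
  push:
    branches: [main]          # placeholder: the project's default branch
  pull_request:
  schedule:
    - cron: "0 6 * * 1"       # weekly run catches advisories published after the last commit
jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"  # placeholder: match the SDK's build JDK
      - name: Audit every Maven module with snyk
        uses: snyk/actions/maven@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # --all-projects scans each module's pom.xml, mirroring the per-module audit in this finding;
          # the step fails (and blocks the PR) when a medium or higher severity issue is found
          args: --all-projects --severity-threshold=medium
```

With branch protection requiring the `audit` job to pass, a pull request that introduces or retains a vulnerable dependency cannot be merged, which turns the one-off audit in this finding into a continuous control. Dependabot then handles the short-term remediation path by proposing the version bumps that make the job green again.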