CVE-2022-24823 onespan Java sdk
Tuesday, June 27, 2023 at 01:26pm
The OneSpan Java SDK (sdk-11.51-jar-with-dependencies.jar) contains a version of netty (4.1.74.Final) that has the security vulnerability CVE-2022-24823. The sdk-11.51.jar has references to it, and our company (and clients) won't allow it to be deployed with security vulnerabilities.
Netty has it patched from Version 4.1.77.Final onwards.
Can we get a build with the netty patches or is there something else we can do to work around the issue?
Reply to: CVE-2022-24823 onespan Java sdk
Tuesday, June 27, 2023 at 02:10pm
Hi Kevin,
Thanks for reporting this to us!
I'd like to create a support ticket on your behalf and escalate it to the R&D team.
The 11.51 SDK source code is hosted in this Git branch. You can modify the POM file and make your own Maven build; however, it's not really recommended to do so.
Duo