
2 vulnerabilities found in dependency: #423

Open
qeinz opened this issue Jul 5, 2024 · 2 comments

Comments

@qeinz

qeinz commented Jul 5, 2024

image

any fixes?

@rogermb
Collaborator

rogermb commented Jul 5, 2024

Hi @qeinz

Both of these CVEs are in the version of bouncycastle that sshj pulls in, but it looks like there's not much to worry about here:

  • CVE-2023-33201:

    [...] The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. [...]

    We don't use anything related to LDAP, so we're not affected here.

  • CVE-2023-33202:

    This CVE states that it's possible to cause an OutOfMemoryError if you parse a specially-crafted certificate. So it's not even a real security vulnerability, just a possible denial-of-service, and that would only be possible if you're connecting to untrusted TeamSpeak servers using SSH, which you're probably not doing anyway.

I think it's okay to ignore these 2 CVEs for now. I do want to update sshj to a newer version and release a new version of the TS3 API some time soon, but it looks like the current version of sshj, 0.38.0, still uses a version of bouncycastle that has some CVEs in it. Thus, I think it's better if we wait for 0.39.0 to be released, which should ship with clean bouncycastle dependencies 😄

(And yes, I do know that I could just version-manage the bouncycastle dependencies, but I really don't want to bother if there's no real reason for it)
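The "version-manage the bouncycastle dependencies" option mentioned above, shown as an added Gradle (Kotlin DSL) example; this is not code from the TS3 API project or from sshj. It pins the Bouncy Castle artifacts that sshj pulls in transitively so a dependency scanner sees the version you chose rather than the one sshj declares. Assumptions: the project builds with Gradle, sshj 0.38.0 (the version named in the thread) depends on the `bcprov-jdk18on` and `bcpkix-jdk18on` artifacts, and `<PATCHED_VERSION>` is a placeholder for a Bouncy Castle release that your scanner reports as clean.

```kotlin
// build.gradle.kts (added example, not the project's own build file)
dependencies {
    // sshj version taken from the thread above
    implementation("com.hierynomus:sshj:0.38.0")

    // Constraints let the root project decide the version of a transitive
    // dependency without declaring a direct dependency on it.
    // Artifact IDs are an assumption about what sshj 0.38.0 pulls in;
    // <PATCHED_VERSION> is a placeholder, not a real release number.
    constraints {
        implementation("org.bouncycastle:bcprov-jdk18on") {
            version { strictly("<PATCHED_VERSION>") }
            because("override the transitive Bouncy Castle version from sshj " +
                    "(scanner flagged CVE-2023-33201 / CVE-2023-33202)")
        }
        implementation("org.bouncycastle:bcpkix-jdk18on") {
            version { strictly("<PATCHED_VERSION>") }
            because("keep bcpkix aligned with the pinned bcprov version")
        }
    }
}
```

After changing the build file, run `./gradlew dependencyInsight --dependency org.bouncycastle` to confirm which version was selected and why. `strictly` rejects any other version that appears in the dependency graph, so the build will fail loudly if another library insists on a conflicting Bouncy Castle version, which is preferable to silently shipping the older one.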

@qeinz
Author

qeinz commented Jul 5, 2024

Alright, thanks for the information 🙏
