Outdated package in gecko-dev/mobile/android/fenix/plugins/apksize/build.gradle
Categories
(Firefox for Android :: General, defect)
People
(Reporter: u771097, Unassigned)
Details
(Keywords: reporter-external)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Steps to reproduce:
Open the build.gradle file located in mobile/android/fenix/plugins/apksize/
Review the list of included packages.
Identify the outdated and vulnerable packages, specifically:
org.json:json:20210307
Actual results:
The build.gradle contains outdated versions of packages with known security vulnerabilities, including:
1. Allocation of Resources Without Limits or Throttling
2. Denial of Service (DoS)
Links:
1. https://nvd.nist.gov/vuln/detail/CVE-2023-5072
2. https://nvd.nist.gov/vuln/detail/CVE-2022-45688
In Maven, 20210307 has 2 vulnerabilities.
Link to Maven: https://mvnrepository.com/artifact/org.json/json/20210307
Expected results:
The version must be upgraded to the newest, which is 20250107.
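As an added example, not part of the bug report and not code from the Fenix repository: a small Python checker that parses Gradle dependency coordinates out of a build.gradle, finds the org.json:json pin, and reports which of the two advisories cited above still apply to that version. The build.gradle text below is constructed for illustration. The per-CVE fixed-in versions are an assumption taken from the upstream advisories, not something stated on this page; verify them against the NVD links before relying on the result.

```python
import re

# Versions from the bug report: what the build file pins and what the reporter asks for.
REPORTED_VERSION = "20210307"
REQUESTED_VERSION = "20250107"

# Advisories cited in the report. ASSUMPTION: the fixed_in versions are not stated
# on the bug page; they are taken from the upstream advisories and must be verified
# against the NVD entries linked above.
ADVISORIES = {
    "CVE-2022-45688": {"fixed_in": "20230227",
                       "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45688"},
    "CVE-2023-5072": {"fixed_in": "20231013",
                      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5072"},
}

# Constructed build.gradle fragment for illustration (not the real Fenix file).
SAMPLE_BUILD_GRADLE = """
plugins { id 'java-gradle-plugin' }
dependencies {
    implementation "org.json:json:20210307"
    implementation group: 'com.android.tools.build', name: 'gradle', version: '8.0.0'
    // implementation "org.json:json:20250107"
}
"""

# Gradle string notation:  implementation "group:artifact:version"
STRING_DEP = re.compile(r"""['"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['"]""")
# Gradle map notation:     implementation group: 'g', name: 'a', version: 'v'
MAP_DEP = re.compile(
    r"""group:\s*['"]([\w.\-]+)['"]\s*,\s*name:\s*['"]([\w.\-]+)['"]"""
    r"""\s*,\s*version:\s*['"]([\w.\-]+)['"]""")


def parse_dependencies(gradle_text):
    """Return (group, artifact, version) tuples for each dependency line.

    Commented-out lines are skipped so a stale pin left in a comment does not
    produce a false finding.
    """
    deps = []
    for line in gradle_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        match = STRING_DEP.search(stripped) or MAP_DEP.search(stripped)
        if match:
            deps.append(match.groups())
    return deps


def is_older(version, fixed_in):
    """org.json uses date-stamped versions (YYYYMMDD), so numeric comparison is sound.

    A version that is not purely numeric (e.g. a SNAPSHOT) cannot be judged and is
    treated as affected, which is the conservative choice for an audit.
    """
    if not version.isdigit():
        return True
    return int(version) < int(fixed_in)


def audit_org_json(gradle_text):
    """Map each org.json:json version pinned in the file to the CVEs still affecting it."""
    findings = {}
    for group, artifact, version in parse_dependencies(gradle_text):
        if (group, artifact) != ("org.json", "json"):
            continue
        findings[version] = [cve for cve, adv in ADVISORIES.items()
                             if is_older(version, adv["fixed_in"])]
    return findings


def main():
    for version, cves in audit_org_json(SAMPLE_BUILD_GRADLE).items():
        status = "affected by " + ", ".join(cves) if cves else "not affected by the cited CVEs"
        print(f"org.json:json:{version}: {status}; report asks for {REQUESTED_VERSION}")


if __name__ == "__main__":
    main()
```

The numeric comparison is specific to org.json's date-stamped scheme; for artifacts that use semantic versions you would compare parsed version tuples instead of integers.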
Comment 1•7 months ago
This is something we run in automation on code that is in our repository. If an attacker can control what is in our repository, we have bigger problems than a random performance analyzer, so I'm going to unhide this.
Comment 2•6 months ago
The severity field is not set for this bug.
:boek, could you have a look please?
For more information, please visit BugBot documentation.
Comment 3•6 months ago
The Bugbug bot thinks this bug should belong to the 'Firefox for Android::Browser Engine' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Comment 4•3 months ago
The severity field is not set for this bug.
:calu, could you have a look please?
For more information, please visit BugBot documentation.