Receiving security vulnerability in JAVA SDK 1.23.1

Abhinav_Verma · September 22, 2024, 2:58pm

We are receiving snyk vulnerabilities from JAVA SDK 1.23.1. Following are the listed vulnerability

Protobuf-java-util ( 3.22.0 )
Protobuf-java ( 3.21.7 )
So currently we are receiving vulnerability from above dependencies. Snyk is suggesting to use version greater than 3.25.5 but excluding from temporal-sdk and using it explicitly is not working. How to overcome above issue ?

tihomir · October 13, 2024, 9:33am

Could you link associated CVEs for these vulnerabilities?

excluding from temporal-sdk and using it explicitly is not working

this should be possible, can you show your pom/gradle config and how you tried to exclude depends?

Topic		Replies	Views
Vulnerability detected by Snyk in Go SDK Community Support go-sdk	0	579	October 12, 2023
Temporal-sdk java issue with protobuf versioning Community Support	4	204	August 6, 2024
Java SDK: class io.temporal.api.workflowservice.v1.GetSystemInfoRequest tried to access private field com.google.protobuf.AbstractMessage.memoizedSize Community Support	2	235	June 10, 2024
Java sdk upgrade compilation failure Community Support java-sdk	4	844	November 17, 2023
Upgrade out of CVEs Community Support python-sdk , general-impl	1	122	June 3, 2024