Our Android application is facing issues related to identified security vulnerabilities within the stripe-3ds2-android library, which includes outdated dependencies: nimbus-jose-jwt and Bouncy Castle. These vulnerabilities may lead to potential Denial of Service (DoS) attacks as highlighted by CVE-2023-52428 and CVE-2023-33202.
Installation method
via Gradle dependency
kotlin: 1.9.10
stripe-android: 21.0.1
Gradle: 8.7
Other information
The security vulnerabilities are resolved in:
• nimbus-jose-jwt: Version 9.37.2
• Bouncy Castle: Version 1.73
We're in the middle of recertifying our 3DS2 implementation (which is where these dependencies come into play). I've updated the dependencies here: #9611
In the meantime, you can update to the latest versions in your build.gradle, which will remove these warnings for you.
Once certification is complete (and we release out of this repo), this will all be handled automatically for you.
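One way to apply the interim workaround from the reply above, as an added example that is not part of the original thread or Stripe's own code: Gradle dependency constraints that raise the two transitive libraries to the fixed versions named in the issue. The Bouncy Castle artifact name `bcprov-jdk15to18`, the `app` module name and the `releaseRuntimeClasspath` configuration are assumptions; check them against your own dependency tree.

```groovy
// app/build.gradle (module name "app" is an assumption)
dependencies {
    // Version reported in the issue.
    implementation 'com.stripe:stripe-android:21.0.1'

    // Constraints only affect modules that are already in the graph
    // (here, pulled in transitively through stripe-3ds2-android).
    // They set a minimum: Gradle's conflict resolution still picks a
    // newer version if another dependency requests one.
    constraints {
        implementation('com.nimbusds:nimbus-jose-jwt:9.37.2') {
            because 'CVE-2023-52428 is resolved in 9.37.2'
        }
        // Assumption: the Bouncy Castle provider arrives as bcprov-jdk15to18.
        // If dependencyInsight shows a different org.bouncycastle artifact,
        // constrain that coordinate instead.
        implementation('org.bouncycastle:bcprov-jdk15to18:1.73') {
            because 'CVE-2023-33202 is resolved in 1.73'
        }
    }
}

// Verify what actually resolves after the change:
//   ./gradlew :app:dependencyInsight --configuration releaseRuntimeClasspath --dependency nimbus-jose-jwt
//   ./gradlew :app:dependencyInsight --configuration releaseRuntimeClasspath --dependency org.bouncycastle
// The selected versions should be at or above the constraint, and the
// "because" text appears as the selection reason.
```

Remove the constraints once the SDK release that carries the updated dependencies is adopted, so the pins do not hold the libraries back later.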
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-52428
https://nvd.nist.gov/vuln/detail/CVE-2023-33202