Overriding the vulnerable version of bouncy castle

rapid7 · Nov 6, 2024 · ff97642 · ff97642
1 parent 92c0b69
commit ff97642
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/pom.xml b/pom.xml
@@ -44,7 +44,8 @@
    </distributionManagement>
 
    <properties>
-      <thirdparty.commons-io.version>2.7</thirdparty.commons-io.version>
+      <thirdparty.bouncycastle.version>1.78.1</thirdparty.bouncycastle.version>
+      <thirdparty.commons-io.version>2.14.0</thirdparty.commons-io.version>
       <thirdparty.commons-lang3.version>3.4</thirdparty.commons-lang3.version>
       <thirdparty.guava.version>33.0.0-jre</thirdparty.guava.version>
       <thirdparty.hamcrest.version>1.3</thirdparty.hamcrest.version>
@@ -59,6 +60,13 @@
    </properties>
 
    <dependencies>
+     <!-- the version of bouncycastle in smbj is vulnerable     -->
+     <dependency>
+       <groupId>org.bouncycastle</groupId>
+       <artifactId>bcprov-jdk18on</artifactId>
+       <version>${thirdparty.bouncycastle.version}</version>
+       <scope>runtime</scope>
+     </dependency>
       <!-- 3rdparty dependencies. -->
       <dependency>
          <groupId>commons-io</groupId>