Closed
Description
Hello, according to the Crashlytics 19.2.1 release notes, CVE-2024-7254 was resolved by updating protobuf.
However, it seems a vulnerable version of protobuf-javalite, com.google.protobuf:protobuf-javalite:3.10.0,
is shaded into androidx.datastore:datastore-preferences-core:1.0.0
```
| | | +--- com.google.firebase:firebase-crashlytics -> 19.2.1
| | | | +--- com.google.firebase:firebase-sessions:2.0.6
| | | | | +--- androidx.datastore:datastore-preferences:1.0.0
| | | | | | \--- androidx.datastore:datastore-preferences-core:1.0.0
```
This is being picked up by the OWASP dependency scanner plugin, from the file:

```
File Path: /home/runner/.gradle/caches/modules-2/files-2.1/androidx.datastore/datastore-preferences-core/1.0.0/403f64499b9a8994f5f7010329ddd1ee5c919ed5/datastore-preferences-core-1.0.0.jar/META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml
```
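A shaded dependency like the one reported above does not appear as its own node in the Gradle dependency tree, so a finding of this kind has to be confirmed from the JAR contents. The following is an added example, not part of the original issue or of any Firebase or AndroidX code: it lists the Maven coordinates of every `pom.xml` bundled under `META-INF/maven/` in a JAR. The function names and the sample JAR are assumptions constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

# Bundled Maven metadata sits at META-INF/maven/<groupId>/<artifactId>/pom.xml
POM_PATH = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.xml$")


def embedded_coordinates(jar):
    """List (groupId, artifactId, version) for each pom.xml bundled in a JAR.

    `jar` is a path or a binary file object. A module POM may inherit its
    version, so fall back to <parent><version> when <version> is absent.
    """
    found = []
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = POM_PATH.match(name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            # "{*}" (Python 3.8+) matches the tag in any or no XML namespace.
            version = (root.findtext("{*}version")
                       or root.findtext("{*}parent/{*}version") or "unknown")
            found.append((m.group(1), m.group(2), version.strip()))
    return sorted(found)


def build_sample_jar():
    """Constructed sample JAR (not a real artifact) bundling a dependency POM."""
    pom = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><parent>'
           "<groupId>com.google.protobuf</groupId>"
           "<artifactId>protobuf-parent</artifactId>"
           "<version>3.10.0</version></parent>"
           "<artifactId>protobuf-javalite</artifactId></project>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Placeholder.class", b"")
        zf.writestr("META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml", pom)
    return buf


if __name__ == "__main__":
    for group, artifact, version in embedded_coordinates(build_sample_jar()):
        print(f"{group}:{artifact}:{version}")
```

Pointing `embedded_coordinates` at a JAR in the Gradle cache shows which bundled coordinates a scanner will match, which helps decide whether the fix belongs in the direct dependency or in the library that shades it.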