This does not seem to apply to gRPC Java as that one is a separate codebase.
1.48 does not seem to have this specific vulnerability it is no longer maintained and will not receive fixes if any new issues are discovered. We would recommend you to switch to a more current gRPC version. On Tuesday, August 29, 2023 at 8:28:25 AM UTC-7 Josef Cacek wrote: > Hi, > > Could someone shed light on the affected versions for CVE-2023-32731? > > - The NVD says 1.53.0<=X<1.55.0 ( > https://nvd.nist.gov/vuln/detail/CVE-2023-32731) > - The GHSA says X<1.53.0 including Maven, Pip, and Ruby artifacts ( > https://github.com/advisories/GHSA-cfgp-2977-2fmm) > - The ruby-advisory says X<1.53.1 ( > > https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grpc/CVE-2023-32731.yml > ) > - The Release notes for 1.54.2 say the version contains fixes for the > CVE. (https://github.com/grpc/grpc/releases/tag/v1.54.2) > > If we use version 1.48.0 (grpc-java, and grpcio PIP module) are we > affected? If so, what is the recommended version for upgrade? 1.55.0? > > > Thank you, > > > -- Josef Cacek > -- You received this message because you are subscribed to the Google Groups "grpc.io" group. To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/6aa88fe0-bbe4-4a7d-9b2b-c0106750cf26n%40googlegroups.com.
