Hi team,
We have been alerted by our security scanning service that the Square In-App Payments Buyer Verification SDK contains a transitive dependency with a known critical security vulnerability.
Specifically, the vulnerability originates from the Bouncy Castle cryptography library pulled in by the Netcetera 3DS SDK.
Here is the exact dependency path identified in our build:
com.squareup.sdk.in-app-payments:buyer-verification:1.6.8
└─ buyer-verification-internals:1.6.8
└─ com.netcetera.android-3dssdk:3ds-sdk:2.5.1.0
└─ org.bouncycastle:bcprov-jdk15to18:1.77 ← Vulnerable Version
Could you please pass this along to your engineering team so an updated version of the buyer-verification SDK can be released to resolve these critical vulnerabilities?
Thanks