Android buyer verification SDK contains critical vulneralbility

Hi team,

We have been alerted by our security scanning service that the Square In-App Payments Buyer Verification SDK contains a transitive dependency with a known critical security vulnerability.
Specifically, the vulnerability originates from the Bouncy Castle cryptography library pulled in by the Netcetera 3DS SDK.

Here is the exact dependency path identified in our build:

com.squareup.sdk.in-app-payments:buyer-verification:1.6.8
└─ buyer-verification-internals:1.6.8
└─ com.netcetera.android-3dssdk:3ds-sdk:2.5.1.0
└─ org.bouncycastle:bcprov-jdk15to18:1.77 ← Vulnerable Version

Could you please pass this along to your engineering team so an updated version of the buyer-verification SDK can be released to resolve these critical vulnerabilities?

Thanks

Thank you! I am flagging this with our engineering team now and will report back to you shortly.

Hey @ashley-square , do you have any updates regarding the above?

Confirmed this will be corrected in our next release but I don’t yet have timing. Thank you again for flagging this.