Hi, guys.
I just found two components with vulnerabilities in the Unity Editor (2021.3.34f1) using Black Duck scanning. The following are the components and their CVE identifiers:
Curl:
- CVE-2023-46218
- CVE-2023-38545

mbed_tls:
- CVE-2023-52353
- CVE-2024-28960
- CVE-2023-43615

I also checked the third-party notice of the latest 2021 version (actually I only checked version 37, as the latest version 43 doesn’t have any TPN), but the component versions of curl and mbed_tls are the same.
And here are my questions:
- When will the curl and mbed_tls in Unity Editor 2021 be updated to the latest versions, which are curl 8.9.1 and mbed_tls 3.6.0? Is there any plan for that?
- Since my work involves dealing with the replacement of many vulnerable components, who should I contact next time I encounter a similar issue to get it resolved quickly?
- Is there any way I can replace the vulnerable components of Unity Editor by myself?