Vulnerable components are found in current Unity Editor

Hi, guys.
I just found two components with vulnerabilities in the Unity Editor (2021.3.34f1) using Black Duck scanning. The following are the components and their CVE identifiers:
Curl:
CVE-2023-46218
CVE-2023-38545

mbed_tls:
CVE-2023-52353
CVE-2024-28960
CVE-2023-43615

And I also checked the third party notice of the latest 2021 version (actually I only checked version 37, as the latest version 43 doesn't have any TPN), but the component versions of curl and mbed_tls are the same.

And here are my questions:

  1. When will the curl and mbed_tls in Unity Editor 2021 be updated to the latest versions, which are curl 8.9.1 and mbed_tls 3.6.0? Is there any plan for that?
  2. Since my work involves dealing with the replacement of many vulnerable components, who should I contact next time I encounter a similar issue to get it resolved quickly?
  3. Is there any way I can replace the vulnerable components of Unity Editor by myself?

Changelogs state libcurl got updated to 8.5.0 in 2021.3.35f1, which takes care of the curl issues, and mbedtls got updated to 2.28.7 in 2021.3.38f1 which deals with CVE-2023-43615 but not the others.

Check Unity’s security page for information on reporting.

I can only comment regarding curl vulnerabilities:
CVE-2023-46218 should be fixed, latest Unity versions use curl 8.5.0
CVE-2023-38545 should be fixed too, as that one is listed as fixed in 8.4.0

Thanks for the support. I will then go for help from Unity support related to these uncovered vulnerability issues.

Thanks. The latest version should work on the curl-related vulnerability.

And could you also tell me where to check this third party notice? Because I can only find this TPN for some relatively old versions. The TPN info for the latest version is always empty in the version info.

Help → Software Licenses.