Security Policy

Reporting a Vulnerability

To report a Security issue, you can :

For more details, please look at :

Only Leshan library is concerned. The demos are not covered.

Version	Supported
2.x	✔️
1.x	✔️

Note: ℹ️ 1.x version depends on californium 2.x version where support is not clear.
See : https://github.com/eclipse/californium/security/policy

List of version which are not affected by known vulnerability.

Version
2.0.0-M13 +	✔️
1.5.0 +	✔️

This is an exhaustive list of known security issue affecting leshan library :

CVE/ID	Leshan version concerned	artifacts	Affect
CVE-2023-41034 GHSA-wc9j-gc65-3cm7	2.0.0-M1 -> 2.0.0-M12 1.0.0 -> 1.4.2	leshan-core	if you parse untrusted DDF files (e.g. if they let external users provide their own model),

This is a not exhaustive list of security issue from Leshan dependencies which could affect Leshan :

CVE/ID	Leshan version concerned	Source	Affect
CVE-2022-39368	2.0.0-M1 -> 2.0.0-M8 1.0.0 -> 1.4.1	californium/scandium	any DTLS usage
CVE-2022-2576	2.0.0-M1 -> 2.0.0-M7 1.0.0 -> 1.4.0	californium/scandium	DTLS_VERIFY_PEERS_ ON_RESUMPTION_THRESHOLD > 0
GHSA-fj2w-wfgv-mwq6	2.0.0-M2 -> 2.0.0-M4	com.upokecenter.cbor	CBOR or SenML-CBOR decoding
CVE-2020-27222	1.1.0 -> 1.3.1	californium/scandium	DTLS with x509 and/or RPK
CVE-2021-34433	2.0.0-M1 -> 2.0.0-M4 1.0.0 -> 1.3.1	californium/scandium	DTLS with x509 and/or RPK

Note: We strongly encourage you to switch last safe Leshan version, but for vulnerability caused by a dependency :

then you could try to just update the dependency to a safe compatible version without upgrading Leshan.

This is a not exhaustive list of JVM security issue which could affect common Leshan usages.

Dependency	Affected Version	Usage	Vulnerability	More Information
JDK / JCE	<= 15.0.2? <= 16.0.2? < 17.0.3 < 18.0.1	Cipher Suite based on ECDSA	ECDSA CVE-2022-21449	eclipse-leshan#1243