A2A Cspmclient.jar flagged as vulnerable in customer's security scan


Article ID: 382065


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

In an A2A 4.12.3 install, a customer's security scanner flagged our cspmclient.jar as vulnerable. This jar is consumed within custom A2A Java code and is flagged as vulnerable to command injection, cross-site scripting and weak crypto.

Environment

A2A 4.12.3

Resolution

The three kinds of vulnerabilities reported by the customer's security scanner were reviewed by development, who advised that the jar is NOT vulnerable to any of them:

  1. Command injection: The command injection is reported in a class called ProcessPatch. This class checks whether a new version of the client is available and downloads it. To do so it compares the version of the client present on the file system with the client version present on the server. It executes commands to check the current version on the file system and, afterwards, to upgrade the binaries. These commands do not contain anything that a user enters; they only use information from the A2A configuration file and the installation path. Therefore this cannot be exploited.
  2. Cross-site scripting: This vulnerability is reported in the script service class files, such as HttpRequestScript, which take aliasname and bypassCache as input, retrieve credentials and send an HTML response to the calling software. This response includes the userId and password. These details are retrieved from the server. It does not have any user input and is not vulnerable.
  3. Weak crypto: This vulnerability is reported in the ClientSecurityManagerNonJniImpl class file. It uses the AES algorithm without any qualifier and also the MD5 message digest. This class is used in a service class called NonJniScriptService, a servlet that serves requests from the client. The Java program should be using the NonJniCspmClient class to send requests to this service class. If the customer is using NonJniCspmClient they will not be impacted, so double-check your code and see whether any Java program is consuming the ClientSecurityManagerNonJniImpl class.
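The last item asks customers to check whether any of their own Java code consumes the ClientSecurityManagerNonJniImpl class. The scanner below is an added example, not code from this article or from the A2A client: it parses the constant pool of each compiled .class file (loose on disk or packed inside a .jar) and reports which classes reference that name. The package prefix of the class is not given in the article, so it matches on the simple class name only; a copy of the class itself (for example inside the vendor jar) is excluded so only consumers are reported. The build_sample_class helper produces constructed, non-loadable class files purely to demonstrate the scan offline.

```python
"""Find which compiled Java classes reference a given class by parsing the
constant pool of each .class file. Added example; not part of the article."""
from __future__ import annotations
import struct
import sys
import zipfile
from pathlib import Path

# Class named in the article; package prefix unknown here, so match the simple name.
TARGET_CLASS = "ClientSecurityManagerNonJniImpl"

# Constant-pool tag -> payload size for entries we only need to skip over.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def class_references(data: bytes) -> tuple[str, set[str]]:
    """Return (this class's internal name, internal names of every class the
    constant pool refers to, e.g. 'java/lang/Object')."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    count = struct.unpack_from(">H", data, 8)[0]   # constant_pool_count
    pos = 10
    utf8: dict[int, str] = {}
    class_idx: dict[int, int] = {}                 # CONSTANT_Class slot -> Utf8 slot
    slot = 1
    while slot < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                               # CONSTANT_Utf8
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            utf8[slot] = data[pos:pos + n].decode("utf-8", "replace")
            pos += n
        elif tag == 7:                             # CONSTANT_Class
            class_idx[slot] = struct.unpack_from(">H", data, pos)[0]
            pos += 2
        elif tag in _FIXED:
            pos += _FIXED[tag]
            if tag in (5, 6):                      # Long/Double take two slots
                slot += 1
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        slot += 1
    this_class = struct.unpack_from(">H", data, pos + 2)[0]   # after access_flags
    names = {utf8[i] for i in class_idx.values() if i in utf8}
    return utf8.get(class_idx.get(this_class, -1), "?"), names


def _simple_name(internal: str) -> str | None:
    """'[Lcom/x/Foo;' -> 'Foo'; primitive arrays such as '[I' -> None."""
    if internal.startswith("["):
        internal = internal.lstrip("[")
        if not (internal.startswith("L") and internal.endswith(";")):
            return None
        internal = internal[1:-1]
    return internal.rsplit("/", 1)[-1]


def consumers_in(blobs: dict[str, bytes], simple_name: str = TARGET_CLASS) -> list[str]:
    """Labels of class files in `blobs` that reference `simple_name`, excluding
    the class itself so an extracted vendor jar is not reported as a consumer."""
    hits = []
    for label, data in sorted(blobs.items()):
        try:
            this_name, refs = class_references(data)
        except ValueError as exc:
            print(f"skipping {label}: {exc}", file=sys.stderr)
            continue
        if _simple_name(this_name) == simple_name:
            continue
        if any(_simple_name(r) == simple_name for r in refs):
            hits.append(label)
    return hits


def collect_class_files(root: Path) -> dict[str, bytes]:
    """Gather .class files under `root`, including those packed in .jar files."""
    blobs = {}
    for path in root.rglob("*"):
        if path.suffix == ".class":
            blobs[str(path.relative_to(root))] = path.read_bytes()
        elif path.suffix == ".jar" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as jar:
                for entry in jar.namelist():
                    if entry.endswith(".class"):
                        blobs[f"{path.relative_to(root)}!{entry}"] = jar.read(entry)
    return blobs


def build_sample_class(this_name: str, referenced: list[str]) -> bytes:
    """Constructed test input: a minimal, non-loadable class file whose
    constant pool names `this_name` and each entry of `referenced`."""
    pool, slots, class_slots = b"", 0, []
    for name in [this_name, *referenced]:
        enc = name.encode()
        pool += struct.pack(">BH", 1, len(enc)) + enc      # Utf8 entry
        slots += 1
        pool += struct.pack(">BH", 7, slots)               # Class entry -> that Utf8
        slots += 1
        class_slots.append(slots)
    pool += struct.pack(">BQ", 5, 42)                      # a Long, to exercise two-slot entries
    slots += 2
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, slots + 1)
    # access_flags, this_class, super_class, then empty interface/field/method/attribute tables
    tail = struct.pack(">HHHHHHH", 0x0021, class_slots[0], class_slots[-1], 0, 0, 0, 0)
    return header + pool + tail


if __name__ == "__main__":
    if len(sys.argv) > 1:                                  # scan a real build directory
        blobs = collect_class_files(Path(sys.argv[1]))
    else:                                                  # otherwise use constructed samples
        blobs = {
            "Consumer.class": build_sample_class("com/example/Consumer", ["java/lang/Object", TARGET_CLASS]),
            "Clean.class": build_sample_class("com/example/Clean", ["java/lang/Object", "[Ljava/lang/String;"]),
        }
    for hit in consumers_in(blobs):
        print(f"{hit} references {TARGET_CLASS}")
```

Run it as `python scan.py path/to/your/build` against the compiled output of the custom A2A Java code; a reference shows up only if a class file's constant pool names the target, which covers direct instantiation, static calls and field or method descriptors but not reflection by string name, so a grep of sources for the class name is a useful complement.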