
Security vulnerability issue for GAM API version 5.1.0 #262

@KarthikkumarS3

Description

Hi Team,
Creating this issue based on the conversation below in the Google Ad Manager API Forum. Please review the conversation and fix the issue. Thanks!

Conversation link - https://groups.google.com/g/google-doubleclick-for-publishers-api/c/SWJtKCQY04M


Hi Team,

We are using the GAM API for automation testing, and Snyk is used to check for vulnerabilities/issues in the code. After upgrading the API version from 4.18.0 to 5.1.0 for the dependencies below, we are getting a few security risks. Can you please review and fix those issues? Please let us know if you have any other suggestions.

Dependency used:

com.google.api-ads ads-lib 5.1.0
com.google.api-ads dfp-axis 5.1.0

Vulnerability details:

org.apache.httpcomponents:httpclient Information Exposure
Fixed in
org.apache.httpcomponents:httpclient@4.1
Exploit maturity
NO KNOWN EXPLOIT
Detailed paths
Introduced through: com.paramount.qetech:qetech-ads...@1.0.32 › com.google.api-ads:dfp-...@4.19.0 › com.google.api-ads:ads-li...@4.19.0 › com.google.http-client:google-ht...@1.23.0 › org.apache.httpcomponents:httpc...@4.0.1
Security information

More details are available at the conversation link above.

  1. org.apache.httpcomponents:httpclient Directory Traversal

Introduced through
com.google.api-ads:dfp-...@4.19.0
Fixed in
org.apache.httpcomponents:httpc...@4.5.3
Exploit maturity
NO KNOWN EXPLOIT
Detailed paths
Introduced through: com.paramount.qetech:qetech-ads...@1.0.32 › com.google.api-ads:dfp-...@4.19.0 › com.google.api-ads:ads-li...@4.19.0 › com.google.http-client:google-ht...@1.23.0 › org.apache.httpcomponents:httpc...@4.0.1
Security information

More details are available at the conversation link above.


Response from Google Ad manager support :

Hi,

Thank you for contacting the Ad Manager API support team.

Based on the information provided, I understand that after upgrading the API version, you are noticing vulnerabilities/issues in the code. Could you please provide us with the following details:
  1. UserService.getCurrentUser (if unable, you may just provide the email address used to make API requests).
  2. Complete SOAP request and response logs from the API (SOAP logging must be enabled).
  3. Network code.
  4. Client library which you are using.
You can send the details via the "Reply privately to the author" option, or by direct private reply to this email.


Reply for above response:

Hi,
Thank you for the response.
 
To add more clarity to this issue, we are NOT noticing any vulnerabilities/issues in the code. Tests are working fine. But, in my organization, we have the Snyk tool to highlight security vulnerability issues in the client libraries/dependencies used. This Snyk tool is highlighting the above issues in the client library 'com.google.api-ads:dfp-axis@5.1.0'. This is the Java - Maven client library.

The com.google.api-ads:dfp-axis@5.1.0 client library is using another dependency, version 'org.apache.httpcomponents:httpclient@4.0.1', which has issues. The Snyk tool is suggesting that the version needs to be upgraded to 'org.apache.httpcomponents:httpclient@4.5.3' to fix these issues. Please review and let us know your suggestions.


After this GAM API support team asked to create an issue here. Please let us know if more information is required on this.
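The reporter's findings say the flagged httpclient 4.0.1 arrives transitively (dfp-axis › ads-lib › google-http-client › httpclient) and that Snyk's suggested fix version is 4.5.3. Until the upstream library bumps that dependency, the standard Maven remedy is to pin the transitive version from your own pom.xml with dependencyManagement and then verify what actually resolves. The following is an added example written for this issue, not code from the google-ads-java project or from the reporter. The artifact coordinates and versions are the ones named in the issue; the project coordinates (com.example) are placeholders, and it is an assumption that httpclient 4.5.3 stays API-compatible with what google-http-client 1.23.0 calls, so run your test suite after applying the override.

```xml
<!-- Added example for this issue; not the project's own pom and not the reporter's.
     Assumption: httpclient 4.5.3 is API-compatible with google-http-client 1.23.0. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder project coordinates (hypothetical). -->
  <groupId>com.example</groupId>
  <artifactId>gam-automation-tests</artifactId>
  <version>1.0.0</version>

  <dependencyManagement>
    <dependencies>
      <!-- Override the transitive httpclient that ads-lib pulls in via google-http-client.
           Maven's dependency management wins over any version declared by a transitive
           dependency, so 4.0.1 is replaced by the version Snyk reports as fixed. -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The two Ad Manager client-library artifacts named in the issue. -->
    <dependency>
      <groupId>com.google.api-ads</groupId>
      <artifactId>ads-lib</artifactId>
      <version>5.1.0</version>
    </dependency>
    <dependency>
      <groupId>com.google.api-ads</groupId>
      <artifactId>dfp-axis</artifactId>
      <version>5.1.0</version>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient`: the only httpclient node under the com.google.api-ads path should now be 4.5.3 (adding `-Dverbose=true` shows which version was managed away). A Snyk rescan after the override should no longer report the two httpclient findings; if it still does, the scanner is reading the library's published POM rather than your resolved tree, and the only lasting fix is for the client library itself to raise its google-http-client/httpclient versions, which is what this issue asks for.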
