This repository has been archived by the owner on May 30, 2024. It is now read-only.
We are using an OWASP scan to check for dependency security vulnerabilities. The java-server-sdk:4.12.0 version has a shaded com.squareup.okhttp3:okhttp:3.8.1 client. The scan raises an issue with CVE-2018-20200.
We have a strict policy regarding suppressing vulnerabilities.
Do you plan to update the okhttp3 library in java-server-sdk in the near future?
Yes— however, it's unclear that updating OkHttp makes any real difference. While the linked CVE page mentions a maximum version of 3.12.0 for this issue, it doesn't look like there were any changes made for this in 3.12.1 or any later version; the discussion on the corresponding GitHub issue concluded that there was no action to take, since this theoretical attack would require having such a degree of control over the device and the application that the attacker would be able to interfere with network traffic no matter what OkHttp did. This is why the CVE page describes it as "disputed".
So, while we can and will update the OkHttp version to 3.12.10 in the next release, that is really just on general principle and doesn't necessarily mean this aspect of OkHttp's behavior has changed at all. Since the CVE was defined with an upper limit of 3.12.0 (I'm still not sure why— possibly that's just the highest version that they had tested at that time, and it looks like someone was planning to update the entry but never got around to it), that will probably make your scanner stop complaining, but I just wanted to be clear that this is probably arbitrary and we do not think there was a meaningful vulnerability.
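The thread turns on two facts a practitioner would want to verify independently of any scanner: which OkHttp version is actually bundled inside the shaded SDK jar, and whether that version falls inside the range the CVE entry lists (3.12.0 as the upper bound, per the reply above). The following is an added example, not code from this repository or from the reporter, that reads the Maven metadata a shaded jar carries under META-INF/maven/ and flags a bundled OkHttp at or below 3.12.0. It assumes the shading step kept the pom.properties entries (the same evidence dependency scanners rely on); the jar it inspects is constructed in memory for the example, not the real SDK artifact.

```python
import io
import re
import zipfile

# Threshold taken from the discussion above: the CVE entry lists 3.12.0 as the
# highest affected OkHttp version, so anything at or below it is reported.
AFFECTED_GROUP = "com.squareup.okhttp3"
AFFECTED_ARTIFACT = "okhttp"
AFFECTED_MAX = (3, 12, 0)

# Maven metadata path that survives shading when META-INF/maven/ is retained (assumption).
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(text):
    """Turn '3.12.10' into (3, 12, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def shaded_dependencies(jar_bytes):
    """Return {'group:artifact': version} for every pom.properties bundled in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            match = POM_PROPS.match(name)
            if not match:
                continue
            props = {}
            for line in jar.read(name).decode("utf-8").splitlines():
                line = line.strip()
                # pom.properties is a simple key=value file with '#' comments
                if line and not line.startswith("#") and "=" in line:
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            group = props.get("groupId", match.group(1))
            artifact = props.get("artifactId", match.group(2))
            if "version" in props:
                found[f"{group}:{artifact}"] = props["version"]
    return found


def okhttp_findings(jar_bytes):
    """List (coordinate, version) pairs whose bundled OkHttp is at or below AFFECTED_MAX."""
    target = f"{AFFECTED_GROUP}:{AFFECTED_ARTIFACT}"
    findings = []
    for coordinate, version in shaded_dependencies(jar_bytes).items():
        if coordinate == target and parse_version(version) <= AFFECTED_MAX:
            findings.append((coordinate, version))
    return findings


def build_sample_jar(okhttp_version):
    """Constructed stand-in for a shaded SDK jar; only the Maven metadata entries matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            f"META-INF/maven/{AFFECTED_GROUP}/{AFFECTED_ARTIFACT}/pom.properties",
            f"#Generated by Maven\nversion={okhttp_version}\n"
            f"groupId={AFFECTED_GROUP}\nartifactId={AFFECTED_ARTIFACT}\n",
        )
        # A second, unrelated bundled library, to show the filter only reports OkHttp
        jar.writestr(
            "META-INF/maven/com.example/other-lib/pom.properties",
            "version=1.0.0\ngroupId=com.example\nartifactId=other-lib\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("3.8.1", "3.12.10"):
        print(ver, okhttp_findings(build_sample_jar(ver)))
```

Comparing parsed tuples rather than strings matters for exactly the version mentioned in the reply: as strings, "3.12.10" sorts below "3.12.2", so a naive comparison would keep flagging the updated jar. Running this against the real shaded artifact, rather than the constructed one, is what turns a scanner alert into a confirmed bundled-version fact that can be cited when deciding whether a finding is actionable.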