This repository has been archived by the owner on May 30, 2024. It is now read-only.

CVE-2018-20200 okhttp3 library security vulnerability #187

Closed
makowalski opened this issue Mar 20, 2020 · 2 comments

Comments

makowalski commented Mar 20, 2020

We are using an OWASP scan to check dependencies for security vulnerabilities.
The java-server-sdk:4.12.0 version has a shaded com.squareup.okhttp3:okhttp:3.8.1 client. The scan raises an issue with CVE-2018-20200.

We have a strict policy for suppressing vulnerabilities.
Are you considering updating the okhttp3 library in java-server-sdk in the near future?

eli-darkly (Contributor) commented Mar 20, 2020

Yes. However, it's unclear that updating OkHttp makes any real difference. While the linked CVE page mentions a maximum version of 3.12.0 for this issue, it doesn't look like there were any changes made for this in 3.12.1 or any later version; the discussion on the corresponding GitHub issue concluded that there was no action to take, since this theoretical attack would require having such a degree of control over the device and the application that the attacker would be able to interfere with network traffic no matter what OkHttp did. This is why the CVE page describes it as "disputed".

So, while we can and will update the OkHttp version to 3.12.10 in the next release, that is really just on general principle and doesn't necessarily mean this aspect of OkHttp's behavior has changed at all. Since the CVE was defined with an upper limit of 3.12.0 (I'm still not sure why; possibly that's just the highest version that they had tested at that time, and it looks like someone was planning to update the entry but never got around to it), that will probably make your scanner stop complaining, but I just wanted to be clear that this is probably arbitrary and we do not think there was a meaningful vulnerability.

LaunchDarklyCI pushed a commit that referenced this issue Mar 20, 2020: "miscellaneous config fixes and test improvements"

makowalski (Author) commented
Thank you for the quick response. I tested java-server-sdk:4.12.1, and everything is OK now.
The OWASP scan doesn't complain any more.
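The thread turns on which okhttp version is actually shaded inside the SDK jar, which is what the dependency scanner keys on. The script below is an added example, not code from the issue or from the LaunchDarkly SDK: it reads the Maven `pom.properties` files that a shade plugin usually leaves under `META-INF/maven/` (this is an assumption about how the jar was built) and reports whether the embedded okhttp falls within the version range the CVE entry lists (up to and including 3.12.0, per the discussion above). The jar it inspects is constructed in memory, so it runs offline; point `shaded_artifacts` at real jar bytes to audit an actual build.

```python
# Added example: audit the Maven metadata a shade plugin embeds in a jar to
# find which library versions are bundled. Not part of the original issue.
import io
import zipfile


def parse_pom_properties(text):
    """Parse the key=value lines of a Maven pom.properties file into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no data
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def version_tuple(version):
    """Turn '3.12.10' into (3, 12, 10) so versions compare numerically.

    A plain string comparison would wrongly rank '3.9.0' above '3.12.0'.
    Non-numeric suffixes (e.g. '-rc1') are ignored for the affected piece.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def shaded_artifacts(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(jar.read(name).decode("utf-8", "replace"))
                key = (props.get("groupId"), props.get("artifactId"))
                if all(key):
                    found[key] = props.get("version", "")
    return found


def check_okhttp(jar_bytes, max_affected="3.12.0"):
    """True if the shaded okhttp is within the CVE's listed range, False if newer,
    None if no okhttp metadata is embedded at all (the scanner could not match it)."""
    version = shaded_artifacts(jar_bytes).get(("com.squareup.okhttp3", "okhttp"))
    if version is None:
        return None
    return version_tuple(version) <= version_tuple(max_affected)


def build_sample_jar(okhttp_version):
    """Constructed sample jar: only the Maven metadata a scanner keys on, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(
            "META-INF/maven/com.squareup.okhttp3/okhttp/pom.properties",
            "#Generated by Maven\nversion=%s\ngroupId=com.squareup.okhttp3\n"
            "artifactId=okhttp\n" % okhttp_version,
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs mirroring the two SDK builds discussed in the thread.
    for v in ("3.8.1", "3.12.10"):
        flagged = check_okhttp(build_sample_jar(v))
        print("okhttp %s -> %s" % (v, "flagged" if flagged else "not flagged"))
```

Run it on a real artifact with `shaded_artifacts(open("sdk.jar", "rb").read())` to list every bundled library and version; that output is also the evidence to attach to a suppression entry if your policy requires one for a disputed CVE.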
