Dependency-check is reporting a vulnerability (has been for a while, but I didn't get around to reporting it) in okio, via okhttp. Our partial dependency tree:
Dependency-check output:

**[CVE-2023-3635](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3635)**

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

- CWE-681 Incorrect Conversion between Numeric Types
- CVSSv3: Base Score HIGH (7.5); Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
- References:
  - MISC - https://github.com/square/okio/commit/81bce1a30af244550b0324597720e4799281da7b
  - MISC - https://research.jfrog.com/vulnerabilities/okio-gzip-source-unhandled-exception-dos-xray-523195/
  - OSSINDEX - [[CVE-2023-3635] CWE-681: Incorrect Conversion between Numeric Types](https://ossindex.sonatype.org/vulnerability/CVE-2023-3635?component-type=maven&component-name=com.squareup.okio%2Fokio&utm_source=dependency-check&utm_medium=integration&utm_content=8.4.0)
  - OSSIndex - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3635
  - OSSIndex - https://github.com/square/okio/pull/1280
- Vulnerable Software & Versions: [cpe:2.3:a:squareup:okio:*:*:*:*:*:*:*:* versions up to (excluding) 3.4.0](https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=cpe%3A%2Fa%3Asquareup%3Aokio)
The folks at okhttp don't seem to want to roll a release to update their okio dependency. We can of course all do it in our own projects, but maybe it would be nice for minio-java to override this dependency to okio 3.5.0?
Thank you for your consideration!
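For a consuming project that cannot wait on okhttp or minio-java, the transitive okio version can be pinned in the project's own build. This is an added example and not minio-java's build file; the minio version is a placeholder, and the okio-jvm entry is included because okio 3.x resolves to that artifact on the JVM.

```xml
<project>
  <!-- Added example (not minio-java's own pom.xml): force the transitive
       okio artifacts to a release at or above the fixed version (3.4.0). -->
  <dependencyManagement>
    <dependencies>
      <!-- Managed versions also apply to transitive dependencies, so the
           okio version declared by okhttp is overridden by these entries. -->
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>3.5.0</version>
      </dependency>
      <!-- okio 3.x delegates to okio-jvm on the JVM; pin it as well so a
           stale okio-jvm cannot be pulled in through another path. -->
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio-jvm</artifactId>
        <version>3.5.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.minio</groupId>
      <artifactId>minio</artifactId>
      <!-- Placeholder: use the minio-java release your project depends on. -->
      <version>MINIO_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.squareup.okio` should list only 3.5.0 for the okio artifacts, and a dependency-check rerun should no longer flag CVE-2023-3635.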