Description
Socket.IO java client version: 2.1.2
Our security scanner flagged 5 CVEs that have known exploits available related to using old dependencies.
Please update the below dependencies:
org.json:json
com.squareup.okio:okio
com.squareup.okhttp3:okhttp
The library com.squareup.okio:okio version 1.15.0 was detected as a nested dependency of io.socket:socket.io-client version 2.1.2 in the Gradle library manager.
The com.squareup.okio:okio library is vulnerable to CVE-2023-3635, which exists in versions < 1.17.6.
The vulnerability was found in the Github Security Advisory with vendor severity: Medium (NVD severity: High).
This vulnerability has a known exploit available. Sources: Jfrog, VulnCheck.
The library org.json:json version 20090211 was detected as a nested dependency of io.socket:socket.io-client version 2.1.2 in the Gradle library manager.
The org.json:json library is vulnerable to CVE-2023-5072, which exists in versions <= 20230618.
The vulnerability was found in the Github Security Advisory with vendor severity: High (NVD severity: High).
This vulnerability has a known exploit available. Sources: Github, VulnCheck.
The library org.json:json version 20090211 was detected as a nested dependency of io.socket:socket.io-client version 2.1.2 in the Gradle library manager.
The org.json:json library is vulnerable to CVE-2022-45688, which exists in versions < 20230227.
The vulnerability was found in the Github Security Advisory with vendor severity: High (NVD severity: High).
This vulnerability has a known exploit available. Sources: Github [1, 2], VulnCheck.
The library com.squareup.okhttp3:okhttp version 3.12.12 was detected as a nested dependency of io.socket:socket.io-client version 2.1.2 in the Gradle library manager.
The com.squareup.okhttp3:okhttp library is vulnerable to CVE-2023-0833, which exists in versions < 4.9.2.
The vulnerability was found in the Safety Maven Advisories with vendor severity: Medium (NVD severity: Medium).
This vulnerability has a known exploit available. Sources: Github, VulnCheck.
The library com.squareup.okhttp3:okhttp version 3.12.12 was detected as a nested dependency of io.socket:socket.io-client version 2.1.2 in the Gradle library manager.
The com.squareup.okhttp3:okhttp library is vulnerable to CVE-2021-0341, which exists in versions < 4.9.2.
The vulnerability was found in the Github Security Advisory with vendor severity: High (NVD severity: High).
The vulnerability can be remediated by updating the com.squareup.okhttp3:okhttp library to version 4.9.2 or higher by overriding the dependency version, or by upgrading the direct library io.socket:socket.io-client to a patched version, using gradle --refresh-dependencies.
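The "override the dependency version" route from the last paragraph, as an added example that is not part of the issue or of the socket.io-client project: a consuming project's `build.gradle` (Groovy DSL) that keeps `io.socket:socket.io-client:2.1.2` but raises the nested okio and okhttp versions to the fixed releases the report names, and then verifies that the pins actually took effect. The fixed org.json release is not stated in the report, so that entry is a labelled placeholder to be filled from the advisory.

```groovy
// build.gradle of a project that consumes socket.io-client (added example).
plugins { id 'java' }
repositories { mavenCentral() }

dependencies {
    implementation 'io.socket:socket.io-client:2.1.2'

    // Dependency constraints raise a transitive version without adding a
    // direct dependency; Gradle picks the highest of the requested versions,
    // so these only ever raise, never lower, what socket.io-client pulls in.
    constraints {
        implementation('com.squareup.okio:okio:1.17.6') {
            because 'CVE-2023-3635 affects okio < 1.17.6'
        }
        implementation('com.squareup.okhttp3:okhttp:4.9.2') {
            because 'CVE-2021-0341 and CVE-2023-0833 affect okhttp < 4.9.2'
        }
        // Placeholder: the report says CVE-2023-5072 affects <= 20230618 and
        // CVE-2022-45688 affects < 20230227 but names no fixed release.
        // Replace ORG_JSON_FIXED_VERSION with the version from the advisory.
        implementation('org.json:json:ORG_JSON_FIXED_VERSION') {
            because 'CVE-2023-5072 and CVE-2022-45688 affect older org.json releases'
        }
    }
}

// Fail the build if another constraint, force, or BOM lowered the pinned
// versions again, instead of silently shipping the vulnerable artifact.
tasks.register('verifyPinnedVersions') {
    doLast {
        def expected = ['com.squareup.okio:okio'     : '1.17.6',
                        'com.squareup.okhttp3:okhttp': '4.9.2']
        configurations.runtimeClasspath.incoming.resolutionResult.allComponents { c ->
            def id = c.moduleVersion
            if (id == null) return
            def key = "${id.group}:${id.name}".toString()
            if (expected.containsKey(key) && id.version != expected[key]) {
                throw new GradleException("$key resolved to ${id.version}, expected ${expected[key]}")
            }
        }
    }
}
```

Run `gradle --refresh-dependencies dependencies --configuration runtimeClasspath` to see the `3.12.12 -> 4.9.2` style arrows confirming the overrides, then `gradle verifyPinnedVersions`. Moving okhttp from 3.12.12 to 4.9.2 crosses a major version, so exercise the Socket.IO client's tests after the override rather than assuming the API is unchanged.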