Project: mod-eusage-counter
Issue: MODEUSCNT-32

okhttp 3 Information Exposure from illegal character in a header


Details

    • Leipzig Sprint 152/53
    • Leipzig
    • Related dependency upgrade

    Description

      mod-erm-usage-counter50 has a com.squareup.retrofit2:retrofit@2.9.0 dependency, which in turn depends on com.squareup.okhttp3:okhttp@3.14.9.

      All okhttp 3.x.y versions have an Information Exposure vulnerability when there is an illegal character in a header: https://security.snyk.io/vuln/SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044

      The retrofit maintainers won't upgrade from okhttp 3 to 4: https://github.com/square/retrofit/pull/3767

      Please investigate whether mod-eusage-counter50 is affected by this vulnerability. If not, please explain why and close this Jira as "Won't do".

      If mod-eusage-counter50 is affected, please make a fix (sanitize the header, or replace retrofit with some other library, or ...).
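      A defensive check of the kind the "sanitize header" option above describes, written as an added example for this ticket (it is not code from mod-eusage-counter, retrofit or okhttp). It assumes header names and values must be printable ASCII (values may also contain TAB) and that the exposure risk is an exception message echoing the rejected value, so the message here names only the header and the offending index.

```java
/**
 * Validates HTTP header names and values before they reach the HTTP client.
 * Assumption (not stated in the ticket): a value that fails validation must
 * never appear in the exception message, so it cannot end up in logs.
 */
public final class HeaderSanitizer {
    private HeaderSanitizer() {}

    /** Names: non-empty, visible ASCII without spaces or control characters. */
    public static boolean isValidName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= ' ' || c >= 0x7f) return false;
        }
        return true;
    }

    /** Index of the first illegal value character, or -1 if the value is clean. */
    public static int firstIllegalValueIndex(String value) {
        if (value == null) return 0;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // Allowed: TAB and printable ASCII 0x20..0x7e. CR, LF, other
            // control characters and non-ASCII are rejected.
            if ((c < ' ' && c != '\t') || c >= 0x7f) return i;
        }
        return -1;
    }

    /** Fails closed on bad input; the message never contains the value. */
    public static void validate(String name, String value) {
        if (!isValidName(name)) {
            throw new IllegalArgumentException("Invalid HTTP header name");
        }
        int bad = firstIllegalValueIndex(value);
        if (bad >= 0) {
            throw new IllegalArgumentException(
                "Invalid character at index " + bad + " in value of header " + name);
        }
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the module.
        validate("Authorization", "Bearer abc123");            // accepted
        try {
            validate("Authorization", "Bearer abc\n123");      // LF in value
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());                // no token printed
        }
    }
}
```

      Calling validate() on each header before handing it to retrofit rejects the same characters the client would reject, but keeps the secret out of the exception text and therefore out of any log that records it.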

People

  Tino Ryll
  julianladisch (Julian Ladisch)