
Okhttp: CVE-2020-29582 due to old version of Okhttp (Squareup)


When running the OWASP dependency check in a project with okhttp in its dependencies the OWASP check finds the following two vulnerabilities:

kotlin-stdlib-1.3.71.jar: CVE-2020-29582
kotlin-stdlib-common-1.3.70.jar: CVE-2020-29582

According to the NVD (link to CVE-2020-29582) the fix should be present in version 1.4.21 onwards.

The two libraries are used by Okhttp from Squareup.

Feign Okhttp 11.6 uses Okhttp (Squareup) 4.6.0 (April 2020). So this could have already been fixed in Okhttp.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

1 reaction
radio-rogal commented, Oct 13, 2021

I wanted to test the dependency update locally but couldn’t run mvn install on the core submodule (which seems to be needed to build okhttp) successfully due to:

[ERROR] Failed to execute goal com.github.ekryd.sortpom:sortpom-maven-plugin:2.8.0:sort (format) on project feign-core: Could not find /Users/mluedtke/Workspace/github/feign-forked/core/src/config/pomSortOrder.xml or src/config/pomSortOrder.xml in classpath -> [Help 1]

Maybe someone could help me test it locally or verify the change. I pushed it to this branch in my fork. Only this one line changed: https://github.com/moritzluedtke/feign/blob/CVE-2020-29582/pom.xml#L77

I have tested it locally: the build is successful.

@moritzluedtke if you create a pull request, the GitHub workflow checks for any build errors.

0 reactions
moritzluedtke commented, Nov 9, 2021

Unfortunately this is still an issue with 11.7. But this should be fixed by the OkHttp team at square up. I commented on this issue: https://github.com/square/okhttp/issues/6219
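Until the direct dependency (feign-okhttp / okhttp) ships with a fixed stdlib, the finding the reporter describes can be closed from the consuming project's own pom.xml. The fragment below is an added example, not code from the Feign or OkHttp projects: it forces the two transitive kotlin-stdlib artifacts to the 1.4.21 line the NVD entry quoted above names as fixed, and wires in the same OWASP dependency-check so a regression fails the build. The `<project>` wrapper and the plugin version property are placeholders to merge into an existing pom.

```xml
<!-- Added example (not from the issue): merge into an existing pom.xml -->
<project>
  <properties>
    <!-- 1.4.21 is the fixed version the issue cites from the NVD entry -->
    <kotlin.version>1.4.21</kotlin.version>
    <!-- placeholder: the dependency-check-maven release you actually use -->
    <dependency-check.version>REPLACE_ME</dependency-check.version>
  </properties>

  <!-- dependencyManagement overrides the version okhttp 4.6.0 requests
       transitively, so Maven resolves both stdlib jars to 1.4.21 without
       needing an <exclusion> on feign-okhttp or okhttp -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib</artifactId>
        <version>${kotlin.version}</version>
      </dependency>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib-common</artifactId>
        <version>${kotlin.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- the OWASP check the reporter ran, bound to the build; a threshold
           of 0 fails the build on any reported vulnerability, so a later
           okhttp bump that drags an old stdlib back in is caught in CI -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>${dependency-check.version}</version>
        <configuration>
          <failBuildOnCVSS>0</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.jetbrains.kotlin` before trusting the scan result, since a stdlib newer than the one okhttp was built against should also be covered by the project's own tests.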
