Vulnerable dependency

[zharif96]

Hi Google Team,

Please help to use the latest com.squareup.okhttp3 since the current version used (4.10.0) contains vulnerability.

Regards,
Zharif Amin

[richardgarcar]

The reported vulnerability is CVE-2023-3635. A related pull request upgrades the com.squareup.okhttp3:okhttp dependency from 4.11.0 to 4.12.0, which transitively updates com.squareup.okio:okio to version 3.6.0. Could this PR be accepted?

[kim-morgan-clearscore]

I would also like to add that I was unable to use this library due to the following vulnerabilities

grpc-context-1.27.2.jar (pkg:maven/io.grpc/grpc-context@1.27.2, pkg:sbt/io.grpc/grpc-context@1.27.2, cpe:2.3:a:grpc:grpc:1.27.2:::::::*) : CVE-2023-33953, CVE-2023-44487, CVE-2023-4785, CVE-2023-32732

kotlin-stdlib-jdk7-1.5.31.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.5.31, pkg:sbt/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.5.31, cpe:2.3:a:jetbrains:kotlin:1.5.31:::::::*) : CVE-2022-24329

kotlin-stdlib-jdk8-1.5.31.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.5.31, pkg:sbt/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.5.31, cpe:2.3:a:jetbrains:kotlin:1.5.31:::::::*) : CVE-2022-24329

okio-jvm-3.0.0.jar (pkg:maven/com.squareup.okio/okio-jvm@3.0.0, pkg:sbt/com.squareup.okio/okio-jvm@3.0.0, cpe:2.3:a:squareup:okio:3.0.0:::::::*) : CVE-2023-3635