Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-0833 - Information Exposure in com.squareup.okhttp3:okhttp #625

Open
github-actions bot opened this issue Nov 6, 2024 · 0 comments
Open

Comments

@github-actions
Copy link

github-actions bot commented Nov 6, 2024

CVE-2023-0833 - Information Exposure in com.squareup.okhttp3:okhttp
com.squareup.okhttp3:okhttp
Introduced through: org.keycloak:[email protected] › io.fabric8:[email protected] › io.fabric8:[email protected] › io.fabric8:[email protected] › com.squareup.okhttp3:[email protected]

Overview

com.squareup.okhttp3:okhttp is a HTTP & HTTP/2 client for Android and Java applications

Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an IllegalArgumentException is thrown whose message includes the full header value.

PoC

package com.launchdarkly.eventsource;

import okhttp3.*;
import org.junit.Test;
import static org.hamcrest.MatcherAssert.*;
import static org.hamcrest.Matchers.*;

public class OkhttpHeaderExceptionTest {
  @Test
  public void invalidHeaderValueIsCapturedInException() throws Exception {
    String password = "very-secret-password";
    String badValue = password + "\n";
    
    try {
      Request req = new Request.Builder().url("http://github.com/path/doesnt/matter")
          .header("Authorization", badValue)
          .build();
    } catch (IllegalArgumentException e) {
      assertThat(e.getMessage(), not(containsString(password)));
    }
  }
}

Remediation

Upgrade com.squareup.okhttp3:okhttp to version 4.9.2 or higher.

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

0 participants