CVE-2023-0833 - Information Exposure in com.squareup.okhttp3:okhttp

[github-actions]

CVE-2023-0833 - Information Exposure in com.squareup.okhttp3:okhttp
com.squareup.okhttp3:okhttp
Introduced through: org.keycloak:[email protected] › io.fabric8:[email protected] › io.fabric8:[email protected] › io.fabric8:[email protected] › com.squareup.okhttp3:[email protected]

Overview

com.squareup.okhttp3:okhttp is a HTTP & HTTP/2 client for Android and Java applications

Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an IllegalArgumentException is thrown whose message includes the full header value.

PoC

package com.launchdarkly.eventsource;

import okhttp3.*;
import org.junit.Test;
import static org.hamcrest.MatcherAssert.*;
import static org.hamcrest.Matchers.*;

public class OkhttpHeaderExceptionTest {
  @Test
  public void invalidHeaderValueIsCapturedInException() throws Exception {
    String password = "very-secret-password";
    String badValue = password + "\n";
    
    try {
      Request req = new Request.Builder().url("http://github.com/path/doesnt/matter")
          .header("Authorization", badValue)
          .build();
    } catch (IllegalArgumentException e) {
      assertThat(e.getMessage(), not(containsString(password)));
    }
  }
}

Remediation

Upgrade com.squareup.okhttp3:okhttp to version 4.9.2 or higher.

References

• GitHub Commit
• GitHub Issue
• RedHat Bugzilla Bug