CVE-2023-3635: related to dependency com.squareup.okio:okio-jvm:3.0.0 #1038

johnowl · 2023-08-07T08:54:50Z

Expected behavior

Have no security warnings in my application because microsoft-graph-core is using a vulnerable dependency. There is already a new version without the vulnerability.

Actual behavior

The dependency is vulnerable to a certain attack, according to https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Steps to reproduce the behavior

N/A

ramsessanchez · 2023-10-23T21:55:30Z

Hi @johnowl , thanks for this catch! Will be updating the okhttp3 dependency which takes a dependency on the okio package.

baywet assigned ramsessanchez Aug 8, 2023

baywet added question Further information is requested needs attention labels Aug 8, 2023

ramsessanchez mentioned this issue Oct 23, 2023

Update Dependencies #1251

Merged

ramsessanchez linked a pull request Oct 24, 2023 that will close this issue

Update Dependencies #1251

Merged

ramsessanchez closed this as completed Oct 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-3635: related to dependency com.squareup.okio:okio-jvm:3.0.0 #1038

CVE-2023-3635: related to dependency com.squareup.okio:okio-jvm:3.0.0 #1038

johnowl commented Aug 7, 2023

ramsessanchez commented Oct 23, 2023

CVE-2023-3635: related to dependency com.squareup.okio:okio-jvm:3.0.0 #1038

CVE-2023-3635: related to dependency com.squareup.okio:okio-jvm:3.0.0 #1038

Comments

johnowl commented Aug 7, 2023

Expected behavior

Actual behavior

Steps to reproduce the behavior

ramsessanchez commented Oct 23, 2023