You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /tasks/confluence/pom.xml
Path to vulnerable library: /itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar
Path to dependency file: /tasks/confluence/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar
Dependency Hierarchy:
okhttp-3.11.0.jar (Root Library)
❌ okio-1.15.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Path to dependency file: /tasks/confluence/pom.xml
Path to vulnerable library: /itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar
Dependency Hierarchy:
❌ okhttp-3.11.0.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
An HTTP+HTTP/2 client for Android and Java applications
Library home page: https://github.com/square/okhttp
Path to dependency file: /tasks/confluence/pom.xml
Path to vulnerable library: /itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - okio-1.15.0.jar
A modern I/O API for Java
Library home page: https://github.com/square/okio
Path to dependency file: /tasks/confluence/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.15.0/okio-1.15.0.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Publish Date: 2023-07-12
URL: CVE-2023-3635
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635
Release Date: 2023-07-12
Fix Resolution (com.squareup.okio:okio): 1.17.6
Direct dependency fix Resolution (com.squareup.okhttp3:okhttp): 4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - okhttp-3.11.0.jar
An HTTP+HTTP/2 client for Android and Java applications
Library home page: https://github.com/square/okhttp
Path to dependency file: /tasks/confluence/pom.xml
Path to vulnerable library: /itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar,/itory/com/squareup/okhttp3/okhttp/3.11.0/okhttp-3.11.0.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
Publish Date: 2023-09-27
URL: CVE-2023-0833
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-09-27
Fix Resolution: 4.9.2
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: