CVE-2021-0341: Use of old (non-maintained) okhttp #170

Open
mrwilby opened this issue Mar 24, 2023 · 3 comments
Comments

mrwilby commented Mar 24, 2023

The tea library is a transitive dependency of some other aliyun libraries which my company uses.

Unfortunately, this library is using a non-maintained version of okhttp which has a known security vulnerability disclosure:

https://nvd.nist.gov/vuln/detail/CVE-2021-0341

The dependency is from here:
https://github.com/aliyun/tea-java/blob/master/pom.xml#L68

The maintainers of okhttp indicate that they will not patch the v3 library with a correction. However, the more recent 4.x series has been fixed.

Can this library be upgraded and then re-released using okhttp v4 or newer?
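For a consumer that cannot wait for tea-java to re-release, the usual Maven workaround is to pin the transitive okhttp in the consuming project's own dependencyManagement, which Maven resolves ahead of the version declared in tea-java's pom. The fragment below is an added example and is not from the tea-java project or the issue author; the okhttp 4.12.0 and okio 3.6.0 version numbers are assumptions to be checked against the current okhttp and okio release notes before use. Okio is pinned as well because CVE-2023-3635, linked later in this thread, is filed against Okio rather than okhttp itself.

```xml
<!-- Added example, not part of tea-java's pom.xml: consumer-side override
     for the transitive okhttp that tea-java pulls in. Version numbers are
     assumptions; confirm them against the okhttp/okio release notes. -->
<project>
  <!-- ... the consuming project's own coordinates and other sections ... -->

  <dependencyManagement>
    <dependencies>
      <!-- A managed version wins over the version any transitive pom
           declares, so this pin replaces tea-java's okhttp 3.x. -->
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>4.12.0</version>
      </dependency>
      <!-- okhttp depends on okio; pin it explicitly rather than relying on
           whatever the okhttp pom happens to request. -->
      <dependency>
        <groupId>com.squareup.okio</groupId>
        <artifactId>okio</artifactId>
        <version>3.6.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- The aliyun artifacts that transitively bring in tea-java stay in the
       normal <dependencies> section exactly as before; nothing there changes. -->
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.squareup.okhttp3,com.squareup.okio` should show a single 4.x okhttp and the pinned okio (on Maven, okio 3.x resolves through an `okio-jvm` artifact, which the tree output will also list). Two caveats: okhttp 4.x is written in Kotlin and brings kotlin-stdlib along transitively, and although the `okhttp3` package and public API are kept for Java callers, a managed version is something tea-java was never built or tested against, so exercise the aliyun client calls the application actually makes before shipping the override.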

mrwilby commented Jul 13, 2023

New vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

mrwilby commented Oct 3, 2023

New vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-0833

@ErkangXu

Can we please update the dependency?

2 participants