Transitive dependecy of com.squareup.okhttp3:okhttp:4.9.2 is vulnerable

[bex1111]

Hi!
There is a vulnerability in latest version transitive dependency.
Details:

Dependency maven:com.squareup.okio:okio:2.8.0 is vulnerable

Update to unaffected version 3.4.0

CVE-2023-3635, Score: 5.9

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
Mend Note: The description of this vulnerability differs from MITRE.

Read More: https://www.mend.io/vulnerability-database/CVE-2023-3635

Results powered by Mend.io

[theo-s68]

Hello,

Could you please provide more details ?

After checking the dependency tree it doesn't seem that we are using any affected version:

mvn dependency:tree | grep 'com.squareup.okio' | sort | uniq
[INFO] |  +- com.squareup.okio:okio:jar:3.6.0:compile
[INFO] |  |  \- com.squareup.okio:okio-jvm:jar:3.6.0:compile

Thanks a lot.

[bex1111]

Yes, the current code of the library doesn't contain it. You should push a new version to https://mvnrepository.com/artifact/io.github.binance/binance-connector-java. Because 3.4.1 contains this vulnerability.