Comments (2)
Thank you for the quick response. I tested java-server-sdk:4.12.1, everything is OK now. OWASP scan doesn't complain any more.
from java-server-sdk.
Yes— however, it's unclear that updating OkHttp makes any real difference. While the linked CVE page mentions a maximum version of 3.12.0 for this issue, it doesn't look like there were any changes made for this in 3.12.1 or any later version; the discussion on the corresponding GitHub issue concluded that there was no action to take, since this theoretical attack would require having such a degree of control over the device and the application that the attacker would be able to interfere with network traffic no matter what OkHttp did. This is why the CVE page describes it as "disputed".
So, while we can and will update the OkHttp version to 3.12.10 in the next release, that is really just on general principle and doesn't necessarily mean this aspect of OkHttp's behavior has changed at all. Since the CVE was defined with an upper limit of 3.12.0 (I'm still not sure why— possibly that's just the highest version that they had tested at that time, and it looks like someone was planning to update the entry but never got around to it), that will probably make your scanner stop complaining, but I just wanted to be clear that this is probably arbitrary and we do not think there was a meaningful vulnerability.
from java-server-sdk.
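The maintainer's point above is that the scanner matches the resolved OkHttp version against the CVE entry's published upper bound (3.12.0), so any bump past that bound silences the finding whether or not the library's behaviour changed. The following is an added example, not code from the issue thread or from the LaunchDarkly SDK, that reproduces that range-matching logic over a constructed Gradle `dependencies` report. The `Advisory` record is a hypothetical stand-in for the disputed entry (no CVE identifier is asserted), and the SDK/OkHttp version pairs in the sample reports are illustrative; the `-> 3.12.10` line shows what the report looks like when the application itself forces a newer OkHttp through conflict resolution. It also shows the one practical trap in this kind of check: versions must be compared numerically, since as strings `"3.12.10" < "3.12.2"`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not code from the LaunchDarkly SDK or from the issue thread.
# It mimics how a dependency scanner decides whether a resolved artifact falls
# inside a CVE entry's "affected versions" range. The dependency trees below are
# constructed in Gradle's `dependencies` report format; the advisory record is a
# hypothetical stand-in for the disputed OkHttp entry discussed in the thread
# (upper bound 3.12.0, no code change at 3.12.1 or later).

GAV_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):([\w.\-]+)"   # group:artifact:declared version
    r"(?:\s*->\s*([\w.\-]+))?"            # optional "-> resolved" conflict note
)


def parse_version(v: str) -> tuple[int, int, int]:
    """Numeric (major, minor, patch), padded with zeros.

    String comparison would rank '3.12.10' below '3.12.2' and misjudge the
    3.12.10 bump the maintainer mentions; tuples of ints compare correctly."""
    nums = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


@dataclass(frozen=True)
class Advisory:
    label: str          # human-readable name; no real CVE id is claimed here
    group: str
    artifact: str
    max_affected: str   # inclusive upper bound as published in the entry
    disputed: bool = False


def parse_gradle_tree(report: str) -> list[tuple[str, str, str]]:
    """Return (group, artifact, resolved_version) per report line, honouring
    Gradle's '-> x.y.z' conflict-resolution note and ignoring '(*)' markers."""
    deps = []
    for line in report.splitlines():
        m = GAV_RE.search(line)
        if not m:
            continue
        group, artifact, declared, resolved = m.groups()
        deps.append((group, artifact, resolved or declared))
    return deps


def is_affected(adv: Advisory, group: str, artifact: str, version: str) -> bool:
    """Range match exactly as a version-bound scanner does: inside the bound
    means flagged, one patch release past it means silent."""
    if (group, artifact) != (adv.group, adv.artifact):
        return False
    return parse_version(version) <= parse_version(adv.max_affected)


def scan(report: str, advisories: list[Advisory]) -> list[str]:
    """Findings in the shape a range-matching scanner would report them."""
    findings = []
    for group, artifact, version in parse_gradle_tree(report):
        for adv in advisories:
            if is_affected(adv, group, artifact, version):
                tag = " [disputed]" if adv.disputed else ""
                findings.append(f"{group}:{artifact}:{version} matches {adv.label}{tag}")
    return findings


OKHTTP_ADVISORY = Advisory(
    label="OkHttp entry with upper bound 3.12.0",
    group="com.squareup.okhttp3",
    artifact="okhttp",
    max_affected="3.12.0",
    disputed=True,
)

# Constructed reports; the SDK/OkHttp version pairs are illustrative only.
REPORT_OLD = """\
+--- com.launchdarkly:launchdarkly-java-server-sdk:4.12.0
|    \\--- com.squareup.okhttp3:okhttp:3.12.0
|         \\--- com.squareup.okio:okio:1.15.0
"""
# Same SDK, but the application forced OkHttp 3.12.10 via conflict resolution.
REPORT_NEW = """\
+--- com.launchdarkly:launchdarkly-java-server-sdk:4.12.1
|    \\--- com.squareup.okhttp3:okhttp:3.12.0 -> 3.12.10 (*)
"""

if __name__ == "__main__":
    for name, rep in (("old", REPORT_OLD), ("new", REPORT_NEW)):
        print(name, scan(rep, [OKHTTP_ADVISORY]) or "clean")
```

Run it as a script to see the old tree flagged (with the `[disputed]` tag) and the new tree reported clean. Note that `is_affected` returns `False` for 3.12.1 as well: that is the scanner going quiet because the bound was crossed, not evidence that anything in OkHttp was fixed, which is exactly the distinction the maintainer draws.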