DataDog / dd-sdk-android

Datadog SDK for Android (Compatible with Kotlin and Java)
Apache License 2.0

Security vulnerability introduced with SDK v2.7.1 (okio) #1984

Closed tobi512 closed 4 months ago

tobi512 commented 4 months ago

Question

Hi guys, we recently updated your SDK version (dd-sdk-android) to v2.7.1 and our security vulnerability tool Snyk now reports 2 vulnerabilities introduced by your SDK.

CVE is CVE-2023-3635 [screenshot attached: Bildschirmfoto 2024-04-12 um 11 28 02]

The affected dependency is "com.squareup.okio", however it's not obvious which version exactly is used. Updating it to v3.4.0 or higher would fix the problem. Can you please check the usage of the dependency in your SDK and give us a fixed version or detailed information on how to get rid of the vulnerability?

Cheers, Tobias

xgouchet commented 4 months ago

Hi @tobi512 , thanks a lot for opening this question.

The vulnerability you're linking to is only relevant when Okio is used in a server to process incoming gzipped requests, which could lead to a Denial of Service. In our case, the SDK is embedded in a mobile app that isn't a server, and this vulnerability doesn't apply, so you can ignore this warning.

tobi512 commented 4 months ago

Thank you very much! @xgouchet
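For anyone who, like the reporter, cannot tell which okio version the SDK resolves and wants the scanner to stop flagging CVE-2023-3635 even though the maintainer's reasoning above says the gzip DoS path is not reachable from a mobile client: the Gradle Kotlin DSL fragment below is an added illustration, not code from dd-sdk-android or Datadog; the `okio-jvm` coordinate and the `:app` module name are assumptions, and the Datadog dependency line is a placeholder.

```kotlin
// app/build.gradle.kts (added illustration, not part of the dd-sdk-android project)
//
// Step 1: find out which okio version is actually resolved and through which path.
// Run from the shell (not part of this file); ":app" is an assumed module name:
//   ./gradlew :app:dependencyInsight --configuration releaseRuntimeClasspath --dependency okio
//
// Step 2: if the report shows a version below 3.4.0, add a constraint. A constraint only
// raises the version when the dependency is already present transitively; it does not add
// okio to the app on its own, which is why it is preferred over a blanket force().
dependencies {
    // ... your existing Datadog SDK dependencies stay as they are (placeholder) ...

    constraints {
        // Page states the fix landed in okio 3.4.0 or higher.
        implementation("com.squareup.okio:okio") {
            version { require("3.4.0") }
            because("CVE-2023-3635: gzip handling DoS, fixed in okio 3.4.0")
        }
        // okio 3.x is multiplatform; its JVM artifact is published as okio-jvm (assumed
        // coordinate). Constraining it too covers a dependency that names the JVM variant directly.
        implementation("com.squareup.okio:okio-jvm") {
            version { require("3.4.0") }
            because("CVE-2023-3635: gzip handling DoS, fixed in okio 3.4.0")
        }
    }
}

// Step 3: re-run the dependencyInsight task from step 1 and confirm every okio path now
// reads 3.4.0 (or higher), then let the scanner re-evaluate the lockfile/build.
```

Raising a transitive version beyond what the SDK was tested against is a compatibility risk in its own right, so keep the constraint under review until the SDK ships with the newer okio itself.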