Security vulnerability in transitive dependency OkIo < 3.4.0 in com.squareup.okhttp3:okhttp:4.10.0, upgrade okhttp to 4.12.0

esther-fatehi commented 7 months ago

[x] I have checked that the SDK documentation doesn't solve my issue.
[x] I have checked that the API documentation doesn't solve my issue.
[x] I have searched the Box Developer Forums and my issue isn't already reported (or if it has been reported, I have attached a link to it, for reference).
[x] I have searched Issues in this repo and my issue isn't already reported.

Description of the Issue

In com.squareup.okhttp3:okhttp:4.10.0, there is a transitive dependency OkIo that has a high security vulnerability (7.5) . OkiO has this vulnerability in versions < 3.4.0. This is fixed in okhttp upgrade in com.squareup.okhttp3:okhttp:4.12.0.

CVE for OkiO: https://nvd.nist.gov/vuln/detail/CVE-2023-3635

Steps to Reproduce

OkiO is still on vulnerable version 3.2.0 on okhttp version 4.11.0 - https://central.sonatype.com/artifact/com.squareup.okhttp3/okhttp/4.11.0
See the OkiO has been upgraded > 3.4.0 here on okhttp version 4.12.0: https://central.sonatype.com/artifact/com.squareup.okhttp3/okhttp/4.12.0
Box Java SDK is on vulnerable version of okhttp 4.10.0: https://github.com/box/box-java-sdk/blob/main/build.gradle

Expected Behavior

Expect that com.squareup.okhttp3:okhttp is upgraded to version 4.12.0

Error Message, Including Stack Trace

N/A

Screenshots

N/A

Versions Used

Java SDK: Java:

congminh1254 commented 7 months ago

Hi @esther-fatehi

We have just bumped the okhttp version and it should be included in the next version of Box Java SDK.

Thank you.

esther-fatehi commented 7 months ago

@congminh1254 Thank you so much!

box / box-java-sdk