instipod / DuoUniversalKeycloakAuthenticator

Keycloak Authenticator for Duo's new Universal Prompt
GNU General Public License v3.0

Fix duo-universal-sdk transitive vulnerability #23

Closed Ansa89 closed 7 months ago

Ansa89 commented 9 months ago

The Duo lib duo-universal-sdk contains a transitive vulnerability inherited from the library OkHttp:3.14.9.

The vulnerability is CVE-2023-3635.

Adding a more recent version of OkHttp to pom.xml (before the Duo library) prevents loading the vulnerable one.
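The override described in the comment above, as an added Maven example that is not part of this PR. It pins the OkHttp artifact through `dependencyManagement` so the pinned version wins regardless of declaration order; the artifact coordinates and the `FIXED_OKHTTP_VERSION` placeholder are assumptions to be filled from the OkHttp advisory for CVE-2023-3635.

```xml
<!-- pom.xml fragment (added example, not the project's own pom.xml) -->
<project>
  <!-- Pin the transitive OkHttp artifact. dependencyManagement applies to
       transitive dependencies too, so it overrides the 3.14.9 pulled in by
       duo-universal-sdk without relying on declaration order. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>   <!-- assumed coordinates -->
        <artifactId>okhttp</artifactId>
        <version>FIXED_OKHTTP_VERSION</version>    <!-- placeholder: use the patched release -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The Duo library that transitively brings in OkHttp (assumed coordinates). -->
    <dependency>
      <groupId>com.duosecurity</groupId>
      <artifactId>duo-universal-sdk</artifactId>
      <version>DUO_SDK_VERSION</version>           <!-- placeholder -->
    </dependency>
  </dependencies>
</project>

<!-- Verify the override took effect: the resolved tree must show only the
     pinned okhttp version, not 3.14.9.
     $ mvn dependency:tree -Dincludes=com.squareup.okhttp3
-->
```

Because the build will still resolve whichever version Maven picks, the `dependency:tree` check is the step that actually confirms the vulnerable artifact is no longer on the classpath.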

instipod commented 9 months ago

Has this been reported upstream to the Duo library as well?

Ansa89 commented 9 months ago

I didn't report this upstream, and I don't know if anyone did.

IMHO Duo devs are already aware of this, but they assigned a low score to the vulnerability and didn't fix it (please note that these are just my personal speculations without any evidence to support them).

Also, given that the vulnerability requires an instance of GzipSource, there is a remote chance that duo-universal-sdk is not impacted (although I wonder whether neither duo-universal-sdk nor OkHttp uses GzipSource internally).