Closed Ansa89 closed 7 months ago
Has this been reported upstream to the Duo library as well?
I didn't report this upstream, and I don't know if anyone did.
IMHO Duo devs are already aware of this, but they assigned a low score to the vulnerability and didn't fix that (please note that these are just my personal speculations without any evidence to support them).
Also, given that the vulnerability requires an instance of `GzipSource`, there is a remote chance for `duo-universal-sdk` to not be impacted (although I wonder if neither `duo-universal-sdk` nor `OkHttp` are using `GzipSource` internally).
The Duo lib `duo-universal-sdk` contains a transitive vulnerability inherited from the library `OkHttp:3.14.9`. The vulnerability is CVE-2023-3635.

Adding a more recent version of `OkHttp` to `pom.xml` (before the Duo library) prevents loading the vulnerable one.
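As an added illustration of the workaround described in this issue (not a snippet from the issue or from the Duo project), the `pom.xml` fragment below pins OkHttp through `dependencyManagement`, which overrides the transitive `OkHttp:3.14.9` that `duo-universal-sdk` pulls in regardless of where the Duo dependency is listed, so the fix does not rely on declaration order. The Duo coordinates are assumed, and `X.Y.Z` / `DUO_VERSION` are placeholders, not real release numbers.

```xml
<!-- Added example, not from the issue. X.Y.Z is a placeholder: substitute an
     OkHttp release that is not affected by CVE-2023-3635. -->
<project>
  <properties>
    <okhttp.version>X.Y.Z</okhttp.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement takes precedence over Maven's nearest-wins
           mediation, so the transitive OkHttp 3.14.9 is replaced even if
           duo-universal-sdk is declared first -->
      <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>${okhttp.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <!-- assumed coordinates for the Duo library -->
      <groupId>com.duosecurity</groupId>
      <artifactId>duo-universal-sdk</artifactId>
      <version>DUO_VERSION</version> <!-- placeholder -->
    </dependency>
  </dependencies>
</project>
```

After changing the POM, confirm which version actually resolves with `mvn dependency:tree -Dincludes=com.squareup.okhttp3`; the output should list only the pinned version, and if `3.14.9` still appears the override is not being applied (for example because the pin sits in a module that is not the one consuming Duo).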