square / retrofit

A type-safe HTTP client for Android and the JVM
https://square.github.io/retrofit/
Apache License 2.0

CWE-295 | Improper Certificate Validation #4226

Closed vivek-np closed 1 month ago

vivek-np commented 1 month ago

What kind of issue is this?

CWE-295 | Improper Certificate Validation

- Checkmarx vulnerability detected for Retrofit Converters com.squareup.retrofit2:converter-gson @ 2.11.0

This is happening as internally it depends on com.squareup.okhttp3:okhttp @ 3.14.9

In the "verifyHostName" method of "OkHostnameVerifier.java", there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product:

JakeWharton commented 1 month ago

We are not upgrading OkHttp at this time. See https://github.com/square/retrofit/issues/4020#issuecomment-1870586604 for the plan.

You are welcome to upgrade the version of OkHttp in your builds.
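One way to do that override on the consumer side, as an added example that is not part of Retrofit or of this thread: a `build.gradle.kts` fragment for a hypothetical app that declares a newer OkHttp directly and rewrites any remaining 3.x request, so the transitive `okhttp 3.14.9` that the scanner flagged is no longer on the runtime classpath. The `okhttpVersion` value is an assumption; pin whatever release you have vetted.

```kotlin
// build.gradle.kts of the consuming app (hypothetical example, not Retrofit's build)
val okhttpVersion = "4.12.0" // assumed OkHttp release; check Maven Central before pinning

dependencies {
    implementation("com.squareup.retrofit2:retrofit:2.11.0")
    implementation("com.squareup.retrofit2:converter-gson:2.11.0")
    // Declaring OkHttp directly makes Gradle resolve this version instead of the
    // 3.14.9 that Retrofit 2.11.0 pulls in transitively (highest version wins).
    implementation("com.squareup.okhttp3:okhttp:$okhttpVersion")
}

configurations.all {
    resolutionStrategy.eachDependency {
        // Guard against another module or a `force` rule re-introducing a 3.x
        // OkHttp: rewrite any such request to the pinned version and record why,
        // so the CWE-295 finding above cannot silently come back in a later build.
        if (requested.group == "com.squareup.okhttp3" &&
            requested.version?.startsWith("3.") == true
        ) {
            useVersion(okhttpVersion)
            because("OkHttp 3.x flagged by Checkmarx (CWE-295); pinned to $okhttpVersion")
        }
    }
}
```

Confirm the result with `./gradlew dependencies --configuration runtimeClasspath` and check that `com.squareup.okhttp3:okhttp` resolves to the pinned version (Gradle prints `3.14.9 -> 4.12.0` next to the transitive edge when the override took effect).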