
Vulnerable dependency

Open zharif96 opened this issue 9 months ago • 3 comments

Hi Google Team,

Please help to use the latest com.squareup.okhttp3, since the current version used (4.10.0) contains a vulnerability.

Regards, Zharif Amin

zharif96 avatar Apr 30 '25 01:04 zharif96

The reported vulnerability is CVE-2023-3635. A related pull request upgrades the com.squareup.okhttp3:okhttp dependency from 4.11.0 to 4.12.0, which transitively updates com.squareup.okio:okio to version 3.6.0. Could this PR be accepted?

richardgarcar avatar May 15 '25 10:05 richardgarcar
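One way a consumer of the library can apply the same okhttp/okio bump in its own build while that PR is pending (an added example, not code from the google-maps-services-java project; the `com.google.maps:google-maps-services` coordinate and the placeholder release version are assumptions):

```kotlin
// build.gradle.kts of a project that depends on google-maps-services-java.
// Added example: raises the transitive okhttp/okio versions to the ones named
// in the thread (okhttp 4.12.0, which brings okio 3.6.0) without forking the library.
dependencies {
    // Assumed coordinate; replace <release> with the version you actually use.
    implementation("com.google.maps:google-maps-services:<release>")

    constraints {
        // Raise okhttp to the version the upstream PR moves to.
        implementation("com.squareup.okhttp3:okhttp:4.12.0") {
            because("okhttp 4.12.0 pulls okio 3.6.0, addressing CVE-2023-3635 (see issue thread)")
        }
        // Pin okio explicitly as well, so another dependency cannot drag 3.0.0 back in.
        implementation("com.squareup.okio:okio:3.6.0") {
            because("CVE-2023-3635 reported by dependency scan against okio 3.0.0")
        }
    }
}

// Verify the resolved version before shipping:
//   ./gradlew dependencyInsight --dependency okio --configuration runtimeClasspath
// The report should show okio 3.6.0 selected "by constraint" rather than 3.0.0.
```

Gradle constraints only raise versions; they do not downgrade, so a dependency already requesting a newer okhttp is left alone.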

I would also like to add that I was unable to use this library due to the following vulnerabilities:

grpc-context-1.27.2.jar (pkg:maven/io.grpc/grpc-context@1.27.2, pkg:sbt/io.grpc/grpc-context@1.27.2, cpe:2.3:a:grpc:grpc:1.27.2:*:*:*:*:*:*:*) : CVE-2023-33953, CVE-2023-44487, CVE-2023-4785, CVE-2023-32732

kotlin-stdlib-jdk7-1.5.31.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.5.31, pkg:sbt/org.jetbrains.kotlin/kotlin-stdlib-jdk7@1.5.31, cpe:2.3:a:jetbrains:kotlin:1.5.31:*:*:*:*:*:*:*) : CVE-2022-24329

kotlin-stdlib-jdk8-1.5.31.jar (pkg:maven/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.5.31, pkg:sbt/org.jetbrains.kotlin/kotlin-stdlib-jdk8@1.5.31, cpe:2.3:a:jetbrains:kotlin:1.5.31:*:*:*:*:*:*:*) : CVE-2022-24329

okio-jvm-3.0.0.jar (pkg:maven/com.squareup.okio/okio-jvm@3.0.0, pkg:sbt/com.squareup.okio/okio-jvm@3.0.0, cpe:2.3:a:squareup:okio:3.0.0:*:*:*:*:*:*:*) : CVE-2023-3635

kim-morgan-clearscore avatar May 19 '25 14:05 kim-morgan-clearscore

+1

valcorn-dev avatar Oct 13 '25 13:10 valcorn-dev