Information Exposure Affecting com.squareup.okhttp3:okhttp package, versions [,4.9.2)
Snyk CVSS

  • Attack Complexity: High

Threat Intelligence

  • Exploit Maturity: Proof of concept
  • EPSS: 0.05% (16th percentile)

NVD

  • 5.5 medium

  • Snyk ID SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044
  • published 22 Jul 2022
  • disclosed 22 Jul 2022
  • credit eli-darkly

How to fix?

Upgrade com.squareup.okhttp3:okhttp to version 4.9.2 or higher.

Overview

com.squareup.okhttp3:okhttp is an HTTP and HTTP/2 client for Android and Java applications.

Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an IllegalArgumentException is thrown whose message includes the full header value.

PoC

package com.launchdarkly.eventsource;

import okhttp3.*;
import org.junit.Test;
import static org.hamcrest.MatcherAssert.*;
import static org.hamcrest.Matchers.*;
import static org.junit.Assert.fail;

public class OkhttpHeaderExceptionTest {
  @Test
  public void invalidHeaderValueIsCapturedInException() throws Exception {
    // A secret followed by a character OkHttp rejects in header values.
    String password = "very-secret-password";
    String badValue = password + "\n";

    try {
      new Request.Builder().url("http://github.com/path/doesnt/matter")
          .header("Authorization", badValue)
          .build();
      fail("expected IllegalArgumentException for the invalid header value");
    } catch (IllegalArgumentException e) {
      // On affected versions (< 4.9.2) this assertion fails: the exception
      // message echoes the whole header value, secret included.
      assertThat(e.getMessage(), not(containsString(password)));
    }
  }
}
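As an added example (not code from OkHttp or from the advisory), a small hypothetical helper that applies OkHttp's own header-value rule (tab or printable ASCII 0x20-0x7E) before the value reaches the library, so a rejected secret is never copied into any exception message; the class name, method names and the example URL are assumptions.

```java
import okhttp3.Request;

/** Hypothetical helper (not part of OkHttp): checks header values before OkHttp sees them. */
public final class SafeHeaders {
  private SafeHeaders() {}

  /** Index of the first character OkHttp rejects (only '\t' and 0x20..0x7E are allowed), or -1. */
  public static int firstIllegalIndex(String value) {
    for (int i = 0; i < value.length(); i++) {
      char c = value.charAt(i);
      if (c != '\t' && (c < '\u0020' || c > '\u007e')) return i;
    }
    return -1;
  }

  /**
   * Adds a header, failing with a message that names only the header and the offending
   * position. The value itself never appears in the exception.
   */
  public static Request.Builder addHeader(Request.Builder builder, String name, String value) {
    int bad = firstIllegalIndex(value);
    if (bad >= 0) {
      throw new IllegalArgumentException(
          "Invalid character at index " + bad + " in value of header '" + name + "'");
    }
    try {
      return builder.header(name, value);
    } catch (IllegalArgumentException e) {
      // Defence in depth for OkHttp < 4.9.2: rethrow without the original message or cause,
      // since either could be logged and may contain the full header value.
      throw new IllegalArgumentException("Rejected value for header '" + name + "'");
    }
  }

  public static void main(String[] args) {
    Request.Builder builder = new Request.Builder().url("https://example.invalid/");
    try {
      // Constructed input: a token with a trailing newline, as in the PoC above.
      addHeader(builder, "Authorization", "Bearer very-secret-token\n");
    } catch (IllegalArgumentException e) {
      // Safe to log: the message carries the header name and index, not the secret.
      System.out.println(e.getMessage());
    }
  }
}
```

Pairing this pre-check with the upgrade to 4.9.2 or later covers both the library's behaviour and any application-side logging of the failure.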