Pin the okhttp version to 4.12.0

mrdubr · mrdubr · commit a8a3e98acbb2 · 2025-02-21T12:57:39.000-05:00
diff --git a/build.gradle b/build.gradle
@@ -75,6 +75,11 @@ dependencies {
         pluginLibs ('com.nimbusds:nimbus-jose-jwt:9.37.3') {
             because "CVE-2023-1370, CVE-2021-31684, CVE-2023-52428"
         }
+        // Pins the version to avoid  a dependency on okhttp 3.14.9 that suffers from the CVE.
+        // This version of okhttp is inline with the one used in Rundeck 5.9.x
+        pluginLibs ('com.squareup.okhttp3:okhttp:4.12.0') {
+            because "CVE-2023-3635"
+        }
     }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,11 @@ dependencies {`
`75`	`75`	`pluginLibs ('com.nimbusds:nimbus-jose-jwt:9.37.3') {`
`76`	`76`	`because "CVE-2023-1370, CVE-2021-31684, CVE-2023-52428"`
`77`	`77`	`}`
	`78`	`+ // Pins the version to avoid a dependency on okhttp 3.14.9 that suffers from the CVE.`
	`79`	`+ // This version of okhttp is inline with the one used in Rundeck 5.9.x`
	`80`	`+ pluginLibs ('com.squareup.okhttp3:okhttp:4.12.0') {`
	`81`	`+ because "CVE-2023-3635"`
	`82`	`+ }`
`78`	`83`	`}`
`79`	`84`
`80`	`85`	`}`