Firebase-android-sdk: firebase-functions uses okhttp:2.7.2 which has a MITM vulnerability: CVE-2016-2402

Created on 30 Oct 2018 · 3 Comments · Source: firebase/firebase-android-sdk

firebase-functions uses okhttp:2.7.2 which has a MITM vulnerability: CVE-2016-2402

https://github.com/firebase/firebase-android-sdk/blob/master/firebase-functions/firebase-functions.gradle contains:
implementation 'com.squareup.okhttp:okhttp:2.7.2'

https://nvd.nist.gov/vuln/detail/CVE-2016-2402:

OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.

Advice: Update okhttp dependency to 2.7.4 or 2.7.5
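As an added illustration, not code from this issue or from OkHttp, here is a toy Python model of the check the NVD text describes: the vulnerable pinner matches pins against the raw chain the peer sent, while the fixed one matches only against the chain that actually validates to a trusted root. All certificate names, pins and root names below are constructed.

```python
# Added example, not code from the issue or from OkHttp: a toy model of the
# check CVE-2016-2402 describes. Certificates are (subject, issuer, pin)
# tuples; real X.509 parsing and signature verification are out of scope.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the certificate that signed this one
    pin: str     # stands in for sha256(SubjectPublicKeyInfo)

TRUSTED_ROOTS = {"Root A", "Root B"}  # constructed platform trust store

def clean_chain(peer_chain):
    """Walk from the leaf to a trusted root following issuer links, as the
    platform TrustManager does: certificates the peer sent that are not on
    the path to a trusted root are dropped. ValueError if no path exists."""
    by_subject = {c.subject: c for c in peer_chain}
    chain = [peer_chain[0]]
    while chain[-1].issuer not in TRUSTED_ROOTS:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt in chain:
            raise ValueError("no path to a trusted root")
        chain.append(nxt)
    return chain

def pin_check_vulnerable(peer_chain, pins):
    """Pre-2.7.4 behaviour: a pin matching ANY presented certificate passes."""
    return any(c.pin in pins for c in peer_chain)

def pin_check_fixed(peer_chain, pins):
    """2.7.4+ behaviour: pins are matched only against the validated chain."""
    return any(c.pin in pins for c in clean_chain(peer_chain))

# Constructed scenario: the app pins the genuine server key ("pin-real").
PINS = {"pin-real"}
real_leaf = Cert("api.example", "Root A", "pin-real")
# The chain shape the CVE text describes: a leaf for the same name issued
# by a different, still trusted, CA, with the public pinned certificate
# appended after it. Only the first two entries validate to a root.
inter_b = Cert("Inter B", "Root B", "pin-inter-b")
mitm_leaf = Cert("api.example", "Inter B", "pin-mitm")
MITM_CHAIN = [mitm_leaf, inter_b, real_leaf]

def demo():
    return {
        "vulnerable_accepts_mitm": pin_check_vulnerable(MITM_CHAIN, PINS),
        "fixed_accepts_mitm": pin_check_fixed(MITM_CHAIN, PINS),
        "fixed_accepts_real": pin_check_fixed([real_leaf], PINS),
    }
```

The takeaway for a dependency like the one in firebase-functions.gradle is that the bug lives in the library's pin matching, so no app-side pin configuration helps until the version is lifted.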

All 3 comments

Please consider to switch to com.squareup.okhttp3:okhttp:3.10 or newer.

Thanks for notifying. Our upcoming release lifts the version of okhttp to 2.7.5.
At this point we are unable to upgrade to 3.x since a downstream dependency transitively depends on 2.x and this would be a breaking change.

FYI: I have a #100 that might help remove this dep altogether.

implementation 'com.google.firebase:firebase-auth:16.0.1:15.0.0'
facing to implement
