CVE In Google Maps Services 2.0.0 #816

@raghulvishnudhinesh

Environment details

  1. com.google.maps:google-maps-services:2.0.0

Steps to reproduce

We see the above jar has a transitive dependency on org.jetbrains.kotlin:kotlin-stdlib:1.4.10, which has a CVE reported by our CVE scanning tool. okhttp was the library referring to this dependency. okhttp has released a new alpha version (5.0.0-alpha.6) that includes a newer version of Kotlin (1.6.10) without this CVE.

[CVE-2020-29582

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
CWE-276 Incorrect Default Permissions]

The resolution is to move to okhttp (5.0.0-alpha.6). Can you please check on this and provide us an update?
Thanks
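
Added example, not part of the original report or the project's code: a check that walks a dependency tree and reports every path that still resolves kotlin-stdlib to a version before 1.4.21, the fixed version named in the CVE text above. It assumes the tree layout printed by `gradle dependencies`; the sample tree is constructed, and `X.Y.Z` and `com.example:other-lib` are placeholders.

```python
import re

FIXED = (1, 4, 21)  # the CVE text on this page: Kotlin before 1.4.21 is affected
TARGET = "org.jetbrains.kotlin:kotlin-stdlib"

# Constructed sample in the layout of `gradle dependencies` output.
# X.Y.Z is a placeholder: the page does not state the okhttp version in use.
SAMPLE_TREE = """\
+--- com.google.maps:google-maps-services:2.0.0
|    \\--- com.squareup.okhttp3:okhttp:X.Y.Z
|         \\--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10
\\--- com.example:other-lib:1.0
     \\--- org.jetbrains.kotlin:kotlin-stdlib:1.4.10 -> 1.6.10 (*)
"""

# indent, branch marker, group:artifact, requested version, optional "-> resolved"
NODE = re.compile(
    r"^(?P<indent>[|\s]*)[+\\]--- (?P<ga>[^:\s]+:[^:\s]+):(?P<ver>\S+)"
    r"(?: -> (?P<resolved>\S+))?"
)


def version_tuple(text):
    """Leading numeric components of a version string: '1.4.10' -> (1, 4, 10)."""
    return tuple(int(n) for n in re.match(r"\d+(?:\.\d+)*", text).group().split("."))


def vulnerable_paths(tree, fixed=FIXED):
    """Return (dependency path, resolved version) for each kotlin-stdlib below `fixed`."""
    stack, hits = [], []
    for line in tree.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # configuration headers, blank lines, unsupported node forms
        depth = len(m["indent"]) // 5  # five columns of indent per tree level
        # The version after "->" is what ends up on the classpath.
        resolved = m["resolved"] or m["ver"]
        del stack[depth:]
        stack.append(f"{m['ga']}:{resolved}")
        if m["ga"] == TARGET and version_tuple(resolved) < fixed:
            hits.append((" > ".join(stack), resolved))
    return hits


if __name__ == "__main__":
    for path, version in vulnerable_paths(SAMPLE_TREE):
        print(f"kotlin-stdlib {version} (before 1.4.21) via {path}")
```

The second branch of the sample requests 1.4.10 but resolves to 1.6.10, so only the path through google-maps-services is reported.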

Labels

released, triage me, type: bug