Security vulnerability CVE-2020-29582

[pdodds]

Checklist

• I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

We are currently tracking an issue based on the use of Auth0 in a Java application - see https://nvd.nist.gov/vuln/detail/cve-2020-29582

Are you planning to resolve the dependency version, I assume this might be linked to changing the OKHttp version?

Reproduction

• Add Auth0 as dependency in Maven

Additional context

No response

auth0-java version

2.15

Java version

21

[tanya732]

Hi @pdodds,

Thank you for raising this issue! We will be planning to address it in a future release. However, it won’t be resolved immediately. We’ll keep you updated as we move forward with a fix.

Thank you

[tanya732]

Hi @pdodds,

We've reviewed the issue you mentioned regarding CVE-2020-29582, which affects versions of kotlin-stdlib prior to 1.4.21. Upon reviewing the current dependency tree for auth0-java version 2.15, we found that the Kotlin standard library being used is org.jetbrains.kotlin:kotlin-stdlib:2.1.0, which is above the vulnerable range.

Given this, the CVE should not apply in this context. However, if you're seeing a vulnerable version of this library being pulled in, please let us know and we’ll be happy to assist further.

Additionally, we do have a major version bump of OKHttp planned on our roadmap, but it's not currently scheduled in the near term.

Thank you

[tanya732]

Hi @pdodds,

If you're still seeing a vulnerable version being pulled into your project or have further concerns, please feel free to re-open this issue or provide more details.

Thanks again for your report!