gson-2.6.2.jar: 2 vulnerabilities (highest severity is: 7.7) #4
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
Micro-Learning Topic: Denial of service (Detected by phrase)Matched on "Denial of Service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try a challenge in Secure Code WarriorMicro-Learning Topic: Deserialization of untrusted data (Detected by phrase)Matched on "Deserialization of Untrusted Data"It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains Try a challenge in Secure Code WarriorHelpful references
Micro-Learning Topic: Vulnerable library (Detected by phrase)Matched on "Vulnerable Library"Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process. Try a challenge in Secure Code Warrior |
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy:
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend here
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy:
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: