You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "Denial of Service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains
OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2021-0419
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy:
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend here
CVE-2022-25647
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy:
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: