gson-2.6.2.jar: 2 vulnerabilities (highest severity is: 7.7)
Opened this issue · 1 comments
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (gson version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2021-0419 |  High |
7.7 | gson-2.6.2.jar | Direct | 2.8.9 | ❌ |
| CVE-2022-25647 | High |
7.7 | gson-2.6.2.jar | Direct | 2.8.9 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2021-0419
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy:
- ❌ gson-2.6.2.jar (Vulnerable Library)
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend here
CVE-2022-25647
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy:
- ❌ gson-2.6.2.jar (Vulnerable Library)
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend here
Micro-Learning Topic: Denial of service (Detected by phrase)
Matched on "Denial of Service"
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
Try a challenge in Secure Code Warrior
Micro-Learning Topic: Deserialization of untrusted data (Detected by phrase)
Matched on "Deserialization of Untrusted Data"
It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains
Try a challenge in Secure Code Warrior
Helpful references
- OWASP Deserialization Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing deserialization flaws in your applications.
- OWASP Deserialization of untrusted data - OWASP community page with comprehensive information about deserialization vulnerabilities, and links to various OWASP resources to help detect or prevent it.
- OWASP Top Ten 2017 A8: Insecure Deserialization - OWASP Top Ten articles provide basic techniques to protect against these high risk problem areas, and guidance on where to go next.
Micro-Learning Topic: Vulnerable library (Detected by phrase)
Matched on "Vulnerable Library"
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.