github - ghsa-4jrv-ppp4-jm57

ghsa-4jrv-ppp4-jm57

Vulnerability from github

Published

2022-05-03 00:00

Modified

2022-05-20 20:31

Severity

7.7 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Summary

Deserialization of Untrusted Data in Gson

Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.google.code.gson:gson"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25647"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-20T20:31:08Z",
    "nvd_published_at": "2022-05-01T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "The package `com.google.code.gson:gson` before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the `writeReplace()` method in internal classes, which may lead to denial of service attacks.",
  "id": "GHSA-4jrv-ppp4-jm57",
  "modified": "2022-05-20T20:31:08Z",
  "published": "2022-05-03T00:00:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25647"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/gson/pull/1991"
    },
    {
      "type": "WEB",
      "url": "https://github.com/google/gson/pull/1991/commits"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/google/gson"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20220901-0009"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5227"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Deserialization of Untrusted Data in Gson"
}

cve-2022-25647

Vulnerability from cvelistv5

Published

2022-05-01 15:30

Modified

2024-09-17 03:32

Severity

7.7 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Summary

Deserialization of Untrusted Data

References

URL	Tags
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327	x_refsource_MISC
https://github.com/google/gson/pull/1991	x_refsource_MISC
https://github.com/google/gson/pull/1991/commits	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html	mailing-list, x_refsource_MLIST
https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220901-0009/	x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html	mailing-list, x_refsource_MLIST
https://www.debian.org/security/2022/dsa-5227	vendor-advisory, x_refsource_DEBIAN

Impacted products

Vendor	Product
n/a	com.google.code.gson:gson

Show details on NVD website