Vulnerabilities related to google - gson
cve-2022-25647
Vulnerability from cvelistv5
Published
2022-05-01 15:30
Modified
2024-09-17 03:32
Summary
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
References
▼ | URL | Tags |
---|---|---|
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 | x_refsource_MISC | |
https://github.com/google/gson/pull/1991 | x_refsource_MISC | |
https://github.com/google/gson/pull/1991/commits | x_refsource_MISC | |
https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html | mailing-list, x_refsource_MLIST | |
https://www.oracle.com/security-alerts/cpujul2022.html | x_refsource_MISC | |
https://security.netapp.com/advisory/ntap-20220901-0009/ | x_refsource_CONFIRM | |
https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html | mailing-list, x_refsource_MLIST | |
https://www.debian.org/security/2022/dsa-5227 | vendor-advisory, x_refsource_DEBIAN |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | n/a | com.google.code.gson:gson |
Version: unspecified < 2.8.9 |
|
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T04:42:50.328Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/google/gson/pull/1991", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/google/gson/pull/1991/commits", }, { name: "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20220901-0009/", }, { name: "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html", }, { name: "DSA-5227", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2022/dsa-5227", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "com.google.code.gson:gson", vendor: "n/a", versions: [ { lessThan: "2.8.9", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "Marcono1234", }, ], datePublic: "2022-05-01T00:00:00", descriptions: [ { lang: "en", value: "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", 
availabilityImpact: "HIGH", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { description: "Deserialization of Untrusted Data", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-09-07T20:06:16", orgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", shortName: "snyk", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/google/gson/pull/1991", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/google/gson/pull/1991/commits", }, { name: "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20220901-0009/", }, { name: "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html", }, { name: "DSA-5227", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2022/dsa-5227", }, ], title: "Deserialization of Untrusted Data", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "report@snyk.io", DATE_PUBLIC: "2022-05-01T15:25:25.581039Z", ID: "CVE-2022-25647", STATE: "PUBLIC", TITLE: "Deserialization of Untrusted Data", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "com.google.code.gson:gson", version: { version_data: [ { 
version_affected: "<", version_value: "2.8.9", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "Marcono1234", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.", }, ], }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Deserialization of Untrusted Data", }, ], }, ], }, references: { reference_data: [ { name: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", refsource: "MISC", url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", }, { name: "https://github.com/google/gson/pull/1991", refsource: "MISC", url: "https://github.com/google/gson/pull/1991", }, { name: "https://github.com/google/gson/pull/1991/commits", refsource: "MISC", url: "https://github.com/google/gson/pull/1991/commits", }, { name: "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { name: "https://security.netapp.com/advisory/ntap-20220901-0009/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20220901-0009/", }, { name: "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update", 
refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html", }, { name: "DSA-5227", refsource: "DEBIAN", url: "https://www.debian.org/security/2022/dsa-5227", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "bae035ff-b466-4ff4-94d0-fc9efd9e1730", assignerShortName: "snyk", cveId: "CVE-2022-25647", datePublished: "2022-05-01T15:30:29.223346Z", dateReserved: "2022-02-24T00:00:00", dateUpdated: "2024-09-17T03:32:46.390Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2022-05-01 16:15
Modified
2024-11-21 06:52
Severity ?
7.7 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
gson | * | ||
debian | debian_linux | 9.0 | |
debian | debian_linux | 10.0 | |
debian | debian_linux | 11.0 | |
netapp | active_iq_unified_manager | - | |
netapp | active_iq_unified_manager | - | |
netapp | active_iq_unified_manager | - | |
oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.2.0 | |
oracle | financial_services_crime_and_compliance_management_studio | 8.0.8.3.0 | |
oracle | graalvm | 20.3.6 | |
oracle | graalvm | 21.3.2 | |
oracle | graalvm | 22.1.0 | |
oracle | retail_order_broker | 18.0 | |
oracle | retail_order_broker | 19.1 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:google:gson:*:*:*:*:*:*:*:*", matchCriteriaId: "BDD6E481-96F1-4FE9-9283-775786501464", versionEndExcluding: "2.8.9", versionStartIncluding: "2.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", matchCriteriaId: "DEECE5FC-CACF-4496-A3E7-164736409252", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", matchCriteriaId: "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", vulnerable: true, }, { criteria: "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", matchCriteriaId: "FA6FEEC2-9F11-4643-8827-749718254FED", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*", matchCriteriaId: "F3E0B672-3E06-4422-B2A4-0BD073AEC2A1", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", matchCriteriaId: "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", vulnerable: true, }, { criteria: "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*", matchCriteriaId: "B55E8D50-99B4-47EC-86F9-699B67D473CE", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", matchCriteriaId: "55F091C7-0869-4FD6-AC73-DA697D990304", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", matchCriteriaId: "4D134C60-F9E2-46C2-8466-DB90AD98439E", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*", matchCriteriaId: "7D961E24-EA18-4217-B5F5-F847726D84E3", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*", matchCriteriaId: 
"601D92C4-F71F-47E2-9041-5C286D2137F6", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*", matchCriteriaId: "B18FE85D-C53D-44E9-8992-715820D1264B", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*", matchCriteriaId: "0783F0D1-8FAC-4BCA-A6F5-C5C60E86D56D", vulnerable: true, }, { criteria: "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*", matchCriteriaId: "C7BD0D41-1BED-4C4F-95C8-8987C98908DA", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.", }, { lang: "es", value: "El paquete com.google.code.gson:gson versiones anteriores a 2.8.9, son vulnerables a una Deserialización de Datos No Confiables por medio del método writeReplace() en clases internas, lo cual puede conllevar a ataques DoS", }, ], id: "CVE-2022-25647", lastModified: "2024-11-21T06:52:30.240", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 5, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:N/I:N/A:P", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.7, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", version: "3.1", }, 
exploitabilityScore: 2.2, impactScore: 5.5, source: "report@snyk.io", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-05-01T16:15:08.603", references: [ { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/google/gson/pull/1991", }, { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/google/gson/pull/1991/commits", }, { source: "report@snyk.io", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html", }, { source: "report@snyk.io", tags: [ "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html", }, { source: "report@snyk.io", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220901-0009/", }, { source: "report@snyk.io", tags: [ "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", }, { source: "report@snyk.io", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5227", }, { source: "report@snyk.io", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/google/gson/pull/1991", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/google/gson/pull/1991/commits", }, { source: 
"af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://security.netapp.com/advisory/ntap-20220901-0009/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.debian.org/security/2022/dsa-5227", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://www.oracle.com/security-alerts/cpujul2022.html", }, ], sourceIdentifier: "report@snyk.io", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }