Vulnerable Library - mysql-connector-java-8.0.30.jar
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (mysql-connector-java version) |
Remediation Possible** |
Reachability |
| CVE-2022-3510 |
 High |
7.5 |
protobuf-java-3.19.4.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2022-3509 |
High |
7.5 |
protobuf-java-3.19.4.jar |
Transitive |
N/A* |
❌ |
|
| CVE-2022-3171 |
 Medium |
4.3 |
protobuf-java-3.19.4.jar |
Transitive |
N/A* |
❌ |
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-3510
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
- mysql-connector-java-8.0.30.jar (Root Library)
- ❌ protobuf-java-3.19.4.jar (Vulnerable Library)
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-11
URL: CVE-2022-3510
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-4gg5-vx3j-xwc7
Release Date: 2022-12-12
Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3
CVE-2022-3509
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
- mysql-connector-java-8.0.30.jar (Root Library)
- ❌ protobuf-java-3.19.4.jar (Vulnerable Library)
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-01
URL: CVE-2022-3509
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-12-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7
CVE-2022-3171
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
- mysql-connector-java-8.0.30.jar (Root Library)
- ❌ protobuf-java-3.19.4.jar (Vulnerable Library)
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Found in base branch: master
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-11
URL: CVE-2022-3510
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-4gg5-vx3j-xwc7
Release Date: 2022-12-12
Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-01
URL: CVE-2022-3509
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-12-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
Found in HEAD commit: a24c7043a1d471542057baf779a4b949a20ff174
Found in base branch: master
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7