gson-2.8.2.jar: 1 vulnerabilities (highest severity is: 8.4) [vp-rem] (reachable)

[mend-developer-platform-dev]

📂 Vulnerable Library - gson-2.8.2.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.2/gson-2.8.2.jar

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-2022-25647	🔴 High	8.4	Not Defined	2.1%	gson-2.8.2.jar	Direct	com.google.code.gson:gson:2.8.9	✅	Reachable

Details

🔴CVE-2022-25647

Vulnerable Library - gson-2.8.2.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.2/gson-2.8.2.jar

Dependency Hierarchy:

• ❌ gson-2.8.2.jar (Vulnerable Library)

---

Reachability Analysis

This vulnerability is potentially reachable:

- com.visualpathit.account.controller.ElasticSearchController (Application)
    - com.google.gson.Gson (Extension)
        - com.google.gson.internal.bind.ObjectTypeAdapter (Extension)
            -> ❌ com.google.gson.internal.LinkedTreeMap (Vulnerable Component)

---

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: May 01, 2022 03:30 PM

URL: CVE-2022-25647

Threat Assessment

Exploit Maturity:Not Defined

EPSS:2.1%

Score: 8.4

---

Suggested Fix

Type: Upgrade version

Origin: GHSA-4jrv-ppp4-jm57

Release Date: May 01, 2022 03:30 PM

Fix Resolution : com.google.code.gson:gson:2.8.9