CVE-2022-25647

Published: May 1, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Affected (14)

Products: Google: Gson · Debian: Debian Linux · Netapp: Active Iq Unified Manager · +1 more

Show all products

Google: Gson · Debian: Debian Linux · Netapp: Active Iq Unified Manager · Oracle: Financial Services Crime And Compliance Management Studio, Graalvm, Retail Order Broker

1 product

1 product

1 product

Active Iq Unified Manager

3 products

Financial Services Crime And Compliance Management Studio

Retail Order Broker

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Google Gson	From 2.2.3 to 2.8.9

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0
Debian Debian Linux	Version 9.0

Configuration C

3 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions

Configuration D

7 vulnerable

Vulnerable Software	Affected Versions
Oracle Financial Services Crime And Compliance Management Studio	Version 8.0.8.2.0
Oracle Financial Services Crime And Compliance Management Studio	Version 8.0.8.3.0
Oracle Graalvm	Version 20.3.6
Oracle Graalvm	Version 21.3.2
Oracle Graalvm	Version 22.1.0
Oracle Retail Order Broker	Version 18.0
Oracle Retail Order Broker	Version 19.1

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (16)

https://github.com/google/gson/pull/1991

Source: report@snyk.io

PatchThird Party Advisory

https://github.com/google/gson/pull/1991/commits

Source: report@snyk.io

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html

Source: report@snyk.io

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html

Source: report@snyk.io

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220901-0009/

Source: report@snyk.io

Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327

Source: report@snyk.io

Third Party Advisory

https://www.debian.org/security/2022/dsa-5227

Source: report@snyk.io

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: report@snyk.io

PatchThird Party Advisory

https://github.com/google/gson/pull/1991

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/google/gson/pull/1991/commits

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20220901-0009/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2022/dsa-5227

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.