Open mend-bolt-for-github[bot] opened 3 months ago
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service
It is often convenient to serialize objects for communication or to save them for later use. However, serialized data or code can be modified. This malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code when deserialized. This is usually done with "gadget chains
Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.
Vulnerable Library - gson-2.6.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2021-0419
### Vulnerable Library - gson-2.6.2.jarGson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy: - :x: **gson-2.6.2.jar** (Vulnerable Library)
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
### Vulnerability DetailsDenial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
### CVSS 3 Score Details (7.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2021-10-11
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)CVE-2022-25647
### Vulnerable Library - gson-2.6.2.jarGson JSON library
Library home page: https://github.com/google/gson
Path to vulnerable library: /test/libs/gson-2.6.2.jar
Dependency Hierarchy: - :x: **gson-2.6.2.jar** (Vulnerable Library)
Found in HEAD commit: dea4109bc4ac92c1955fc288f7b3f61d009c8817
Found in base branch: main
### Vulnerability DetailsThe package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: 2.8.9
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)