GoogleCloudPlatform / spring-cloud-gcp

New home for Spring Cloud GCP development starting with version 2.0.
Apache License 2.0

CVE-2022-3171 Vulnerability #2961

Closed gargshubham49 closed 1 month ago

gargshubham49 commented 1 month ago

We are using GCP dependencies with version 5.4.1. We got the HIGH severity vulnerability (CVE-2022-3171) in the library google-http-client-protobuf-1.44.1.jar, which is included by the following module: com.google.cloud:spring-cloud-gcp-data-datastore:5.4.1

meltsufin commented 1 month ago

Can you please share your mvn dependency:tree output? google-http-client-protobuf:1.44.1 depends on protobuf-java:1.21.12, which is not listed as vulnerable. In any case we override protobuf-java version to 3.25.3.
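
As an added example (not code from this issue, nor from the spring-cloud-gcp project), the following POSIX shell script pulls the resolved protobuf-java version(s) out of `mvn dependency:tree` output and compares them against the 3.25.3 override mentioned above. The dependency-tree text embedded in it is constructed for the example; on a real project you would feed it the output of `mvn dependency:tree -Dincludes=com.google.protobuf:protobuf-java`.

```shell
#!/bin/sh
# Added example: verify which protobuf-java version Maven actually resolves,
# using the text `mvn dependency:tree` prints. Not part of spring-cloud-gcp.
#
# Real-project usage:
#   mvn -q dependency:tree -Dincludes=com.google.protobuf:protobuf-java > tree.txt
#   . ./this_script.sh && check_protobuf_versions tree.txt 3.25.3

# Print each distinct resolved protobuf-java version in a dependency:tree dump.
# Tree lines look like:
#   [INFO] |  \- com.google.protobuf:protobuf-java:jar:3.25.3:compile
resolved_protobuf_versions() {
    grep -o 'com\.google\.protobuf:protobuf-java:jar:[^:]*' "$1" \
        | awk -F: '{print $4}' | sort -u
}

# Return 0 when every resolved protobuf-java version equals the expected one,
# 1 otherwise, listing each unexpected version on stdout.
check_protobuf_versions() {
    file=$1
    expected=$2
    status=0
    for v in $(resolved_protobuf_versions "$file"); do
        if [ "$v" != "$expected" ]; then
            echo "unexpected protobuf-java version: $v (expected $expected)"
            status=1
        fi
    done
    return $status
}

# Constructed sample tree (not real output from the issue reporter's build):
# the managed override wins, so only 3.25.3 is resolved.
SAMPLE_TREE=$(mktemp)
SAMPLE_TREE_MIXED=$(mktemp)
trap 'rm -f "$SAMPLE_TREE" "$SAMPLE_TREE_MIXED"' EXIT
cat > "$SAMPLE_TREE" <<'EOF'
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- com.google.cloud:spring-cloud-gcp-data-datastore:jar:5.4.1:compile
[INFO] |  +- com.google.http-client:google-http-client-protobuf:jar:1.44.1:compile
[INFO] |  |  \- com.google.protobuf:protobuf-java:jar:3.25.3:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:3.2.5:compile
EOF

# Second constructed sample, as a multi-module reactor build might print it:
# one module resolves 3.25.3, another (hypothetical com.example:legacy-lib)
# still resolves an older 3.21.12, which the check must flag.
cat > "$SAMPLE_TREE_MIXED" <<'EOF'
[INFO] com.example:demo-core:jar:0.0.1-SNAPSHOT
[INFO] \- com.google.protobuf:protobuf-java:jar:3.25.3:compile
[INFO] com.example:legacy-lib:jar:0.0.1-SNAPSHOT
[INFO] \- com.google.protobuf:protobuf-java:jar:3.21.12:compile
EOF

echo "resolved protobuf-java versions in constructed sample:"
resolved_protobuf_versions "$SAMPLE_TREE"
```

The point of running this on a real tree is to separate what Maven resolves from what a scanner reports: if the tree shows only 3.25.3 but the scanner still flags protobuf-java, the scanner is matching on something other than the resolved coordinates (for example the google-http-client-protobuf jar name), which is a question for the scanner vendor rather than for this project.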

burkedavison commented 1 month ago

Link showing what meltsufin@ mentions above: https://github.com/googleapis/google-http-java-client/blob/v1.44.1/pom.xml#L601

gargshubham49 commented 1 month ago

Dependency graph shows protobuf-java version as 3.25.3

[screenshot: dependency graph]

But the dependency check is showing the vulnerability for protobuf-java

[screenshot: dependency check report]

meltsufin commented 1 month ago

What tool is that? I would suggest following up with them. Closing. Please re-open if you can confirm that it's not a problem with the tool or interpretation of its output.