graphql-kotlin-federation-6.0.0-SNAPSHOT: 3 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - graphql-kotlin-federation-6.0.0-SNAPSHOT

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.9.0/2adef7d20542c18530c46295b32bc26371dfd9b1/protobuf-java-3.9.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.9.0/2adef7d20542c18530c46295b32bc26371dfd9b1/protobuf-java-3.9.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.9.0/2adef7d20542c18530c46295b32bc26371dfd9b1/protobuf-java-3.9.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.9.0/2adef7d20542c18530c46295b32bc26371dfd9b1/protobuf-java-3.9.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.9.0/2adef7d20542c18530c46295b32bc26371dfd9b1/protobuf-java-3.9.0.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (graphql-kotlin-federation version)	Remediation Available
CVE-2022-3509	High	7.5	protobuf-java-3.9.0.jar	Transitive	N/A*	❌
CVE-2022-3171	High	7.5	protobuf-java-3.9.0.jar	Transitive	N/A*	❌
CVE-2021-22569	Medium	5.5	protobuf-java-3.9.0.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3509

### Vulnerable Library - protobuf-java-3.9.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /servers/graphql-kotlin-spring-server/build.gradle.kts

Dependency Hierarchy: - graphql-kotlin-federation-6.0.0-SNAPSHOT (Root Library) - federation-graphql-java-support-0.6.5.jar - :x: **protobuf-java-3.9.0.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in proto ...

Publish Date: 2022-10-14

URL: CVE-2022-3509

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2022-10-14

Fix Resolution: com.google.protobuf:protobuf-java:3.21.7

CVE-2022-3171

### Vulnerable Library - protobuf-java-3.9.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /servers/graphql-kotlin-spring-server/build.gradle.kts

Dependency Hierarchy: - graphql-kotlin-federation-6.0.0-SNAPSHOT (Root Library) - federation-graphql-java-support-0.6.5.jar - :x: **protobuf-java-3.9.0.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

CVE-2021-22569

### Vulnerable Library - protobuf-java-3.9.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /servers/graphql-kotlin-spring-server/build.gradle.kts

Dependency Hierarchy: - graphql-kotlin-federation-6.0.0-SNAPSHOT (Root Library) - federation-graphql-java-support-0.6.5.jar - :x: **protobuf-java-3.9.0.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-10

URL: CVE-2021-22569

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

joshnewton31080 / graphql-kotlin

graphql-kotlin-federation-6.0.0-SNAPSHOT: 3 vulnerabilities (highest severity is: 7.5) - autoclosed #23

Vulnerabilities

Details