sonatype / ossindex-public

Sonatype OSS Index - Public
Apache License 2.0

CVE-2022-25647 ossindex-service-client contains vulnerable dependency gson v2.8.5 #31

Open albuch opened 2 years ago

albuch commented 2 years ago

ossindex-public/ossindex-service-client v1.8.1 is using a version of the gson library that is vulnerable to CVE-2022-25647. The issue is fixed in gson v2.8.9+.

See https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 and https://github.com/google/gson/pull/1991 for details on the CVE. https://nvd.nist.gov/vuln/detail/CVE-2022-25647 is unfortunately only registered so far.

Vulnerable gson version is defined at https://github.com/sonatype/ossindex-public/blob/main/bom/pom.xml#L71
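A small check of the kind a consumer of this BOM could run to confirm whether a pinned gson version is still below the fixed release, as an added example that is not part of the issue or of the ossindex-public project. The pom.xml fragment below is constructed for the example (it mirrors the shape of a Maven `dependencyManagement` section with a `${gson.version}` property, not the real `bom/pom.xml`); the fixed-version threshold 2.8.9 is the one stated in the report above.

```python
"""Scan a Maven pom.xml for com.google.code.gson:gson pinned below 2.8.9 (CVE-2022-25647)."""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
FIXED_GSON = (2, 8, 9)  # first gson release containing the fix, per the issue report

# Constructed pom.xml fragment for this example; it is not the project's real bom/pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <gson.version>2.8.5</gson.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
        <version>${gson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def parse_version(text):
    """Turn '2.8.5' into (2, 8, 5); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if ch.isdigit():
                digits += ch
            else:
                break
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def resolve_property(root, value):
    """Expand a single ${name} placeholder from <properties>; literal values pass through."""
    if value.startswith("${") and value.endswith("}"):
        name = value[2:-1]
        prop = root.find(f"{{{POM_NS}}}properties/{{{POM_NS}}}{name}")
        if prop is not None and prop.text:
            return prop.text.strip()
    return value


def find_gson_versions(pom_xml):
    """Return every declared version of com.google.code.gson:gson in the POM text."""
    root = ET.fromstring(pom_xml)
    versions = []
    # iter() walks <dependencies> and <dependencyManagement> alike.
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext(f"{{{POM_NS}}}groupId", default="")
        artifact = dep.findtext(f"{{{POM_NS}}}artifactId", default="")
        version = dep.findtext(f"{{{POM_NS}}}version")
        if group == "com.google.code.gson" and artifact == "gson" and version:
            versions.append(resolve_property(root, version.strip()))
    return versions


def vulnerable_gson_versions(pom_xml):
    """Declared gson versions that are below the fixed 2.8.9 release."""
    return [v for v in find_gson_versions(pom_xml) if parse_version(v) < FIXED_GSON]


if __name__ == "__main__":
    for v in vulnerable_gson_versions(SAMPLE_POM):
        print(f"gson {v} is below 2.8.9 (CVE-2022-25647); upgrade the pin")
```

The check only looks at versions declared in the file it is given; a version that arrives transitively (as it does for consumers of ossindex-service-client) shows up in `mvn dependency:tree`, not in the consumer's own pom.xml, so run the check against the resolved tree or the BOM itself rather than only the top-level POM.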

jeremylong commented 2 years ago

This appears to be fixed in https://github.com/sonatype/ossindex-public/releases/tag/release-1.8.2 - however, this was never published to Maven Central?