We've identified a security vulnerability within the Contentful Java SDK. The SDK includes a transitive dependency on com.google.code.gson:gson:2.8.5, which is vulnerable to a security issue described in CVE-2022-25647. This vulnerability is classified as "Deserialization of Untrusted Data" and has a severity score of 7.5/10.
Impact
Due to the high severity of this vulnerability, we are currently unable to use the Contentful Java SDK in our production environment. The risk associated with this vulnerability poses significant security concerns.
Suggested Solution
To address this issue, we recommend updating the gson dependency to a patched version that resolves CVE-2022-25647. This update is crucial to maintain the security and integrity of applications using the Contentful Java SDK.
Thank you for your attention to this matter.
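A check for the transitive dependency reported above, as an added example that is not part of the original issue or the SDK's code: it walks `mvn dependency:tree` output and reports which dependency path pulls in a gson release older than 2.8.9. Assumptions: a Maven build, the 2.8.9 fix threshold (taken from the CVE record, not from this page), and a constructed sample tree whose SDK coordinates and versions are placeholders.

```python
import re

# First gson release that fixes CVE-2022-25647 (assumption: from the CVE
# record; the issue itself does not name a patched version).
FIXED = (2, 8, 9)
TARGET = "com.google.code.gson:gson"

# Constructed sample of `mvn dependency:tree` output. Every coordinate and
# version except gson 2.8.5 is a placeholder, not the SDK's real one.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.example.sdk:content-sdk:jar:0.0.0:compile
[INFO] |  +- com.google.code.gson:gson:jar:2.8.5:compile
[INFO] |  \\- com.example.http:client:jar:0.0.0:compile
[INFO] \\- com.example.test:harness:jar:0.0.0:test
"""

# Each nesting level is a 3-character unit ("|  " or "   "), followed by a
# "+- " or "\- " branch marker on every node except the root.
NODE = re.compile(
    r"^\[INFO\] (?P<indent>(?:[| ]  )*)(?P<branch>[+\\]- )?(?P<coord>\S+)$"
)


def version_tuple(version):
    """Leading numeric components of a version string, e.g. '2.8.5' -> (2, 8, 5)."""
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def find_vulnerable_gson(tree_text):
    """Return (version, dependency path) for each gson node older than FIXED."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, download or summary lines
        parts = m["coord"].split(":")
        if len(parts) < 4:
            continue  # not a group:artifact:type:version[:scope] coordinate
        depth = len(m["indent"]) // 3 + (1 if m["branch"] else 0)
        # Root is g:a:type:version; dependencies end with :scope.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes from the path
        stack.append(f"{parts[0]}:{parts[1]}")
        if stack[-1] == TARGET and version_tuple(version) < FIXED:
            findings.append((version, " -> ".join(stack)))
    return findings


if __name__ == "__main__":
    for version, path in find_vulnerable_gson(SAMPLE_TREE):
        print(f"gson {version} (< 2.8.9) via {path}")
```

Re-running the check after pinning gson in the consuming project's dependency management confirms whether the override actually took effect for every path.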