CVE-2022-25647 vulnerable gson v2.8.5 in dependency-check-core #4318

Closed
albuch opened this issue Apr 6, 2022 · 2 comments
@albuch
Contributor

albuch commented Apr 6, 2022

gson library included in dependency-check-core@7.0.4 is vulnerable to CVE-2022-25647, see https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 and google/gson#1991

  • Introduced through: org.owasp:dependency-check-core@7.0.4 › com.moandjiezana.toml:toml4j@0.7.2 › com.google.code.gson:gson@2.8.5
  • Introduced through: org.owasp:dependency-check-core@7.0.4 › org.sonatype.ossindex:ossindex-service-client@1.8.1 › com.google.code.gson:gson@2.8.5

Patched in gson v2.8.9+

Unfortunately toml4j seems to be not maintained anymore. I've already filed an upstream issue for ossindex-service-client at sonatype/ossindex-public#31
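
The two paths above both pull gson in transitively, so a consumer cannot fix this by touching toml4j or ossindex-service-client directly. The fragment below is an added example (not the project's pom and not what #4710 changed) showing how a Maven project that depends on dependency-check-core@7.0.4 can force the resolved gson to the patched line; the coordinates and versions are those quoted in this issue, and the `example.org:scanner-app` coordinates are a hypothetical consumer.

```xml
<!-- Added example, not the dependency-check pom: a hypothetical consumer
     (example.org:scanner-app) pinning the transitive gson to a patched version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.org</groupId>
  <artifactId>scanner-app</artifactId>
  <version>1.0.0</version>

  <!-- Managed versions override whatever version a transitive path asks for.
       Here gson@2.8.5 arrives via toml4j@0.7.2 and ossindex-service-client@1.8.1;
       the managed entry makes Maven resolve 2.8.9 for both paths. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.google.code.gson</groupId>
        <artifactId>gson</artifactId>
        <version>2.8.9</version> <!-- first version the issue lists as patched -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-core</artifactId>
      <version>7.0.4</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.google.code.gson` should show a single `gson:2.8.9` node under each of the two paths; if 2.8.5 still appears, another module in the build (a parent pom or an imported BOM) is managing the version and needs the same pin. Note that `dependencyManagement` only governs the project that declares it: a library such as dependency-check-core that wants its own consumers to get the fix has to declare gson 2.8.9 as a direct dependency, because Maven's nearest-wins resolution then puts that declaration closer to the consumer than the copies reached through toml4j and ossindex-service-client.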

@aikebah
Collaborator

aikebah commented Apr 6, 2022

As there are already other jackson dependencies I think jackson-dataformats-text (listed on the toml wiki as a 1.0.0 compliant implementation) might be a candidate for replacing toml4j.

@jeremylong
Owner

gson has been upgraded with #4710.

@jeremylong jeremylong added this to the 7.1.2 milestone Jul 28, 2022
3 participants