Description
WS-2021-0419 - High Severity Vulnerability
Vulnerable Libraries - gson-2.8.2.jar, gson-2.7.jar, gson-2.8.0.jar, gson-2.3.1.jar, gson-2.8.6.jar, gson-2.8.5.jar
gson-2.8.2.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /dd-java-agent/appsec/weblog/weblog-spring-app/weblog-spring-app.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.2/3edcfe49d2c6053a70a2a47e4e1c2f94998a49cf/gson-2.8.2.jar
Dependency Hierarchy:
- grails-web-common-3.2.10.jar (Root Library)
  - ❌ gson-2.8.2.jar (Vulnerable Library)
gson-2.7.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.7/751f548c85fa49f330cecbb1875893f971b33c4e/gson-2.7.jar
Dependency Hierarchy:
- grpc-protobuf-1.5.0.jar (Root Library)
  - protobuf-java-util-3.3.1.jar
    - ❌ gson-2.7.jar (Vulnerable Library)
gson-2.8.0.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /dd-java-agent/benchmark-integration/play-perftest/play-perftest.gradle
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.0/gson-2.8.0.jar, /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.0/c4ba5371a29ac9b2ad6129b1d39ea38750043eff/gson-2.8.0.jar
Dependency Hierarchy:
- play-test_2.11-2.6.0.jar (Root Library)
  - selenium-support-3.4.0.jar
    - ❌ gson-2.8.0.jar (Vulnerable Library)
gson-2.3.1.jar
Google Gson library
Library home page: http://code.google.com/p/google-gson/
Path to dependency file: /dd-smoke-tests/play-2.5/play-2.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.3.1/ecb6e1f8e4b0e84c4b886c2f14a1500caf309757/gson-2.3.1.jar
Dependency Hierarchy:
- play-test_2.11-2.5.19.jar (Root Library)
  - fluentlenium-core-0.10.9.jar
    - selenium-java-2.48.2.jar
      - selenium-ie-driver-2.48.2.jar
        - selenium-remote-driver-2.48.2.jar
          - ❌ gson-2.3.1.jar (Vulnerable Library)
gson-2.8.6.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar
Dependency Hierarchy:
- grpc-netty-1.41.0.jar (Root Library)
  - grpc-core-1.41.0.jar
    - ❌ gson-2.8.6.jar (Vulnerable Library)
gson-2.8.5.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /dd-java-agent/instrumentation/mule-4/mule-4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar
Dependency Hierarchy:
- mule-module-extensions-spring-support-4.2.2.jar (Root Library)
  - mule-module-extensions-support-4.2.2.jar
    - mule-extensions-api-persistence-1.2.2.jar
      - mule-metadata-model-persistence-1.2.2.jar
        - ❌ gson-2.8.5.jar (Vulnerable Library)
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
Vulnerability Details
A denial-of-service vulnerability was discovered in Gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolutions:
- org.grails:grails-web-common: 3.2.11
- io.grpc:grpc-protobuf: 1.21.0
- com.typesafe.play:play-test_2.11: 2.7.0
- io.grpc:grpc-netty: 1.43.1
⛑️ Automatic Remediation is available for this issue