Vulnerability-Lookup

BDU:2023-09014

Vulnerability from fstec - Published: 01.05.2022

Title

Уязвимость пакета com.google.code.gson:gson библиотеки Gson, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании» (DoS)

Description

Уязвимость пакета com.google.code.gson:gson библиотеки Gson связана с недостатками механизма десериализации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить атаку типа «отказ в обслуживании» (DoS)

Severity ?


                    
                      AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Vendor

Red Hat Inc., Сообщество свободного программного обеспечения, Novell Inc., Oracle Corp., NetApp Inc., АО "НППКТ", Google Inc

Software Name

Red Hat JBoss Fuse, Debian GNU/Linux, Red Hat Single Sign-On, openSUSE Tumbleweed, Oracle Retail Order Broker, Red Hat JBoss Data Grid, A-MQ Clients, Suse Linux Enterprise Server, Red Hat build of Quarkus, Red Hat Integration Camel K, Red Hat Integration Service Registry, OpenSUSE Leap, Red Hat Integration Camel Quarkus, Red Hat Data Grid, Red Hat JBoss Enterprise Application Platform Expansion Pack, SUSE Linux Enterprise High Performance Computing, SUSE Linux Enterprise Server for SAP Applications, SUSE Manager Proxy, Suse Linux Enterprise Desktop, SUSE Enterprise Storage, SUSE Manager Server, SUSE Linux Enterprise Module for Development Tools, SUSE Manager Retail Branch Server, Active IQ Unified Manager for Microsoft Windows, Active IQ Unified Manager for VMware vSphere, Red Hat OpenShift Container Platform, Red Hat Integration Change Data Capture, Red Hat AMQ Online, GraalVM Enterprise Edition, Decision Manager, Oracle Financial Services Crime and Compliance Management Studio, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Red Hat JBoss A-MQ, Red Hat JBoss Enterprise Application Platform, Management Service for Element Software and NetApp Hci, Active IQ Unified Manager for Linux, OpenShift Developer Tools and Services for OCP, Red Hat Process Automation Manager, Logging subsystem for Red Hat OpenShift, Red Hat AMQ Streams, Cryostat, Red Hat build of Eclipse Vert.x, Red Hat Integration Data Virtualisation Operator, Red Hat support for Spring Boot, SUSE Manager Server Module, Gson

Software Version

7 (Red Hat JBoss Fuse), 10 (Debian GNU/Linux), 7 (Red Hat Single Sign-On), - (openSUSE Tumbleweed), 18.0 (Oracle Retail Order Broker), 7 (Red Hat JBoss Data Grid), 2 (A-MQ Clients), 19.1 (Oracle Retail Order Broker), 15 SP 3 (Suse Linux Enterprise Server), - (Red Hat build of Quarkus), - (Red Hat Integration Camel K), - (Red Hat Integration Service Registry), 15.3 (OpenSUSE Leap), - (Red Hat Integration Camel Quarkus), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 8 (Red Hat Data Grid), - (Red Hat JBoss Enterprise Application Platform Expansion Pack), 15.4 (OpenSUSE Leap), 15 SP3 (SUSE Linux Enterprise High Performance Computing), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 15 SP3 (Suse Linux Enterprise Desktop), 7 (SUSE Enterprise Storage), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 4.1 (SUSE Manager Server), 4.1 (SUSE Manager Proxy), 15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP3 (SUSE Linux Enterprise Module for Development Tools), 4.1 (SUSE Manager Retail Branch Server), - (Active IQ Unified Manager for Microsoft Windows), - (Active IQ Unified Manager for VMware vSphere), 15 SP4 (Suse Linux Enterprise Server), 4 (Red Hat OpenShift Container Platform), - (Red Hat Integration Change Data Capture), 15 SP4 (Suse Linux Enterprise Desktop), 15 SP2-BCL (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), - (Red Hat AMQ Online), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 7.1 (SUSE Enterprise Storage), 15 SP4 (SUSE Linux Enterprise Module for Development Tools), 22.1.0 (GraalVM Enterprise Edition), 21.3.2 (GraalVM Enterprise Edition), 20.3.6 (GraalVM Enterprise Edition), 7 (Decision Manager), 8.0.8.2.0 (Oracle Financial Services Crime and Compliance Management Studio), 8.0.8.3.0 (Oracle Financial Services Crime and Compliance Management Studio), до 2.6 (ОСОН ОСнова Оnyx), 15 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP5 (Suse Linux Enterprise Server), 15 SP5 (Suse Linux Enterprise Desktop), 7 (Red Hat JBoss A-MQ), 15 SP5 (SUSE Linux Enterprise High Performance Computing), 15 SP5 (SUSE Linux Enterprise Module for Development Tools), 7 (Red Hat JBoss Enterprise Application Platform), - (Management Service for Element Software and NetApp Hci), - (Active IQ Unified Manager for Linux), 6 (Red Hat JBoss Enterprise Application Platform), 4.13 (OpenShift Developer Tools and Services for OCP), 7.4 for RHEL 9 (Red Hat JBoss Enterprise Application Platform), 2.3.0 GA (Red Hat Integration Service Registry), 7.13.0 (Red Hat Process Automation Manager), - (Logging subsystem for Red Hat OpenShift), 2.2.0 (Red Hat AMQ Streams), 2 on RHEL 8 (Cryostat), 4.2.7 (Red Hat build of Eclipse Vert.x), - (Red Hat Integration Data Virtualisation Operator), - (Red Hat support for Spring Boot), 4.1 (SUSE Manager Server Module), 4.2 (SUSE Manager Server Module), 4.3 (SUSE Manager Server Module), от 2.2.3 до 2.8.9 (Gson)

Possible Mitigations

Использование рекомендаций: Для программных продуктов Google Inc.: https://github.com/google/gson/pull/1991 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2022-25647 Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2022-25647 Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2022-25647.html Для программных продуктов NetApp Inc.: https://security.netapp.com/advisory/ntap-20220901-0009/ Для программных продуктов Oracle Corp.: https://www.oracle.com/security-alerts/cpujul2022.html Для ОСОН ОСнова Оnyx: Обновление программного обеспечения libgoogle-gson-java до версии 2.8.5-3+deb10u1

Reference

https://github.com/google/gson/pull/1991 https://security-tracker.debian.org/tracker/CVE-2022-25647 https://access.redhat.com/security/cve/CVE-2022-25647 https://www.suse.com/security/cve/CVE-2022-25647.html https://security.netapp.com/advisory/ntap-20220901-0009/ https://www.oracle.com/security-alerts/cpujul2022.html https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.6/

CWE

CWE-502

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:P/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., Oracle Corp., NetApp Inc., \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Google Inc",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7 (Red Hat JBoss Fuse), 10 (Debian GNU/Linux), 7 (Red Hat Single Sign-On), - (openSUSE Tumbleweed), 18.0 (Oracle Retail Order Broker), 7 (Red Hat JBoss Data Grid), 2 (A-MQ Clients), 19.1 (Oracle Retail Order Broker), 15 SP 3 (Suse Linux Enterprise Server), - (Red Hat build of Quarkus), - (Red Hat Integration Camel K), - (Red Hat Integration Service Registry), 15.3 (OpenSUSE Leap), - (Red Hat Integration Camel Quarkus), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 8 (Red Hat Data Grid), - (Red Hat JBoss Enterprise Application Platform Expansion Pack), 15.4 (OpenSUSE Leap), 15 SP3 (SUSE Linux Enterprise High Performance Computing), 15 SP3 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Proxy), 15 SP3 (Suse Linux Enterprise Desktop), 7 (SUSE Enterprise Storage), 15 SP2 (SUSE Linux Enterprise Server for SAP Applications), 4.1 (SUSE Manager Server), 4.1 (SUSE Manager Proxy), 15 SP2-ESPOS (SUSE Linux Enterprise High Performance Computing), 15 SP2-LTSS (SUSE Linux Enterprise High Performance Computing), 15 SP3 (SUSE Linux Enterprise Module for Development Tools), 4.1 (SUSE Manager Retail Branch Server), - (Active IQ Unified Manager for Microsoft Windows), - (Active IQ Unified Manager for VMware vSphere), 15 SP4 (Suse Linux Enterprise Server), 4 (Red Hat OpenShift Container Platform), - (Red Hat Integration Change Data Capture), 15 SP4 (Suse Linux Enterprise Desktop), 15 SP2-BCL (Suse Linux Enterprise Server), 15 SP4 (SUSE Linux Enterprise Server for SAP Applications), 4.2 (SUSE Manager Retail Branch Server), - (Red Hat AMQ Online), 15 SP2-LTSS (Suse Linux Enterprise Server), 4.3 (SUSE Manager Retail Branch Server), 4.3 (SUSE Manager Proxy), 4.3 (SUSE Manager Server), 15 SP4 (SUSE Linux Enterprise High Performance Computing), 7.1 (SUSE Enterprise Storage), 15 SP4 (SUSE Linux Enterprise Module for Development Tools), 22.1.0 (GraalVM Enterprise Edition), 21.3.2 (GraalVM Enterprise Edition), 20.3.6 (GraalVM Enterprise Edition), 7 (Decision Manager), 8.0.8.2.0 (Oracle Financial Services Crime and Compliance Management Studio), 8.0.8.3.0 (Oracle Financial Services Crime and Compliance Management Studio), \u0434\u043e 2.6 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), 15 SP5 (SUSE Linux Enterprise Server for SAP Applications), 15 SP5 (Suse Linux Enterprise Server), 15 SP5 (Suse Linux Enterprise Desktop), 7 (Red Hat JBoss A-MQ), 15 SP5 (SUSE Linux Enterprise High Performance Computing), 15 SP5 (SUSE Linux Enterprise Module for Development Tools), 7 (Red Hat JBoss Enterprise Application Platform), - (Management Service for Element Software and NetApp Hci), - (Active IQ Unified Manager for Linux), 6 (Red Hat JBoss Enterprise Application Platform), 4.13 (OpenShift Developer Tools and Services for OCP), 7.4 for RHEL 9 (Red Hat JBoss Enterprise Application Platform), 2.3.0 GA (Red Hat Integration Service Registry), 7.13.0 (Red Hat Process Automation Manager), - (Logging subsystem for Red Hat OpenShift), 2.2.0 (Red Hat AMQ Streams), 2 on RHEL 8 (Cryostat), 4.2.7 (Red Hat build of Eclipse Vert.x), - (Red Hat Integration Data Virtualisation Operator), - (Red Hat support for Spring Boot), 4.1 (SUSE Manager Server Module), 4.2 (SUSE Manager Server Module), 4.3 (SUSE Manager Server Module), \u043e\u0442 2.2.3 \u0434\u043e 2.8.9 (Gson)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Google Inc.:\nhttps://github.com/google/gson/pull/1991\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-25647\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2022-25647\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2022-25647.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 NetApp Inc.:\nhttps://security.netapp.com/advisory/ntap-20220901-0009/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/cpujul2022.html\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f libgoogle-gson-java \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.8.5-3+deb10u1",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "01.05.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "11.01.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "22.12.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-09014",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-25647",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat JBoss Fuse, Debian GNU/Linux, Red Hat Single Sign-On, openSUSE Tumbleweed, Oracle Retail Order Broker, Red Hat JBoss Data Grid, A-MQ Clients, Suse Linux Enterprise Server, Red Hat build of Quarkus, Red Hat Integration Camel K, Red Hat Integration Service Registry, OpenSUSE Leap, Red Hat Integration Camel Quarkus, Red Hat Data Grid, Red Hat JBoss Enterprise Application Platform Expansion Pack, SUSE Linux Enterprise High Performance Computing, SUSE Linux Enterprise Server for SAP Applications, SUSE Manager Proxy, Suse Linux Enterprise Desktop, SUSE Enterprise Storage, SUSE Manager Server, SUSE Linux Enterprise Module for Development Tools, SUSE Manager Retail Branch Server, Active IQ Unified Manager for Microsoft Windows, Active IQ Unified Manager for VMware vSphere, Red Hat OpenShift Container Platform, Red Hat Integration Change Data Capture, Red Hat AMQ Online, GraalVM Enterprise Edition, Decision Manager, Oracle Financial Services Crime and Compliance Management Studio, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Red Hat JBoss A-MQ, Red Hat JBoss Enterprise Application Platform, Management Service for Element Software and NetApp Hci, Active IQ Unified Manager for Linux, OpenShift Developer Tools and Services for OCP, Red Hat Process Automation Manager, Logging subsystem for Red Hat OpenShift, Red Hat AMQ Streams, Cryostat, Red Hat build of Eclipse Vert.x, Red Hat Integration Data Virtualisation Operator, Red Hat support for Spring Boot, SUSE Manager Server Module, Gson",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Novell Inc. openSUSE Tumbleweed - , Novell Inc. Suse Linux Enterprise Server 15 SP 3 , Novell Inc. OpenSUSE Leap 15.3 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , Novell Inc. OpenSUSE Leap 15.4 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3 , Novell Inc. Suse Linux Enterprise Desktop 15 SP3 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2 , Novell Inc. Suse Linux Enterprise Server 15 SP4 , Novell Inc. Suse Linux Enterprise Desktop 15 SP4 , Novell Inc. Suse Linux Enterprise Server 15 SP2-BCL , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4 , Novell Inc. Suse Linux Enterprise Server 15 SP2-LTSS , \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.6  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5 , Novell Inc. Suse Linux Enterprise Server 15 SP5 , Novell Inc. Suse Linux Enterprise Desktop 15 SP5 ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0430\u043a\u0435\u0442\u0430 com.google.code.gson:gson \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 Gson, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0430\u0442\u0430\u043a\u0443 \u0442\u0438\u043f\u0430 \u00ab\u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438\u00bb (DoS)",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u043e\u0441\u0441\u0442\u0430\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 \u043d\u0435\u0434\u043e\u0441\u0442\u043e\u0432\u0435\u0440\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-502)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0430\u043a\u0435\u0442\u0430 com.google.code.gson:gson \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 Gson \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0434\u0435\u0441\u0435\u0440\u0438\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0430\u0442\u0430\u043a\u0443 \u0442\u0438\u043f\u0430 \u00ab\u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438\u00bb (DoS)",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/google/gson/pull/1991\nhttps://security-tracker.debian.org/tracker/CVE-2022-25647\nhttps://access.redhat.com/security/cve/CVE-2022-25647\nhttps://www.suse.com/security/cve/CVE-2022-25647.html\nhttps://security.netapp.com/advisory/ntap-20220901-0009/\nhttps://www.oracle.com/security-alerts/cpujul2022.html\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.6/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-502",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,3)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,7)"
}

CVE-2022-25647 (GCVE-0-2022-25647)

Vulnerability from cvelistv5 – Published: 2022-05-01 15:30 – Updated: 2024-09-17 03:32

Title

Deserialization of Untrusted Data

Summary

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Severity ?

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

CWE

Deserialization of Untrusted Data

Assigner

snyk

References

URL

Tags

	https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-…	x_refsource_MISC
	https://github.com/google/gson/pull/1991	x_refsource_MISC
	https://github.com/google/gson/pull/1991/commits	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujul2022.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2022090…	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2022…	mailing-listx_refsource_MLIST
	https://www.debian.org/security/2022/dsa-5227	vendor-advisoryx_refsource_DEBIAN

Impacted products

	Vendor	Product	Version
	n/a	com.google.code.gson:gson	Affected: unspecified , < 2.8.9 (custom)

Date Public ?

2022-05-01 00:00

Credits

Marcono1234

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T04:42:50.328Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/google/gson/pull/1991"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/google/gson/pull/1991/commits"
          },
          {
            "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220901-0009/"
          },
          {
            "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
          },
          {
            "name": "DSA-5227",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5227"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "com.google.code.gson:gson",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "2.8.9",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Marcono1234"
        }
      ],
      "datePublic": "2022-05-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Deserialization of Untrusted Data",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-09-07T20:06:16.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/google/gson/pull/1991"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/google/gson/pull/1991/commits"
        },
        {
          "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220901-0009/"
        },
        {
          "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
        },
        {
          "name": "DSA-5227",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5227"
        }
      ],
      "title": "Deserialization of Untrusted Data",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "DATE_PUBLIC": "2022-05-01T15:25:25.581039Z",
          "ID": "CVE-2022-25647",
          "STATE": "PUBLIC",
          "TITLE": "Deserialization of Untrusted Data"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "com.google.code.gson:gson",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.8.9"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Marcono1234"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Deserialization of Untrusted Data"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327"
            },
            {
              "name": "https://github.com/google/gson/pull/1991",
              "refsource": "MISC",
              "url": "https://github.com/google/gson/pull/1991"
            },
            {
              "name": "https://github.com/google/gson/pull/1991/commits",
              "refsource": "MISC",
              "url": "https://github.com/google/gson/pull/1991/commits"
            },
            {
              "name": "[debian-lts-announce] 20220513 [SECURITY] [DLA 3001-1] libgoogle-gson-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2022.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2022.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220901-0009/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220901-0009/"
            },
            {
              "name": "[debian-lts-announce] 20220907 [SECURITY] [DLA 3100-1] libgoogle-gson-java security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html"
            },
            {
              "name": "DSA-5227",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2022/dsa-5227"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2022-25647",
    "datePublished": "2022-05-01T15:30:29.223Z",
    "dateReserved": "2022-02-24T00:00:00.000Z",
    "dateUpdated": "2024-09-17T03:32:46.390Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

BDU:2023-09014

CVE-2022-25647 (GCVE-0-2022-25647)

Tags

Sightings

Nomenclature