Bug 1199064 - (CVE-2022-25647) VUL-0: CVE-2022-25647: google-gson: Deserialization of Untrusted Data
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Fridrich Strba
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/330419/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-25647:7.5:(AV:...
Depends on:
Blocks:
Reported: 2022-05-02 07:30 UTC by Hu
Modified: 2022-10-24 16:23 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Flags: thomas.leroy: needinfo? (fstrba)


Description Hu 2022-05-02 07:30:47 UTC
CVE-2022-25647

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25647
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
https://github.com/google/gson/pull/1991
https://github.com/google/gson/pull/1991/commits
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
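The writeReplace()/readObject() hardening pattern the description refers to, shown side by side with the unhardened form on a hypothetical internal collection class. This is an added example, not Gson's own code from PR 1991; the class names, the JEP 290 filter string and its limits are assumptions chosen for illustration.

```java
import java.io.*;
import java.util.LinkedHashMap;

// Hypothetical internal class (NOT Gson's). Plain Serializable: an ObjectInputStream
// fed untrusted bytes rebuilds this library-internal structure with no validation,
// which is the kind of exposure the CVE describes.
final class InternalMapBefore<K, V> extends LinkedHashMap<K, V> implements Serializable {
    private static final long serialVersionUID = 1L;
}

// Hardened form: the library-internal type never appears in a serialized stream.
final class InternalMapAfter<K, V> extends LinkedHashMap<K, V> {
    private static final long serialVersionUID = 1L;

    // Serialization emits a plain JDK LinkedHashMap instead of this class, so the
    // receiving side only ever reconstructs a well-known standard type.
    private Object writeReplace() throws ObjectStreamException {
        return new LinkedHashMap<>(this);
    }

    // Defence in depth: a stream that names this class anyway is rejected outright.
    private void readObject(ObjectInputStream in) throws IOException {
        throw new InvalidObjectException("Deserialization is unsupported");
    }
}

public class WriteReplaceDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Consumer-side check: a JEP 290 filter that rejects the library's internal package
    // and caps nesting depth and array sizes (limits here are assumed example values).
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "!com.google.gson.internal.**;maxdepth=20;maxarray=10000"));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        InternalMapAfter<String, Integer> m = new InternalMapAfter<>();
        m.put("a", 1);
        Object back = deserialize(serialize(m));
        System.out.println(back.getClass().getName() + " " + back);
    }
}
```

Running the demo shows the round trip yields a java.util.LinkedHashMap rather than the internal class; the filter string additionally rejects any stream that tries to name a class under the library's internal package.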
Comment 1 Hu 2022-05-02 07:31:16 UTC
Affected:
 - SUSE:SLE-15-SP2:Update/google-gson                             2.8.5
 - SUSE:SLE-15-SP2:Update:Products:Manager41:Update/google-gson   2.8.5

Not Affected:
 - openSUSE:Factory/google-gson                                   2.8.9
Comment 6 Swamp Workflow Management 2022-06-10 16:16:29 UTC
SUSE-SU-2022:2044-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (important)
Bug References: 1199064
CVE References: CVE-2022-25647
JIRA References: SLE-24261
Sources used:
openSUSE Leap 15.4 (src):    google-gson-2.8.9-150200.3.6.3
openSUSE Leap 15.3 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Manager Server 4.1 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Manager Retail Branch Server 4.1 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Manager Proxy 4.1 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Server 15-SP2-BCL (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    google-gson-2.8.9-150200.3.6.3
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    google-gson-2.8.9-150200.3.6.3
SUSE Enterprise Storage 7 (src):    google-gson-2.8.9-150200.3.6.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Thomas Leroy 2022-08-11 08:58:03 UTC
Hi Fridrich, could you also please submit to SUSE:SLE-15-SP2:Update:Products:Manager41:Update? :)
Comment 10 Swamp Workflow Management 2022-10-24 16:23:14 UTC
SUSE-SU-2022:3706-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (moderate)
Bug References: 1199064
CVE References: CVE-2022-25647
JIRA References: SLE-24261
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    google-gson-2.8.9-150200.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.