CVE-2022-25647Deserialization of Untrusted Data in Google Gson

CWE-502Deserialization of Untrusted Data16 documents9 sources
Severity
7.5HIGHNVD
CNA7.7
EPSS
2.8%
top 13.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
Google GsonDebian LinuxOracle Financial Services Crime AND Compliance Management Studio+2 more
Timeline
PublishedMay 1
Latest updateMar 12

Description

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

NVDgoogle/gson2.2.32.8.9
NVDoracle/graalvm20.3.6, 21.3.2, 22.1.0+2
NVDoracle/retail_order_broker18.0, 19.1+1

Also affects: Debian Linux 10.0, 11.0, 9.0

Patches

Patch: github.comPatch: github.comPatch: www.oracle.com

🔴Vulnerability Details

4
GHSA
Deserialization of Untrusted Data in Gson2022-05-03
OSV
Deserialization of Untrusted Data in Gson2022-05-03
OSV
CVE-2022-25647: The package com2022-05-01
CVEList
Deserialization of Untrusted Data2022-05-01

📋Vendor Advisories

11
Ubuntu
Gson vulnerability2024-03-12
Oracle
Oracle Oracle Analytics Risk Matrix: Installation (Google Gson) — CVE-2022-256472024-01-15
Oracle
Oracle Oracle Enterprise Manager Risk Matrix: Load Testing for Web Apps (Google Gson) — CVE-2022-256472023-10-15
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: General (Google Gson) — CVE-2022-256472023-07-15
Oracle
Oracle Oracle Blockchain Platform Risk Matrix: BCS Console (Google Gson) — CVE-2022-256472023-04-15
CVE-2022-25647 — Deserialization of Untrusted Data | cvebase