CVE-2022-25647 — HIGH (7.7)

Q: What is CVE-2022-25647?

CVE-2022-25647 is a vulnerability with a CVSS score of 7.7 (HIGH). The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Q: How severe is CVE-2022-25647?

CVE-2022-25647 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-25647?

Check the references section above for vendor advisories and patch information. Affected products include: Google Gson, Debian Debian Linux, Netapp Active Iq Unified Manager, Oracle Financial Services Crime And Compliance Management Studio, Oracle Graalvm.

Vulnerability Description

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Google	Gson	>= 2.2.3, < 2.8.9
Debian	Debian Linux	9.0
Netapp	Active Iq Unified Manager	-
Oracle	Financial Services Crime And Compliance Management Studio	8.0.8.2.0
Oracle	Graalvm	20.3.6
Oracle	Retail Order Broker	18.0

Related Weaknesses (CWE)

CWE-502

References

https://github.com/google/gson/pull/1991PatchThird Party Advisory
https://github.com/google/gson/pull/1991/commitsPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00015.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00009.htmlThird Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0009/Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327Third Party Advisory
https://www.debian.org/security/2022/dsa-5227Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://github.com/google/gson/pull/1991PatchThird Party Advisory
https://github.com/google/gson/pull/1991/commitsPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00015.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2022/09/msg00009.htmlThird Party Advisory
https://security.netapp.com/advisory/ntap-20220901-0009/Third Party Advisory
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327Third Party Advisory
https://www.debian.org/security/2022/dsa-5227Third Party Advisory

FAQ

What is CVE-2022-25647?

CVE-2022-25647 is a vulnerability with a CVSS score of 7.7 (HIGH). The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

How severe is CVE-2022-25647?

CVE-2022-25647 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-25647?

Check the references section above for vendor advisories and patch information. Affected products include: Google Gson, Debian Debian Linux, Netapp Active Iq Unified Manager, Oracle Financial Services Crime And Compliance Management Studio, Oracle Graalvm.