samples-java icon indicating copy to clipboard operation
samples-java copied to clipboard

Published 20 hours ago verified publisher icon temporalio

error_prone_core-2.16.jar: 1 vulnerabilities (highest severity is: 7.5)

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

Vulnerable Library - error_prone_core-2.16.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (error_prone_core version) Remediation Available
CVE-2022-3171 High 7.5 protobuf-java-3.19.2.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-3171

Vulnerable Library - protobuf-java-3.19.2.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.19.2/e958ce38f96b612d3819ff1c753d4d70609aea74/protobuf-java-3.19.2.jar

Dependency Hierarchy:

  • error_prone_core-2.16.jar (Root Library)
    • :x: protobuf-java-3.19.2.jar (Vulnerable Library)

Found in HEAD commit: a098522a3d94dca5cfac985284941f2c5b8d28ca

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

mend-for-github-com[bot] avatar Oct 25 '22 23:10 mend-for-github-com[bot]