PT-2022-7196 · Google+6 · Gson+9

Marcono1234 · Published 2022-05-01 · Updated 2026-05-22 · CVE-2022-25647
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions
com.google.code.gson:gson versions prior to 2.8.9
Bitbucket Data Center and Server versions 7.17.0, 7.21.0, 8.7.0, 8.8.0, 8.9.0, 8.10.0, 8.11.0, and 8.12.0
Description
Gson's internal classes, for example com.google.gson.internal.LinkedTreeMap, implement java.io.Serializable. In versions before 2.8.9 nothing prevents them from being reconstructed through Java serialization (ObjectInputStream), so an application that deserializes untrusted Java-serialized data containing these classes can be driven into a denial of service (DoS) by a remote attacker. The attack surface is Java serialization of Gson's internal objects, not Gson's own JSON parsing: code that only passes JSON text through Gson.fromJson()/toJson() is not exposed through this issue, which is also why the CVSS vector rates attack complexity as high. Gson 2.8.9 hardens the affected internal classes by adding a writeReplace() method that substitutes a plain JDK type when they are serialized, and by refusing direct Java deserialization of the internal classes.
Recommendations
For com.google.code.gson:gson versions prior to 2.8.9, update to version 2.8.9 or later. Check the resolved version of transitive dependencies as well: Gson is frequently pulled in indirectly, and it is the version on the runtime classpath that matters.
For Bitbucket Data Center and Server 7.21, upgrade to a release greater than or equal to 7.21.15.
For Bitbucket Data Center and Server 8.9, upgrade to a release greater than or equal to 8.9.4.
For Bitbucket Data Center and Server 8.10, upgrade to a release greater than or equal to 8.10.4.
For Bitbucket Data Center and Server 8.11, upgrade to a release greater than or equal to 8.11.3.
For Bitbucket Data Center and Server 8.12, upgrade to a release greater than or equal to 8.12.1.
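Added example (not Gson's own code and not part of this advisory): a JDK-only illustration of the hardening pattern the 2.8.9 fix applies to its Serializable internal classes, next to a consumer-side java.io.ObjectInputFilter (JEP 290) that an application which cannot upgrade immediately can use to reject those classes outright. The package com.example.internal and the classes UnguardedMap and GuardedMap are assumptions standing in for com.google.gson.internal and its classes; against the real library the filter pattern would read !com.google.gson.internal.**.

```java
package com.example.internal;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamException;
import java.util.LinkedHashMap;

/**
 * Added example, not Gson code. The package com.example.internal and both map
 * classes are assumptions standing in for com.google.gson.internal and its
 * Serializable internal classes.
 */
public class GsonDeserializationGuard {

    /** "Before": a Serializable library-internal type with no deserialization guard. */
    static final class UnguardedMap extends LinkedHashMap<String, Object> {
        private static final long serialVersionUID = 1L;
    }

    /** "After": the same type hardened the way the 2.8.9 fix hardens its internal classes. */
    static final class GuardedMap extends LinkedHashMap<String, Object> {
        private static final long serialVersionUID = 1L;

        // On serialization, substitute a plain JDK map so the internal class
        // never appears in the byte stream at all.
        private Object writeReplace() throws ObjectStreamException {
            return new LinkedHashMap<>(this);
        }

        // Backstop for a hand-crafted stream that names this class directly:
        // refuse to rebuild it.
        private void readObject(ObjectInputStream in) throws IOException {
            throw new InvalidObjectException("Deserialization is unsupported");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Consumer-side defense (Java 9+): reject every class from the library's
     * internal package and cap object-graph depth, which bounds the nesting a
     * crafted stream can force the reader to recurse through.
     */
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=16;!com.example.internal.**");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        UnguardedMap unguarded = new UnguardedMap();
        unguarded.put("k", "v");
        GuardedMap guarded = new GuardedMap();
        guarded.put("k", "v");

        // The hardened class never reaches the wire: the stream holds a LinkedHashMap,
        // which the filter allows.
        Object fromGuarded = deserializeFiltered(serialize(guarded));
        System.out.println("guarded   -> " + fromGuarded.getClass().getName());

        // The unguarded class is named in the stream, and the filter rejects it
        // before any of its state is read.
        try {
            deserializeFiltered(serialize(unguarded));
            System.out.println("unguarded -> accepted (filter not in effect?)");
        } catch (InvalidClassException e) {
            System.out.println("unguarded -> rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java GsonDeserializationGuard.java` (Java 11+ single-file launcher; ObjectInputFilter itself needs Java 9+). The first call yields a java.util.LinkedHashMap because the guarded class is replaced before it is written; the second throws InvalidClassException with a REJECTED filter status because the unguarded class is present in the stream. A process-wide filter can be installed the same way through the jdk.serialFilter system property, which covers ObjectInputStream instances the application does not construct itself.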

Tags: Fix · DoS · Deserialization of Untrusted Data


Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2022-2164
BDU:2023-09014
CVE-2022-25647
DLA-3001-1
DLA-3100-1
DSA-5227-1
GHSA-4JRV-PPP4-JM57
MGASA-2022-0340
OESA-2022-1663
OPENSUSE-SU-2022_2044-1
OPENSUSE-SU-2024:12040-1
RHSA-2022:5892
RHSA-2022:5893
RHSA-2022:5894
RHSA-2023:3299
RHSA-2025:4226
RHSA-2025:4437
SNYK-JAVA-COMGOOGLECODEGSON-1730327
SUSE-SU-2022:2044-1
SUSE-SU-2022:3706-1
SUSE-SU-2022_2044-1
USN-6692-1

Affected Products

Alt Linux
Astra Linux
Bitbucket
Bitbucket Server
Gson
Jira
Jira Service Management Server
Linuxmint
Suse
Ubuntu