genesiscastillo changed the title from "Bug google-http-client-gson-1.42.0.jar MEDIUM Vulnerability" to "Bug google-http-client-gson-1.42.0.jar HEIGH Vulnerability" on Jun 16, 2022
The complaint in the link is that Gson versions before 2.8.9 are vulnerable. Head is currently importing 2.9.0 (#1582), and the first fixed version was imported in #1492, and is available in v1.42.0.
That CPE is weird. There is no version of https://github.com/google/gson that is v1.42.0. And that CPE isn't pointing at google-http-client-gson which does have a v1.42.0, but that version doesn't have the issue specified, because it requires a later version of Gson.
I guess NIST assumes since all Gson versions <2.8.9 are vulnerable, a mythical Gson version 1.42.0 would also be vulnerable. That said, the CPE tag does not apply to this repo, and this repo pins a non-vulnerable version of Gson since v1.42.0.
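A triage check for the mismatch described in the comment above, as an added example that is not part of the original thread or of the project's code. It parses the CPE from the scanner link, detects that the CPE's version was taken from a jar with a different artifact name, and then compares the Gson version the build actually resolves against the fix version 2.8.9. The function names and the resolved version `2.8.9` passed in at the end are assumptions for illustration.

```python
import re

# Values quoted in this thread; the CPE is decoded from the scanner link's query.
FINDING = {"artifact": "google-http-client-gson-1.42.0.jar",
           "cpe": "cpe:/:google:gson:1.42.0"}
FIXED_IN = "2.8.9"  # per the thread, Gson versions before 2.8.9 are affected

def parse_cpe22(cpe):
    """Split a CPE 2.2 URI into part, vendor, product and version."""
    if not cpe.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {cpe}")
    fields = cpe[len("cpe:/"):].split(":") + [""] * 4
    return dict(zip(("part", "vendor", "product", "version"), fields))

def split_jar(filename):
    """Split 'name-1.2.3.jar' into (artifact_id, version)."""
    m = re.fullmatch(r"(.+?)-(\d+(?:\.\d+)*)\.jar", filename)
    if not m:
        raise ValueError(f"unrecognised jar name: {filename}")
    return m.group(1), m.group(2)

def vtuple(version):
    """Numeric release tuple, so 1.42.0 sorts below 2.8.9 (qualifiers unsupported)."""
    return tuple(int(p) for p in version.split("."))

def triage(finding, resolved, fixed_in=FIXED_IN):
    """Classify a finding. `resolved` maps product -> version on the classpath."""
    cpe = parse_cpe22(finding["cpe"])
    artifact_id, artifact_ver = split_jar(finding["artifact"])
    if vtuple(cpe["version"]) >= vtuple(fixed_in):
        return "not-affected", "CPE version is at or above the fix"
    borrowed = cpe["product"] != artifact_id and cpe["version"] == artifact_ver
    if not borrowed:
        return "affected", "CPE product and version match the scanned jar"
    # The scanner put the wrapper jar's version on another product's CPE,
    # so judge the product by the version the build really resolves.
    real = resolved.get(cpe["product"])
    if real is None:
        return "needs-review", f"no resolved version for {cpe['product']}"
    if vtuple(real) >= vtuple(fixed_in):
        return "false-positive", f"{cpe['product']} {real} >= {fixed_in}"
    return "affected", f"{cpe['product']} {real} < {fixed_in}"

if __name__ == "__main__":
    # Assumed classpath: Gson 2.8.9, the first fixed version named in the thread.
    print(triage(FINDING, {"gson": "2.8.9"}))
```

The resolved Gson version would normally come from the build's dependency report rather than being typed in by hand.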
scanner
https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Agoogle&cpe_product=cpe%3A%2F%3Agoogle%3Agson&cpe_version=cpe%3A%2F%3Agoogle%3Agson%3A1.42.0
Regards,
Cesar