CVE-2022-3171 Vulnerability #2961

gargshubham49 · 2024-06-03T06:12:40Z

We are using GCP dependencies with version 5.4.1
We got the HIGH severity vulnerability(CVE-2022-3171) in the library google-http-client-protobuf-1.44.1.jar which is included by following module:
com.google.cloud:spring-cloud-gcp-data-datastore:5.4.1

meltsufin · 2024-06-03T14:59:05Z

Can you please share your mvn dependency:tree output?
google-http-client-protobuf:1.44.1 depends on protobuf-java:1.21.12, which is not listed as vulnerable.
In any case we override protobuf-java version to 3.25.3.

burkedavison · 2024-06-03T17:14:07Z

Link showing what meltsufin@ mentions above:
https://github.com/googleapis/google-http-java-client/blob/v1.44.1/pom.xml#L601

gargshubham49 · 2024-06-04T05:23:15Z

Dependency graph shows protobuf-java version as 3.25.3

But the dependency check is showing the vulnerability for protobuf-java

meltsufin · 2024-06-04T13:22:04Z

What tool is that? I would suggest following up with them.
Closing. Please re-open if you can confirm that it's not a problem with the tool or interpretation of its output.

meltsufin added the datastore label Jun 3, 2024

meltsufin mentioned this issue Jun 3, 2024

deps: update dependency com.google.protobuf:protobuf-java to v3.25.3 googleapis/google-http-java-client#1818

Open

1 task

meltsufin added priority: p1 and removed priority: p1 labels Jun 3, 2024

meltsufin closed this as not planned Won't fix, can't repro, duplicate, stale Jun 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2022-3171 Vulnerability #2961

CVE-2022-3171 Vulnerability #2961

CVE-2022-3171 Vulnerability #2961

CVE-2022-3171 Vulnerability #2961

Comments