Description
What version of protobuf and what language are you using?
Version: 4.30.0 & 4.30.1
Language: Java
What operating system (Linux, Windows, ...) and version?
N/A
What runtime / compiler are you using (e.g., python version or gcc version)
N/A
What did you do?
Added protobuf-java 4.30.1 as a dependency using Maven:
```xml
<dependency>
    <groupId>com.google.protobuf</groupId>
    <artifactId>protobuf-java</artifactId>
    <version>4.30.1</version>
</dependency>
```
What did you expect to see
protobuf-java-util should not depend on a vulnerable version of gson. It should use gson 2.8.9.
What did you see instead?
```
mvn dependency:tree -Dincludes=com.google.protobuf,com.google.code.gson:gson
[INFO] +- com.google.protobuf:protobuf-java:jar:4.30.1:compile
[INFO] \- com.google.protobuf:protobuf-java-util:jar:4.30.1:compile
[INFO]    \- com.google.code.gson:gson:jar:2.8.7:runtime
```
Here we can see that 4.30.1 depends on com.google.code.gson:gson:jar:2.8.7.
gson 2.8.7 is more than 2 years old and has a known vulnerability, CVE-2022-25647. See https://mvnrepository.com/artifact/com.google.code.gson/gson/2.8.7.
Trivy confirms the issue:
```
Java (jar)
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│ Library                                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
├────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ com.google.code.gson:gson (gson-2.8.7.jar) │ CVE-2022-25647 │ HIGH     │ fixed  │ 2.8.7             │ 2.8.9         │ com.google.code.gson-gson: Deserialization of Untrusted Data │
│                                            │                │          │        │                   │               │ in com.google.code.gson-gson                                 │
│                                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25647                   │
└────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
```
I checked protobuf-java-util's pom file. It confirmed that the vulnerable gson version comes from the protobuf release and not some override coming from my Maven project.
Anything else we should know about your project / environment
4.29.x was using gson 2.8.9 which has no known CVE. The regression occurred between 4.29.3 and 4.30.0.
I tried to spot the change using `git diff v29.3..v30.0`. I saw a couple of changes in MODULE.bazel related to Maven / gson, but I'm not familiar enough with Bazel to understand what is going on.
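As an added example (not the reporter's configuration and not part of the protobuf project), this is the mitigation a consuming project can apply until a protobuf release carries the fix: a `dependencyManagement` entry in the consumer's own `pom.xml` forces the transitive `com.google.code.gson:gson` to 2.8.9, the version the report names as fixed, and a `maven-enforcer-plugin` `bannedDependencies` rule fails the build if any dependency path pulls a gson below 2.8.9 back in. The gson, protobuf and version values are taken from the report; the project coordinates and the enforcer plugin version are assumptions.

```xml
<!-- Added example, not the issue reporter's pom. Project coordinates are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <groupId>example.placeholder</groupId>
    <artifactId>protobuf-consumer</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <!-- Versions declared here win over the transitive 2.8.7 that
         protobuf-java-util 4.30.1 brings in, without touching the
         protobuf dependency itself. -->
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.google.code.gson</groupId>
                <artifactId>gson</artifactId>
                <version>2.8.9</version> <!-- fixed version for CVE-2022-25647, per the report -->
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protobuf-java</artifactId>
            <version>4.30.1</version>
        </dependency>
        <dependency>
            <groupId>com.google.protobuf</groupId>
            <artifactId>protobuf-java-util</artifactId>
            <version>4.30.1</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <!-- Guard rail: fail the build if any path resolves gson older than 2.8.9,
                 so a future dependency change cannot silently reintroduce 2.8.7. -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>3.4.1</version> <!-- assumed; use the current release -->
                <executions>
                    <execution>
                        <id>ban-vulnerable-gson</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <configuration>
                            <rules>
                                <bannedDependencies>
                                    <excludes>
                                        <!-- version range: anything below 2.8.9 -->
                                        <exclude>com.google.code.gson:gson:[,2.8.9)</exclude>
                                    </excludes>
                                    <searchTransitive>true</searchTransitive>
                                </bannedDependencies>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
```

After applying this, the same `mvn dependency:tree -Dincludes=com.google.code.gson:gson` from the report should show gson resolving to 2.8.9 under protobuf-java-util, and the enforcer execution runs in the `validate` phase of every build, so the check is not dependent on someone remembering to run a scanner.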