Description
Our client (Ernst & Young) is using MINIO on one of its projects. Snyk, our code scanning tool, reports the following A9 (known vulnerability) in your code:
Deserialization of Untrusted Data
Vulnerable module: com.google.guava:guava
Introduced through: io.minio:[email protected]
Detailed paths
Introduced through: com.ey:[email protected] › io.minio:[email protected] › com.google.guava:[email protected]
Overview
com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset), immutable collections, a graph library, functional types, an in-memory cache and more.
Affected versions of this package are vulnerable to Deserialization of Untrusted Data.
During deserialization, two Guava classes accept a caller-specified size parameter and eagerly allocate an array of that size:
AtomicDoubleArray (when serialized with Java serialization)
CompoundOrdering (when serialized with GWT serialization)
An attacker may be able to send a specially crafted request which will then cause the server to allocate all its memory, without validating whether the data size is reasonable.
More information can be found here: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
The version of Guava that you are using is VERY old and should be upgraded to fix this issue and others that I see have been reported.
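To make the reported pattern concrete, the following is an added illustration and is not MinIO, Guava or Snyk code: a hypothetical `Serializable` class whose stream carries a caller-chosen element count that `readObject` turns directly into an array allocation, next to a hardened variant that bounds the declared count before allocating. The class names, the `MAX_ELEMENTS` limit and the sample values are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

/** Added example (not MinIO/Guava code) of a size-controlled allocation during Java deserialization. */
public class SizedArrayDeserialization {

    /** Hypothetical unsafe shape: the stream declares a length and readObject trusts it. */
    static class TrustingArray implements Serializable {
        private static final long serialVersionUID = 1L;
        int declaredLength;            // serialized as a normal field, so fully caller-controlled on the wire
        transient long[] values;

        TrustingArray(long[] values) { this.values = values; this.declaredLength = values.length; }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();                  // writes declaredLength
            for (long v : values) out.writeLong(v);    // then the elements actually present
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            values = new long[declaredLength];         // eager allocation sized by untrusted input
            for (int i = 0; i < declaredLength; i++) values[i] = in.readLong();
        }
    }

    /** Hardened variant: reject a declared length outside the policy limit before allocating anything. */
    static class BoundedArray implements Serializable {
        private static final long serialVersionUID = 1L;
        static final int MAX_ELEMENTS = 1 << 16;       // assumed application policy limit
        int declaredLength;
        transient long[] values;

        BoundedArray(long[] values) { this(values, values.length); }

        /** Used only to build a test stream whose header disagrees with its payload. */
        BoundedArray(long[] values, int declaredLength) {
            this.values = values;
            this.declaredLength = declaredLength;
        }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            for (long v : values) out.writeLong(v);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (declaredLength < 0 || declaredLength > MAX_ELEMENTS) {
                throw new InvalidObjectException(
                        "declared length " + declaredLength + " exceeds limit " + MAX_ELEMENTS);
            }
            values = new long[declaredLength];         // now bounded by MAX_ELEMENTS
            for (int i = 0; i < declaredLength; i++) values[i] = in.readLong();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        long[] sample = {1L, 2L, 3L};                   // constructed sample data
        BoundedArray ok = (BoundedArray) deserialize(serialize(new BoundedArray(sample)));
        System.out.println("round trip: " + Arrays.toString(ok.values));

        // Constructed test stream: header claims Integer.MAX_VALUE elements, payload carries none.
        byte[] oversized = serialize(new BoundedArray(new long[0], Integer.MAX_VALUE));
        try {
            deserialize(oversized);
        } catch (InvalidObjectException e) {
            System.out.println("rejected before allocation: " + e.getMessage());
        }
        // TrustingArray given the same header would attempt new long[Integer.MAX_VALUE] here,
        // before a single element is read, which is the memory exhaustion the report describes.
    }
}
```

The check must live inside `readObject` (or the dependency must be upgraded): a JDK serialization filter (`ObjectInputFilter` with `maxarray=`) only limits arrays that appear as objects in the stream, not arrays a custom `readObject` allocates from a length it read itself. A further hardening, where the element count cannot be bounded up front, is to read elements into a growable list so that allocation tracks bytes actually received rather than the declared count.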