Security vulnerability issue for GAM API version 5.1.0


ARS API Test

Jun 5, 2023, 6:18:34 AM
to Google Ad Manager API Forum
Hi Team,

We are using the GAM API for automation testing, and Snyk is used to check for vulnerabilities/issues in the code. After upgrading the API version from 4.18.0 to 5.1.0 for the dependencies below, we are getting a few security risks. Can you please review and fix those issues? Please let us know if you have any other suggestions.

Dependency used: 

<dependency>
<groupId>com.google.api-ads</groupId>
<artifactId>ads-lib</artifactId>
<version>5.1.0</version>
</dependency>

<dependency>
<groupId>com.google.api-ads</groupId>
<artifactId>dfp-axis</artifactId>
<version>5.1.0</version>
</dependency>

Vulnerability details:

1. org.apache.httpcomponents:httpclient Information Exposure
  • Fixed in
    org.apache.httpcomponents:httpclient@4.1
  • Exploit maturity
    NO KNOWN EXPLOIT
Detailed paths
  • Introduced through: com.paramount.qetech:qetech-ads...@1.0.32 › com.google.api-ads:dfp-...@4.19.0 › com.google.api-ads:ads-li...@4.19.0 › com.google.http-client:google-ht...@1.23.0 › org.apache.httpcomponents:httpc...@4.0.1
Security information
Factors contributing to the scoring:
  • Snyk: CVSS 4.3 - Medium Severity

  • NVD: Not available. NVD has not yet published its analysis.
Overview

org.apache.httpcomponents:httpclient Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.


2. org.apache.httpcomponents:httpclient Directory Traversal
  • Introduced through
    com.google.api-ads:dfp-...@4.19.0
  • Fixed in
    org.apache.httpcomponents:httpc...@4.5.3
  • Exploit maturity
    NO KNOWN EXPLOIT
Detailed paths
  • Introduced through: com.paramount.qetech:qetech-ads...@1.0.32 › com.google.api-ads:dfp-...@4.19.0 › com.google.api-ads:ads-li...@4.19.0 › com.google.http-client:google-ht...@1.23.0 › org.apache.httpcomponents:httpc...@4.0.1
Security information
Factors contributing to the scoring:
  • Snyk: CVSS 5.3 - Medium Severity

  • NVD: NVD only publishes analysis of vulnerabilities which are assigned a CVE ID. This vulnerability currently does not have an assigned CVE ID.
Overview

org.apache.httpcomponents:httpclient is an HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Directory Traversal. String input by the user is not validated for the presence of a leading / character and is passed to the constructor as path information, resulting in a Directory Traversal vulnerability.
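A mitigation the consuming project can apply on its own side, as an added example that is not from the original post or from Google's ads-lib/dfp-axis code: pin the transitive httpclient to at least the version Snyk lists as fixed (4.5.3 on this page) through Maven dependencyManagement, so the path dfp-axis -> ads-lib -> google-http-client -> httpclient resolves to a patched release. The artifact coordinates come from the Snyk paths above; choosing 4.5.3 as the override is an assumption, and a newer 4.5.x patch release should be preferred where available.

```xml
<!-- Added example, not from the original post: override the transitive
     org.apache.httpcomponents:httpclient that arrives via dfp-axis/ads-lib.
     dependencyManagement wins over the version a transitive dependency declares. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.httpcomponents</groupId>
      <artifactId>httpclient</artifactId>
      <!-- 4.5.3 is the "Fixed in" version from the Snyk report; assumption
           here, use the newest 4.5.x patch release when applying this. -->
      <version>4.5.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient`, which should show only the pinned version, and re-run the automation suite afterwards since the library now runs against a client version it did not itself declare.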
Ad Manager API Forum Advisor

Jun 6, 2023, 12:50:02 PM
to ars_cb...@viacom.com, google-doubleclick...@googlegroups.com
Hi,

Thank you for contacting the Ad Manager API support team.

Based on the information provided, I understand that after upgrading the API version, you are noticing vulnerabilities/issues in the code. Could you please provide us with the following details? You can send the details via the "Reply privately to author" option, or as a direct private reply to this email.
 
This message is in relation to case "ref:_00D1U1174p._5004Q2m9OIi:ref"

Thanks,
Ad Manager API Team

