jettison includes json-java code (org/codehaus/jettison/json), so BDBA detected a dependency on json-java with an unknown version in jettison and reported CVE-2022-45688. CVE-2022-45688:
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
Since jettison forks parts of the json-java code and maintains it on its own, is the latest version 1.5.4 really affected by this vulnerability?
From the fix commit (for CVE-2022-45688) in json-java, it seems to affect a class that jettison doesn't include at all?
It would be appreciated if jettison could help confirm whether it's affected. Thanks.
Hi @dkulp
Sorry to reach you again.
Currently we found another CVE reported on json-java, https://nvd.nist.gov/vuln/detail/CVE-2023-5072; due to the license reference to json-java, our scan tool BDBA also reported this vuln on jettison.
Would you help assess whether jettison is affected by the vuln? According to their fix, the enhancement occurs on JSONObject. stleary/JSON-java#758 stleary/JSON-java#771
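Both questions in this thread come down to the same triage step: the scanner matched on the relocated package name, so the useful check is whether the classes the upstream json-java fixes actually touch exist under jettison's forked package at all. The script below is an added example, not code from the jettison project or from the issue participants. It assumes the upstream class names that the thread itself names (XML for CVE-2022-45688, JSONObject for CVE-2023-5072), maps them from org/json/ to org/codehaus/jettison/json/, and reports which ones a given jar carries. The sample jar it builds is constructed for the demo and is not a copy of the real jettison artifact; run `classes_present()` against the actual jar to get a real answer.

```python
import os
import tempfile
import zipfile

# Upstream JSON-java classes touched by each fix, as named in this thread:
# CVE-2022-45688 is about XML.toJSONObject, CVE-2023-5072 about JSONObject.
# (Assumption: the fix diffs touch only these classes; verify against the PRs.)
UPSTREAM_FIX_CLASSES = {
    "CVE-2022-45688": ["org/json/XML"],
    "CVE-2023-5072": ["org/json/JSONObject"],
}

UPSTREAM_PREFIX = "org/json/"
FORK_PREFIX = "org/codehaus/jettison/json/"  # where jettison relocated the code


def relocate(upstream_class, upstream_prefix=UPSTREAM_PREFIX, fork_prefix=FORK_PREFIX):
    """Map an upstream class path (no .class suffix) to its jar entry in the fork."""
    if not upstream_class.startswith(upstream_prefix):
        raise ValueError(f"{upstream_class} is not under {upstream_prefix}")
    return fork_prefix + upstream_class[len(upstream_prefix):] + ".class"


def classes_present(jar_path, cve_map=UPSTREAM_FIX_CLASSES):
    """For each CVE, say which of the fixed upstream classes the jar actually ships."""
    with zipfile.ZipFile(jar_path) as jar:
        entries = set(jar.namelist())
    return {
        cve: {cls: relocate(cls) in entries for cls in classes}
        for cve, classes in cve_map.items()
    }


def triage(jar_path, cve_map=UPSTREAM_FIX_CLASSES):
    """True means 'the fixed class is present, so the CVE needs a real code review';
    False means the scanner match is by package name only and no affected class exists."""
    report = classes_present(jar_path, cve_map)
    return {cve: any(found.values()) for cve, found in report.items()}


def build_sample_jar(path):
    """Constructed sample jar: ships JSONObject/JSONArray under the fork package,
    but no XML class. Placeholder bytes stand in for real class files."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/codehaus/jettison/json/JSONObject.class", b"\xca\xfe\xba\xbe")
        jar.writestr("org/codehaus/jettison/json/JSONArray.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return path


def demo_triage():
    """Build the constructed jar in a temp dir and return (per-class report, per-CVE verdict)."""
    workdir = tempfile.mkdtemp()
    jar_path = build_sample_jar(os.path.join(workdir, "sample.jar"))
    return classes_present(jar_path), triage(jar_path)


if __name__ == "__main__":
    report, verdict = demo_triage()
    for cve, found in report.items():
        for cls, present in found.items():
            print(f"{cve}: {relocate(cls)} {'present' if present else 'absent'}")
    for cve, needs_review in verdict.items():
        print(f"{cve}: {'review fix diff' if needs_review else 'package-name match only'}")
```

A "present" result is not a confirmation that the fork is vulnerable: the forked copy may predate or differ from the upstream code the fix patched, so the next step is to compare the fix diff against the fork's source of that class. An "absent" result, on the other hand, is strong evidence that the scanner matched on the package name alone.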