Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security scan tool (Black Duck Binary Analysis) detected CVE-2022-45688, is the latest version 1.5.4 really affected by this vulnerability? #77

Closed
ChewuuHi opened this issue Jun 12, 2023 · 2 comments

Comments

@ChewuuHi
Copy link

jettison includes json-java code( org/codehaus/jettison/json), so BDBA detected dependency json-java with unknown version on jettison and reported CVE-2022-45688.
CVE-2022-45688:
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Since jettison forks parts of json-java code and maintained by your own, is the latest version 1.5.4 really affected by this vulnerability?
From the fix commit(for CVE-2022-45688) in json-java, it seems affects the class that jettison doesn't include at all?
image

It would appreciated that jettison can help confirm the information if it's affected. Thanks.

@dkulp
Copy link
Contributor

dkulp commented Jun 12, 2023

No, it's not affected as jettison does not contain any of the XML related things that are part of JSON-java.

@dkulp dkulp closed this as completed Jun 12, 2023
@ChewuuHi
Copy link
Author

ChewuuHi commented Oct 30, 2023

Hi @dkulp
Sorry to reach you again.
Currently we found another cve reported on json-java https://nvd.nist.gov/vuln/detail/CVE-2023-5072 , due to the license reference to json-java, our scan tool BDBA also reported this vulnn on jettison.
Would you help assess that if jettison is affected by the vulnn? According to their fix,The enhancement occurs on JSONObject.
stleary/JSON-java#758
stleary/JSON-java#771

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants