JSON Smart Security Vulnerability #676

Closed
bperino opened this issue Mar 12, 2021 · 8 comments
Comments

@bperino
bperino commented Mar 12, 2021

JSON Smart has not been updated in a long time and has a security vulnerability associated with it: https://nvd.nist.gov/vuln/detail/CVE-2021-27568

Please allow us to exclude JSON Smart and use a different provider.

@exabrial
exabrial commented Mar 15, 2021

Please allow us to exclude JSON Smart and use a different provider.

It's already possible :) see here: https://github.com/json-path/JsonPath/blob/master/README.md#jsonprovider-spi

To exclude it from your application, simply perform an mvn dependency:tree. You would see this:

[INFO] +- com.jayway.jsonpath:json-path:jar:2.5.0:compile
[INFO] |  \- net.minidev:json-smart:jar:2.3:compile
[INFO] |     \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |        \- org.ow2.asm:asm:jar:5.0.4:compile

then you can exclude it in your pom.xml:

<dependency>
  <groupId>com.jayway.jsonpath</groupId>
  <artifactId>json-path</artifactId>
  <version>2.5.0</version>
  <scope>compile</scope>
  <exclusions>
    <exclusion>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
    </exclusion>
  </exclusions>
</dependency>

If possible, I would submit a PR removing or upgrading JSON Smart support to help the author out.
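Excluding json-smart is only half of the switch: once it is gone, JsonPath needs another provider registered before the first read, or it fails at runtime. The following is an added example (not code from the JsonPath project or this thread) that registers Jackson as the default provider, as the JsonProvider SPI section of the README describes, and verifies that no json-smart class is still loadable. It assumes jackson-databind is on the classpath and that the provider classes ship with json-path 2.5.0; the JSON document is a constructed sample.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.jayway.jsonpath.Configuration;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Option;
import com.jayway.jsonpath.spi.json.JacksonJsonProvider;
import com.jayway.jsonpath.spi.json.JsonProvider;
import com.jayway.jsonpath.spi.mapper.JacksonMappingProvider;
import com.jayway.jsonpath.spi.mapper.MappingProvider;

public class JacksonProviderBootstrap {

    // Constructed sample document, not taken from the issue.
    private static final String SAMPLE =
        "{\"store\":{\"book\":[{\"title\":\"A\",\"price\":8.95},{\"title\":\"B\",\"price\":22.99}]}}";

    /** Registers Jackson as the process-wide JsonPath default, replacing json-smart. */
    public static void useJackson() {
        ObjectMapper mapper = new ObjectMapper();
        Configuration.setDefaults(new Configuration.Defaults() {
            private final JsonProvider jsonProvider = new JacksonJsonProvider(mapper);
            private final MappingProvider mappingProvider = new JacksonMappingProvider(mapper);

            @Override public JsonProvider jsonProvider() { return jsonProvider; }
            @Override public MappingProvider mappingProvider() { return mappingProvider; }
            @Override public Set<Option> options() { return EnumSet.noneOf(Option.class); }
        });
    }

    /** Reports whether a json-smart class is still loadable, i.e. the Maven exclusion did not take. */
    public static boolean jsonSmartPresent() {
        try {
            Class.forName("net.minidev.json.JSONValue");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        useJackson();
        if (jsonSmartPresent()) {
            throw new IllegalStateException("json-smart is still on the classpath; check the exclusion in pom.xml");
        }
        // JsonPath.read(String, ...) goes through Configuration.defaultConfiguration(), so Jackson parses this.
        List<String> titles = JsonPath.read(SAMPLE, "$.store.book[?(@.price > 10)].title");
        System.out.println(titles);
    }
}
```

Call useJackson() once at application startup, before any JsonPath usage; the later commit referenced at the bottom of this thread notes that some code paths in 2.5.0 still instantiated the json-smart parser directly, so a library or framework that bypasses Configuration may still need it present.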

@bperino
Author

bperino commented Mar 15, 2021

That indeed did work. Interesting issue we ran into on our side though. It looks like Spring tries to decorate its message converters with JsonPath if it finds it on the classpath. I had to override the configuration class to prevent this:

import java.util.List;

import org.springframework.context.ApplicationContext;
import org.springframework.data.web.ProjectingJackson2HttpMessageConverter;
import org.springframework.data.web.XmlBeamHttpMessageConverter;
import org.springframework.http.converter.HttpMessageConverter;
import org.springframework.util.ClassUtils;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

import com.fasterxml.jackson.databind.ObjectMapper;

public class SpringDataWebConfiguration implements WebMvcConfigurer {

  // The context field and the getUniqueBean / forwardBeanClassLoader helpers
  // are defined elsewhere in the upstream class linked below.
  private final ApplicationContext context;

  @Override
  public void extendMessageConverters(List<HttpMessageConverter<?>> converters) {

    // JsonPath is picked up purely by classpath presence: if both JsonPath and Jackson
    // are loadable, a projecting converter is registered ahead of the defaults.
    if (ClassUtils.isPresent("com.jayway.jsonpath.DocumentContext", context.getClassLoader())
        && ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", context.getClassLoader())) {

      ObjectMapper mapper = getUniqueBean(ObjectMapper.class, context, ObjectMapper::new);

      ProjectingJackson2HttpMessageConverter converter = new ProjectingJackson2HttpMessageConverter(mapper);
      converter.setBeanFactory(context);
      forwardBeanClassLoader(converter);

      converters.add(0, converter);
    }

    // Same pattern for XMLBeam-based projections.
    if (ClassUtils.isPresent("org.xmlbeam.XBProjector", context.getClassLoader())) {

      converters.add(0, context.getBeanProvider(XmlBeamHttpMessageConverter.class) //
          .getIfAvailable(() -> new XmlBeamHttpMessageConverter()));
    }
  }
}

Source https://github.com/spring-projects/spring-data-commons/blob/master/src/main/java/org/springframework/data/web/config/SpringDataWebConfiguration.java#L162

@erlioniel
@exabrial thank you for the code snippet, it's working like a charm; however, I have a few comments about it:

  1. Maybe it's worth mentioning it in the documentation section?
  2. I would actually prefer it if jsonpath went without any JSON-parsing library and dynamically checked whether any library is available to use, instead of requiring manual configuration and selection of a JSON provider. Could you please share the reason why the current solution was preferred?

@r0bb3n

r0bb3n commented Apr 3, 2021

I'd like to add that the json-smart project is (again) searching for a new maintainer, see the update here and the indicating comment on the CVE-2021-27568 fixing issue.
Maybe it is worth considering a switch to a different default library with a larger community?

@UrielCh

UrielCh commented Apr 3, 2021

Just released:

  • json-smart-action 2.4.1
  • json-smart 2.4.1
  • minidev-parent 2.4.1
  • accessors-smart 1.3

All version numbers increased.
No more JUnit 4, I use JUnit 5.

@UrielCh

UrielCh commented Apr 4, 2021

JSON-smart is now maintained, for a week or two.

If you have some requests, make them quickly.

CVE-2021-27568 is fixed for JSON-SMART V2

@rajivbandi

rajivbandi commented Apr 5, 2021

Does this mean that a Json Path release of v2.6.0 would include JSON-smart v2.4.1, where the CVE is fixed?
If yes, when can we expect the Json Path release?

@kallestenflo
Contributor

Fixed in 2.6.0

mkr added a commit to mkr/JsonPath that referenced this issue Apr 13, 2023
…lso related to json-path#682, json-path#676, json-path#513, json-path#252)

* Replace hard-coded json-smart parser with one retrieved from context (where available) or default configuration.
* This enables a project to _exclude_ the transitive json-smart dependency when setting an alternative default configuration.