Vulnerability in org.json:json:20220320 #23565

Closed
Patras3 opened this issue Feb 2, 2023 · 5 comments
Labels: security (Pull requests that address a security vulnerability), severity:high (Vulnerability scan classification for High Severity issues), Source: Internal (PR or issue was opened by an employee), Team: Integration, Type: Defect
Comments

Patras3 (Contributor) commented Feb 2, 2023

org.json:json:20220320
CVE-2022-45688
https://nvd.nist.gov/vuln/detail/CVE-2022-45688

The same problem exists in versions 5.2, 5.1 and 5.0.

GH issue from org.json
stleary/JSON-java#708

@Patras3 Patras3 added this to the 5.3 Backlog milestone Feb 2, 2023
sumnerib (Contributor) commented Mar 1, 2023

Also affects:

  • jackson-core-2.14.0.jar and json-path-2.4.0.jar in 4.2.z, 5.0.z, 5.1.z, 5.2.z, and master.
  • json-smart-2.4.7.jar, google-http-client-gson-1.41.8.jar, accessors-smart-2.4.7.jar, and google-http-client-jackson2-1.36.0.jar in 5.0.z, 5.1.z, 5.2.z, and master
  • json-utils-2.17.264.jar in 5.2.z and master

ldziedziul added a commit that referenced this issue Mar 15, 2023
Related to #23565

Backport of #23935

Checklist:
- [x] Labels (`Team:`, `Type:`, `Source:`, `Module:`) and Milestone set
- [x] Label `Add to Release Notes` or `Not Release Notes content` set
- [x] Request reviewers if possible
- [x] Send backports/forwardports if fix needs to be applied to past/future releases
- [x] New public APIs have `@Nonnull/@Nullable` annotations
- [x] New public APIs have `@since` tags in Javadoc
ldziedziul added a commit that referenced this issue Mar 15, 2023
Related to #23565
ldziedziul added a commit that referenced this issue Mar 15, 2023
Related to #23565

Forward port of #23935
abelsromero commented
Hi 👋 Sorry to ask, but is there any availability for when new releases will be available? Thanks!

sumnerib (Contributor) commented
Hi @abelsromero 👋 The latest version 5.2.3 has already been released with the patched dependency: #23935

abelsromero commented
Thanks @sumnerib, sadly we are in another branch and we can't just bump it. We use 5.0.x but I didn't want to make it about our use case only 😅 I hope we all get the different releases eventually.

TomaszGaweda (Contributor) commented
Closing as the solution was merged into all branches
