Security scan tool (Black Duck Binary Analysis) detected CVE-2022-45688, is the latest version 1.5.4 really affected by this vulnerability?

[ChewuuHi]

jettison includes json-java code（ org/codehaus/jettison/json), so BDBA detected dependency json-java with unknown version on jettison and reported CVE-2022-45688.
CVE-2022-45688:
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Since jettison forks parts of json-java code and maintained by your own, is the latest version 1.5.4 really affected by this vulnerability?
From the fix commit(for CVE-2022-45688) in json-java, it seems affects the class that jettison doesn't include at all?

It would appreciated that jettison can help confirm the information if it's affected. Thanks.

[dkulp]

No, it's not affected as jettison does not contain any of the XML related things that are part of JSON-java.

[ChewuuHi]

Hi @dkulp
Sorry to reach you again.
Currently we found another cve reported on json-java https://nvd.nist.gov/vuln/detail/CVE-2023-5072 , due to the license reference to json-java, our scan tool BDBA also reported this vulnn on jettison.
Would you help assess that if jettison is affected by the vulnn? According to their fix,The enhancement occurs on JSONObject.
stleary/JSON-java#758
stleary/JSON-java#771