
CVE-2022-45688 in org.json/json #9752

Closed
melloware opened this issue Feb 1, 2023 · 11 comments · Fixed by #9845
Assignees
Labels
8.0.24 10.0.19 11.0.12 12.0.6 discussion Item needs to be discussed by core devs 🔒 security Security related issue or enhancement
Milestone

Comments

@melloware (Member)

See: stleary/JSON-java#708

Reported: jeremylong/DependencyCheck#5401

Because PF shades org.json.

@melloware melloware added the 🔒 security Security related issue or enhancement label Feb 1, 2023
@melloware melloware self-assigned this Feb 1, 2023
@melloware melloware added this to the 13.0.0 milestone Feb 1, 2023
@melloware (Member Author)

cc @blutorange

@melloware (Member Author) commented Feb 1, 2023

OK PF is NOT vulnerable to this and should not be reported. When we shade the JAR it does not include the XML classes. Here is the PF 12.0.0 JAR in Maven Central

[image]

Here is the contents of the whole org.json JAR but we are excluding the vulnerable XML classes.

[image]

@melloware melloware removed this from the 13.0.0 milestone Feb 1, 2023
@melloware melloware added the Resolution: Wontfix Issue will not be fixed due to technical limitations label Feb 1, 2023
@melloware (Member Author)

Does anyone agree with my assessment?

@melloware melloware added Resolution: Invalid Issue or pull request is not valid in the latest version discussion Item needs to be discussed by core devs and removed Resolution: Wontfix Issue will not be fixed due to technical limitations labels Feb 1, 2023
@blutorange (Contributor) commented Feb 1, 2023

The CVE explicitly only mentions XML.toJSONObject (and only that method). In principle, that method could still call a method from another non-excluded class that contains the vulnerable logic. But checking the source code and the proposed commit that fixes the vulnerability (https://github.com/stleary/JSON-java/pull/720/files), the logic that does the parsing is also in the XML classes. So I would tend to agree that PrimeFaces is not affected.
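To verify the assessment in the two comments above (that the shaded JAR omits the org.json XML parser classes that CVE-2022-45688 concerns), here is an added example, not PrimeFaces or org.json code, that lists the `XML*` classes present in a JAR. The two JARs it inspects are constructed in memory, and the relocated `org/primefaces/shaded/json` package path is an assumption.

```python
"""List the org.json XML parser classes (XML, XMLParserConfiguration, XMLTokener, ...)
contained in a JAR. An empty result means the CVE-2022-45688 entry point
XML.toJSONObject, and the parsing logic behind it, is not shipped in that artifact.
"""
import io
import zipfile


def is_xml_parser_class(entry: str) -> bool:
    """True for org.json's XML* classes, whether at org/json/ or a relocated path."""
    return entry.endswith(".class") and "/json/XML" in entry


def xml_parser_entries(jar) -> list:
    """Return the sorted XML parser class entries in a JAR (path, file-like, or bytes)."""
    if isinstance(jar, bytes):
        jar = io.BytesIO(jar)
    with zipfile.ZipFile(jar) as zf:
        return sorted(name for name in zf.namelist() if is_xml_parser_class(name))


def build_jar(entries) -> bytes:
    """Construct an in-memory JAR containing the given entries (empty bodies suffice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample of a shaded JAR as described in the thread: org.json without XML*.
# The relocated package path is an assumption for the demo, not PrimeFaces' actual layout.
SHADED_JAR = build_jar([
    "org/primefaces/shaded/json/JSONObject.class",
    "org/primefaces/shaded/json/JSONArray.class",
    "org/primefaces/shaded/json/JSONTokener.class",
])

# Constructed sample of the full org.json JAR, which does ship the XML parser.
FULL_JAR = build_jar([
    "org/json/JSONObject.class",
    "org/json/XML.class",
    "org/json/XMLParserConfiguration.class",
    "org/json/XMLTokener.class",
])

if __name__ == "__main__":
    for label, jar in (("shaded", SHADED_JAR), ("full org.json", FULL_JAR)):
        found = xml_parser_entries(jar)
        print(f"{label}: {'exposed' if found else 'not exposed'} {found}")
```

Pass a path to a real artifact (e.g. the shaded JAR downloaded from Maven Central) to `xml_parser_entries` to run the same check against it.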

@melloware (Member Author)

cc @cnsgithub

@melloware melloware removed the 🔒 security Security related issue or enhancement label Feb 8, 2023
@AndreasIgelCC

@melloware, @blutorange: same result for Primefaces version 8.0.22?

@melloware (Member Author)

Yes, for this specific CVE I am confident it's not vulnerable. However, there is chatter on the JSON project that they may open a new CVE, similar but not the same. I am waiting to analyze that.

@AndreasIgelCC

@melloware could you please release that for 8.0.X too?

@tandraschko (Member)

@AndreasIgelCC please see: https://github.com/primefaces/primefaces#community--elite--pro

@svenhaag commented Sep 27, 2023

> @AndreasIgelCC please see: https://github.com/primefaces/primefaces#community--elite--pro

Hi guys, when can the 8.0.24 release be expected?
Also see my related question here: https://github.com/orgs/primefaces/discussions/85
@mertsincan

@mertsincan mertsincan added 12.0.6 11.0.12 10.0.19 🔒 security Security related issue or enhancement discussion Item needs to be discussed by core devs and removed Resolution: Invalid Issue or pull request is not valid in the latest version discussion Item needs to be discussed by core devs labels Oct 3, 2023
@mertsincan (Member)

Thanks @melloware ;)
