CVE-2023-5072 (High) detected in json-20230618.jar - autoclosed #3522

mend-for-github-com · 2023-10-18T13:32:30Z

CVE-2023-5072 - High Severity Vulnerability

Vulnerable Library - json-20230618.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

    The files in this package implement JSON encoders/decoders in Java.
    It also includes the capability to convert between JSON and XML, HTTP
    headers, Cookies, and CDL.

    This is a reference implementation. There is a large number of JSON packages
    in Java. Perhaps someday the Java community will standardize on one. Until
    then, choose carefully.</p>

Path to dependency file: /data-prepper-plugins/kafka-plugins/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar

Dependency Hierarchy:

anomaly-detector-processor-2.6.0-SNAPSHOT (Root Library)
- ❌ json-20230618.jar (Vulnerable Library)

Found in HEAD commit: 5b822f31bcf20d963c76d9b2319604252b9fa5d1

Found in base branch: main

Vulnerability Details

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

Publish Date: 2023-10-12

URL: CVE-2023-5072

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rm7j-f5g5-27vv

Release Date: 2023-10-12

Fix Resolution: org.json:json:20231013

The text was updated successfully, but these errors were encountered:

… This includes a transitive dependency update to parsson to resolve CVE-2023-4043. Update required version of org.json library to resolve CVE-2023-5072. Require a Zookeeper version which resolves CVE-2023-44981. Require a transitive Scala library to resolve CVE-2023-46122. Resolves opensearch-project#3588, opensearch-project#3522, opensearch-project#3491, opensearch-project#3547 Signed-off-by: David Venable <[email protected]>

… This includes a transitive dependency update to parsson to resolve CVE-2023-4043. (#3689) Update required version of org.json library to resolve CVE-2023-5072. Require a Zookeeper version which resolves CVE-2023-44981. Require a transitive Scala library to resolve CVE-2023-46122. Resolves #3588, #3522, #3491, #3547 Signed-off-by: David Venable <[email protected]>

mend-for-github-com · 2023-11-27T17:04:48Z

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Oct 18, 2023

github-project-automation bot added this to Data Prepper Tracking Board Oct 18, 2023

github-project-automation bot moved this to Unplanned in Data Prepper Tracking Board Oct 18, 2023

github-actions bot added the untriaged label Oct 18, 2023

dlvenable removed the untriaged label Oct 24, 2023

dlvenable added this to the v2.6 milestone Oct 24, 2023

dlvenable self-assigned this Oct 24, 2023

dlvenable mentioned this issue Nov 21, 2023

Updates to OpenSearch dependencies and other dependencies for CVE fixes #3689

Merged

4 tasks

mend-for-github-com bot changed the title ~~CVE-2023-5072 (High) detected in json-20230618.jar~~ CVE-2023-5072 (High) detected in json-20230618.jar - autoclosed Nov 27, 2023

mend-for-github-com bot closed this as completed Nov 27, 2023

github-project-automation bot moved this from Unplanned to Done in Data Prepper Tracking Board Nov 27, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-5072 (High) detected in json-20230618.jar - autoclosed #3522

CVE-2023-5072 (High) detected in json-20230618.jar - autoclosed #3522

mend-for-github-com bot commented Oct 18, 2023 •

edited

Loading

mend-for-github-com bot commented Nov 27, 2023

CVE-2023-5072 (High) detected in json-20230618.jar - autoclosed #3522

CVE-2023-5072 (High) detected in json-20230618.jar - autoclosed #3522

Comments

mend-for-github-com bot commented Oct 18, 2023 • edited Loading

CVE-2023-5072 - High Severity Vulnerability

mend-for-github-com bot commented Nov 27, 2023

mend-for-github-com bot commented Oct 18, 2023 •

edited

Loading