Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2023-51074 (Medium) detected in json-path-2.8.0.jar #3919

Closed
mend-for-github-com bot opened this issue Jan 5, 2024 · 0 comments · Fixed by #4132
Closed

CVE-2023-51074 (Medium) detected in json-path-2.8.0.jar #3919

mend-for-github-com bot opened this issue Jan 5, 2024 · 0 comments · Fixed by #4132
Assignees
@dlvenable
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Milestone
v2.6.2

Comments

@mend-for-github-com
Copy link
Contributor

mend-for-github-com bot commented Jan 5, 2024
edited
Loading

CVE-2023-51074 - Medium Severity Vulnerability

Vulnerable Library - json-path-2.8.0.jar

A library to query and verify JSON

Library home page: https://github.com/jayway/JsonPath

Path to dependency file: /data-prepper-plugins/s3-source/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.8.0/b4ab3b7a9e425655a0ca65487bbbd6d7ddb75160/json-path-2.8.0.jar

Dependency Hierarchy:

  • wiremock-3.3.1.jar (Root Library)
    • json-path-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56

Found in base branch: main

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51074

Release Date: 2023-12-27

Fix Resolution: com.jayway.jsonpath:json-path:2.9.0
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jan 5, 2024
@dlvenable dlvenable added this to the v2.6.2 milestone Jan 9, 2024
@mend-for-github-com mend-for-github-com bot changed the title CVE-2023-51074 (High) detected in json-path-2.8.0.jar CVE-2023-51074 (Medium) detected in json-path-2.8.0.jar Jan 11, 2024
@dlvenable dlvenable modified the milestones: v2.6.2, v2.7 Jan 17, 2024
@dlvenable dlvenable modified the milestones: v2.7, v2.6.2 Feb 14, 2024
@dlvenable dlvenable self-assigned this Feb 14, 2024
dlvenable added a commit to dlvenable/data-prepper that referenced this issue Feb 15, 2024
@dlvenable
Require json-path 2.9.0 to fix CVE-2023-51074. Resolves opensearch-pr…
56de3c1 
…oject#3919.

Signed-off-by: David Venable <[email protected]>
@dlvenable dlvenable mentioned this issue Feb 15, 2024
Merged
4 tasks
dlvenable added a commit that referenced this issue Feb 15, 2024
@dlvenable
Require json-path 2.9.0 to fix CVE-2023-51074. Resolves #3919. (#4132)
838744c 
Signed-off-by: David Venable <[email protected]>
@github-project-automation github-project-automation bot moved this from Unplanned to Done in Data Prepper Tracking Board Feb 15, 2024
opensearch-trigger-bot bot pushed a commit that referenced this issue Feb 15, 2024
@dlvenable @github-actions
Require json-path 2.9.0 to fix CVE-2023-51074. Resolves #3919. (#4132)
ee7dc56 
Signed-off-by: David Venable <[email protected]>
(cherry picked from commit 838744c)
dlvenable added a commit that referenced this issue Feb 16, 2024
@opensearch-trigger-bot @dlvenable
Require json-path 2.9.0 to fix CVE-2023-51074. Resolves #3919. (#4132) (
c0b413f 
#4133)

Signed-off-by: David Venable <[email protected]>
(cherry picked from commit 838744c)

Co-authored-by: David Venable <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dlvenable dlvenable

Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
Data Prepper Tracking Board
Status: Done
Milestone
v2.6.2
Development

Successfully merging a pull request may close this issue.

Require json-path 2.9.0 to fix CVE-2023-51074. Resolves #3919 dlvenable/data-prepper
1 participant
@dlvenable