FasterXML/jackson-core

CVE-2023-5072 & CVE-2022-45688 found in jackson-core 2.16.0

KaeYan93 opened this issue · 3 comments

Hi jackson-core team,

When I scanned my application, I saw 2 security vulnerabilities found by the OWASP dependency check tool.

Can I confirm whether the following CVE-2023-5072 and CVE-2022-45688 are resolved for 2.16.0?

Those are not Jackson CVEs. Closing.

Hi, is Jackson using org.json? This is the CVE of org.json and Jackson is using this dependency.
Can I confirm the current version of org.json Jackson is using?

I cannot find this transitive dependency from my IDE dependency analyzer though.

@KaeYan93 Do your research first before filing issues that waste time of the development team.
We are not here to answer questions you are too lazy to find answers for on your own.

You should be able to quite easily figure out whether jackson-core uses the org.json library or not: it does not, as per the pom.xml that lists dependencies.
Or use https://mvnrepository.com:

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core

to see dependencies.
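
The check suggested in the last comment (read the POM's declared dependencies before treating a scanner hit as real), as an added example that is not part of the original thread or of the Jackson project. The sample POM is constructed for a hypothetical `com.example:sample-lib` artifact, and the function names `declared_dependencies` and `shipped` are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample POM for a hypothetical artifact; NOT jackson-core's pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>sample-lib</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.junit.jupiter</groupId>
      <artifactId>junit-jupiter</artifactId>
      <version>0.0.0-placeholder</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.json</groupId>
      <artifactId>json</artifactId>
      <version>0.0.0-placeholder</version>
    </dependency>
  </dependencies>
</project>"""


def declared_dependencies(pom_xml):
    """Return the direct dependencies declared in a POM, with Maven defaults applied."""
    root = ET.fromstring(pom_xml)

    def field(dep, tag, default=""):
        return (dep.findtext(f"m:{tag}", default, NS) or default).strip()

    # Only <project>/<dependencies>: <dependencyManagement> entries pin versions
    # but do not put anything on the classpath by themselves.
    return [
        {
            "groupId": field(dep, "groupId"),
            "artifactId": field(dep, "artifactId"),
            "scope": field(dep, "scope", "compile"),
            "optional": field(dep, "optional", "false") == "true",
        }
        for dep in root.findall("m:dependencies/m:dependency", NS)
    ]


def shipped(deps, group_id):
    """Dependencies from group_id that reach consumers (compile/runtime, not optional)."""
    return [d for d in deps if d["groupId"] == group_id
            and d["scope"] in ("compile", "runtime") and not d["optional"]]
```

This reads direct declarations only; it does not resolve parent POMs or transitive dependencies, so an empty result for a group rules out a direct dependency, not an indirect one.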