FasterXML/jackson-core

jackson-core-2.16.0.jar incorrectly flagged with CVE-2023-5072 (org.json library issue)

miyagiborn opened this issue · 3 comments

Recently, when running the OWASP Dependency-Check tool on my project, jackson-core-2.16.0.jar was flagged with CVE-2023-5072.

```
cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:*:*:*:*:*:*:*
cpe:2.3:a:json-java_project:json-java:2.16.0:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.core/jackson-core@2.16.0
```

Does anybody have more information about whether this is affected by CVE-2023-5072, or if it's a false positive? Any updates or insights would be greatly appreciated.

Thank you.

@miyagiborn Looking at that link, this is not for Jackson at all:

> Package: org.json:json ([Maven](https://github.com/advisories?query=ecosystem%3Amaven))

so it is a false positive.

duplicate of #1139

... I somehow missed #1139, even though I searched for the CVE. Thank you @pjfanning.
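For anyone hitting the same report, the usual way to silence a confirmed false positive in OWASP Dependency-Check is a suppression file that pins the misidentified CPE to the affected package URL. The file below is an added example written for this thread, not part of the issue or of the Jackson project; it assumes the standard `dependency-check` suppression schema and the `pkg:maven/com.fasterxml.jackson.core/jackson-core@...` package URL shown in the original report, and it suppresses only the `json-java_project:json-java` CPE that the thread identifies as wrong (the `org.json` advisory), leaving every other match for the artifact in place.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (e.g. dependency-check-suppressions.xml);
     pass it with --suppression on the CLI or the suppressionFile setting
     in the Maven/Gradle plugins. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        jackson-core is misidentified as org.json:json (json-java), so CVE-2023-5072
        does not apply to it; see FasterXML/jackson-core issue #1139.
        Only the wrong CPE is suppressed, not every finding for this artifact.
        ]]></notes>
        <!-- Constructed regex: any version of jackson-core, so the rule survives upgrades -->
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
        <!-- Suppress the CPE match rather than the single CVE id, so later
             org.json advisories attached to the same wrong CPE are covered too -->
        <cpe>cpe:/a:json-java_project:json-java</cpe>
    </suppress>
</suppressions>
```

If you would rather keep the scope as narrow as possible, replace the `<cpe>` element with `<cve>CVE-2023-5072</cve>`; that silences only this one id and the scanner will still report any future advisory that lands on the same misidentified CPE, which is the safer default when you are not yet sure the CPE match itself is wrong.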