jackson-core-2.16.0.jar incorrectly flagged with CVE-2023-5072 (org.json library issue)
miyagiborn opened this issue · 3 comments
miyagiborn commented
Recently, when running the OWASP Dependency-Check tool on my project, jackson-core-2.16.0.jar was flagged with CVE-2023-5072.
```
cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:*:*:*:*:*:*:*
cpe:2.3:a:json-java_project:json-java:2.16.0:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.core/jackson-core@2.16.0
```
Does anybody have more information about whether this is affected by CVE-2023-5072, or if it's a false positive? Any updates or insights would be greatly appreciated.
Thank you.
cowtowncoder commented
@miyagiborn Looking at that link, this is not for Jackson at all:
Package: org.json:json ([Maven](https://github.com/advisories?query=ecosystem%3Amaven))
so it is a false positive.
cowtowncoder commented
... I somehow missed #1139 even though I was searching for the CVE. Thank you @pjfanning.
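For anyone whose Dependency-Check scan produces the same false positive, a suppression rule like the following is one way to silence it. This is an added example, not from the thread or the Jackson project: it suppresses the mis-identified `json-java` CPE only for artifacts whose package URL matches jackson-core, so the scanner still reports any real advisory against Jackson itself; the file name and notes text are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (assumed file name); pass it to the
     scanner with the suppression file option of your build plugin or CLI -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      jackson-core is not org.json:json. The json-java CPE is a product
      mis-identification, so suppress that CPE match rather than the CVE
      itself; CVE-2023-5072 then disappears with it, while any genuine
      Jackson advisory would still be reported.
    ]]></notes>
    <!-- Scope the rule to the jackson-core artifact (any version) -->
    <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
    <!-- The CPE that was wrongly attached to jackson-core in the report -->
    <cpe>cpe:/a:json-java_project:json-java</cpe>
  </suppress>
</suppressions>
```

Suppressing the CPE rather than listing `<cve>CVE-2023-5072</cve>` matters: a CVE-only rule would leave the wrong product identification in place, so the next advisory against org.json would be misattributed to jackson-core just the same.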