amplitude/Amplitude-Java

Dependency on the vulnerable org.json:json:20220320

Closed this issue · 8 comments

CVE-2023-5072
CVE-2022-45688

Expected Behavior

No dependencies with vulnerabilities

Current Behavior

2 High vulnerabilities

Possible Solution

Update org.json:json to the recent version

Hello Team, can you please provide your thoughts about the issue? Is it safe to run the client in production? Do you have plans to update the dependency?

Also, I noticed that you already have a PR that addresses one of the vulnerabilities, but you didn't merge it, provide any response or fix the issue yourself. Why?

@alok1111 thanks for creating this ticket. I am taking a look at this and will update soon.

@izaaz is there any news?

@alok1111 the patch was just released in version 1.12.1

Correction. The package has been deployed to a staging env. I'll update this issue once it's generally available.

@izaaz thank you for the update.
1.21.1 fixes only one vulnerability - CVE-2022-45688. Would you please also fix CVE-2023-5072? To do that you need to upgrade org.json:json to at least 20231013.
I also noticed that the org.json:json versions are out of sync between demo, main and test. So the project tests probably run on the wrong version.

Thanks @alok1111. All packages are updated and use version 20231013. The latest version 1.12.2 is now available.
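As an added example, not part of this thread or of the Amplitude-Java project's build files: a consumer-side Gradle Kotlin DSL fragment that raises the transitive org.json:json to 20231013 (the minimum named above for both CVEs) and fails the build if any runtime artifact still resolves an older release, which is the kind of drift the out-of-sync versions in the thread describe. The use of Gradle, the `java` plugin and the SDK coordinate `com.amplitude:java-sdk` are assumptions; the SDK version is a placeholder.

```kotlin
// build.gradle.kts of an application that consumes the Amplitude Java client.
// Added example, not the project's own build script. Assumes the Gradle `java`
// plugin; "com.amplitude:java-sdk" is the assumed SDK coordinate and
// PLACEHOLDER_VERSION must be replaced with the release actually used.
plugins {
    java
}

dependencies {
    implementation("com.amplitude:java-sdk:PLACEHOLDER_VERSION")

    constraints {
        // A constraint raises the transitive org.json:json without declaring a
        // direct dependency; Gradle resolves to the highest version requested.
        implementation("org.json:json:20231013") {
            because("CVE-2022-45688 and CVE-2023-5072 affect older org.json releases")
        }
    }
}

// org.json publishes date-stamped versions (yyyyMMdd), so a numeric compare
// against the minimum fixed release is sufficient.
val minimumOrgJsonVersion = 20231013

tasks.register("checkOrgJsonVersion") {
    description = "Fails if any runtime artifact of org.json:json is older than $minimumOrgJsonVersion"
    doLast {
        val offenders = configurations.getByName("runtimeClasspath")
            .resolvedConfiguration.resolvedArtifacts
            .map { it.moduleVersion.id }
            .filter { it.group == "org.json" && it.name == "json" }
            .filter { (it.version.toIntOrNull() ?: 0) < minimumOrgJsonVersion }
        if (offenders.isNotEmpty()) {
            throw GradleException(
                "Vulnerable org.json:json resolved: ${offenders.joinToString { it.version }}"
            )
        }
    }
}

// Run the check as part of the normal verification lifecycle so a later
// dependency bump cannot silently reintroduce an old org.json.
tasks.named("check") {
    dependsOn("checkOrgJsonVersion")
}
```

Running `./gradlew checkOrgJsonVersion` after the change lists nothing on success and aborts with the offending version otherwise; `./gradlew dependencies --configuration runtimeClasspath` shows which path pulled org.json in.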