schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072

Question

schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072

fredrikls opened this issue a year ago · 3 comments

Currently:
software.amazon.glue:schema-registry-serde:jar:1.1.17 → com.github.erosb:everit-json-schema:jar:1.14.2 → org.json:json:jar:20230227

Fix:
Fixed in com.github.erosb:everit-json-schema:jar:1.14.3 -> org.json:json:jar:20231013

Answer 1 · 2024-02-22T11:19:47.000Z

It looks like this was released on the January one so it probably can be closed?
https://github.com/awslabs/aws-glue-schema-registry/releases/tag/v1.1.18

Answer 2 · 2024-04-26T18:57:32.000Z

We see still the same issue also for 1.1.19, for some reason the transitive json version shown in intellij for our project doesnt match the one in source
Our project:

From the source code:

And it has been flagged by our snyk scan also

Answer 3 · 2024-05-08T18:34:14.000Z

Any updates ? I've created a PR that should fix it