FasterXML / jackson-core

Core part of Jackson that defines Streaming API as well as basic shared abstractions
Apache License 2.0

jackson-core-2.16.0.jar incorrectly flagged with CVE-2023-5072 (org.json library issue) #1286

Closed miyagiborn closed 4 months ago

miyagiborn commented 4 months ago

Recently, when running the OWASP Dependency-Check tool on my project, jackson-core-2.16.0.jar was flagged with CVE-2023-5072.

```
cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:::::::
cpe:2.3:a:json-java_project:json-java:2.16.0:::::::
pkg:maven/com.fasterxml.jackson.core/jackson-core@2.16.0
```

Does anybody have more information about whether this is affected by CVE-2023-5072, or if it's a false positive? Any updates or insights would be greatly appreciated.

Thank you.

cowtowncoder commented 4 months ago

@miyagiborn Looking at that link, this is not for Jackson at all:

> Package: org.json:json ([Maven](https://github.com/advisories?query=ecosystem%3Amaven))

so it is a false positive.
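For anyone who hits the same report: the scanner matched the `json-java_project:json-java` CPE purely on the version string `2.16.0`, so the practical fix on the consumer side is a narrow Dependency-Check suppression. The file below is an added example written for this thread, not something from the Jackson project or from the reporter; the file name `dependency-check-suppressions.xml` is an assumption, and the `packageUrl` and `cve` values are taken from the scan output quoted above. It suppresses only CVE-2023-5072 for `jackson-core`, rather than suppressing the mismatched CPE outright, so that any future advisory that genuinely names jackson-core still surfaces.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example suppression file (assumed name: dependency-check-suppressions.xml).
     Added for illustration; not part of the Jackson project or the original report. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
            CVE-2023-5072 concerns org.json:json (JSON-java). Dependency-Check assigned
            cpe:2.3:a:json-java_project:json-java:2.16.0 to jackson-core only because the
            version numbers coincide. Confirmed false positive in
            https://github.com/FasterXML/jackson-core/issues/1286 (dup of #1139).
        ]]></notes>
        <!-- Match jackson-core at any version so the suppression survives upgrades,
             but keep the scope to this one artifact. -->
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
        <!-- Suppress the single mismatched CVE, not every finding against the CPE. -->
        <cve>CVE-2023-5072</cve>
    </suppress>
</suppressions>
```

Point the scan at the file with the CLI's `--suppression` option (or the `suppressionFile` setting of the Maven/Gradle plugins) and re-run; the CVE disappears from the report while the `jackson-core` dependency itself stays under analysis. Keep the `notes` block, since it is the audit trail a reviewer will want when they ask why the finding was silenced.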

pjfanning commented 4 months ago

duplicate of https://github.com/FasterXML/jackson-core/issues/1139

cowtowncoder commented 4 months ago

... I somehow missed #1139 even though searching for the CVE. Thank you @pjfanning.