stefankoegl / python-json-pointer

Resolve JSON Pointers in Python
https://python-json-pointer.readthedocs.org/

CVE-2021-23807 #55

Closed ekomarova closed 1 year ago

ekomarova commented 1 year ago

It looks like jsonpointer is affected by https://nvd.nist.gov/vuln/detail/CVE-2021-23807 up to v5.0.0. Is it possible to create a patch to fix this?

stefankoegl commented 1 year ago

The CVE is about a different jsonpointer package (Node, not Python). If you think that it might also relate to this one, can you please point out how?

ekomarova commented 1 year ago

I don't really know for sure what jsonpointer is, because for me it's just a dependency for conda from conda-forge https://github.com/conda-forge/jsonpointer-feedstock. I thought that probably here might just be a different implementation of jsonpointer. But if it's a different package with different code, then this CVE is not applicable.

stefankoegl commented 1 year ago

It is a different implementation, with its own source; completely independent of the one referenced in the CVE. Closing.

ekomarova commented 1 year ago

Thanks for the explanation!