Upgrade to JsonPath 2.9.0 #39328

Closed
mike-lloyd03 opened this issue Jan 29, 2024 · 2 comments
Comments

mike-lloyd03 commented Jan 29, 2024

com.jayway.jsonpath:json-path is vulnerable to a buffer overflow per [CVE-2023-51074](https://www.cve.org/CVERecord?id=CVE-2023-51074).

We are using 2.7.18 and this is being flagged by our SCA tool.

Please upgrade json-path to 2.9.0.

json-path/JsonPath#973

Thank you.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 29, 2024
@wilkinsona (Member)

Thanks. We're aware of the CVE and considering what to do here. In the meantime, please be aware that:

  • Spring Boot 2.7.x is out of OSS support and the earliest generally available release in which an upgrade to json-path 2.9.0 could be made would be a 3.1.x release.
  • You can override the version in your build using the json-path.version property.
  • The situations in which you may actually be vulnerable are quite limited. Some further investigation of the flag raised by your SCA tool may identify it as a false alarm.
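As an added example (not code from this thread or from Spring Boot itself), the following Maven `pom.xml` shows the override mentioned in the second bullet: setting the `json-path.version` property that Spring Boot's managed dependencies expose, so that every transitive `com.jayway.jsonpath:json-path` resolves to 2.9.0 instead of the version Boot would otherwise manage. The parent version 2.7.18 assumes the reporter's "2.7.18" refers to Spring Boot; the `com.example` coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Assumed: the application inherits Spring Boot's dependency management
       from the starter parent (2.7.18 is the last OSS 2.7.x release). -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.18</version>
    <relativePath/>
  </parent>

  <!-- Placeholder coordinates for the example application. -->
  <groupId>com.example</groupId>
  <artifactId>json-path-override-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Overrides the json-path version managed by spring-boot-dependencies.
         Because the starter parent's dependencyManagement reads this property,
         the override applies to transitive uses of json-path as well. -->
    <json-path.version>2.9.0</json-path.version>
  </properties>

  <dependencies>
    <!-- spring-boot-starter-test brings in json-path transitively;
         with the property above it now resolves to 2.9.0. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Confirm the effective version with `mvn dependency:tree -Dincludes=com.jayway.jsonpath`; if another BOM or a direct dependency pins json-path, the tree will show which declaration wins. For Gradle builds that apply the `io.spring.dependency-management` plugin, the equivalent is `ext['json-path.version'] = '2.9.0'` in `build.gradle`. Overriding the version this way is a workaround for builds on an unsupported Boot line, not a substitute for moving to a supported release.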

@mike-lloyd03 (Author)

Thank you @wilkinsona

@philwebb philwebb added for: external-project For an external project and not something we can fix and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 29, 2024
@wilkinsona wilkinsona closed this as not planned Won't fix, can't repro, duplicate, stale Jan 30, 2024
@bclozel bclozel pinned this issue Jan 30, 2024
@bclozel bclozel changed the title com.jayway.jsonpath:json-path is vulnerable to Buffer Overflow: CVE-2023-51074 json-path is vulnerable to CVE-2023-51074 Jan 30, 2024
@bclozel bclozel self-assigned this Feb 4, 2024
@bclozel bclozel added type: dependency-upgrade A dependency upgrade and removed for: external-project For an external project and not something we can fix labels Feb 4, 2024
@bclozel bclozel added this to the 3.1.9 milestone Feb 4, 2024
@bclozel bclozel reopened this Feb 4, 2024
@bclozel bclozel changed the title json-path is vulnerable to CVE-2023-51074 Upgrade to JsonPath 2.9.0 Feb 4, 2024
@bclozel bclozel closed this as completed in 5706022 Feb 4, 2024
@wilkinsona wilkinsona unpinned this issue Feb 23, 2024