
[Snyk:High] net.minidev:json-smart Denial of Service (DoS)(due by 05/31/2023) #5417

Status: Closed
pkfec opened this issue Apr 19, 2023 · 2 comments · Fixed by #5436
Labels: Security: high Remediate within 30 days

Comments

pkfec (Contributor) commented Apr 19, 2023

Overview
net.minidev:json-smart is a Java JSON parser. Affected versions of this package are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object.

NOTE: Although this vulnerability was fixed in version 2.4.9, the maintainer recommends upgrading to 2.4.10, due to a remaining bug.

Introduced through: org.flywaydb:flyway-commandline@9.16.3
Fixed in: net.minidev:json-smart@2.4.9

Detailed paths
Introduced through: unknown:unknown@0.0.0 › org.flywaydb:flyway-commandline@9.16.3 › com.microsoft.azure:msal4j@1.13.7 › net.minidev:json-smart@2.4.8
Fix: Your dependencies are out of date, otherwise you would be using a newer net.minidev:json-smart than net.minidev:json-smart@2.4.8. Try reinstalling your dependencies. If the problem persists, one of your dependencies may be bundling outdated modules.
Introduced through: unknown:unknown@0.0.0 › org.flywaydb:flyway-commandline@9.16.3 › com.microsoft.azure:msal4j@1.13.7 › com.nimbusds:oauth2-oidc-sdk@9.35 › net.minidev:json-smart@2.4.8

https://app.snyk.io/org/fecgov/project/e6c155e9-f0ac-4a49-98fa-83c24f5b74b3#issue-SNYK-JAVA-NETMINIDEV-3369748

Action items:

  • Upgrade flyway to the latest version

Completion criteria

  • Snyk no longer flagging this error
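Because the reported failure is a StackOverflowError triggered by nesting depth, a cheap pre-parse depth limit on untrusted JSON reduces exposure until the transitive upgrade (flyway → msal4j → json-smart) lands. This is an added example, not code from this project or from json-smart; the `maxDepth` value and the constructed sample inputs are assumptions, and the real parser still validates the document afterwards.

```java
/** Rejects JSON whose array/object nesting exceeds maxDepth before it reaches a recursive parser. */
public final class JsonDepthGuard {
    private JsonDepthGuard() {}

    /**
     * Linear scan that counts open brackets/braces outside string literals.
     * It is deliberately lenient on malformed input: its only job is to bound depth,
     * full validation is left to the JSON parser that runs after this check.
     */
    public static boolean withinDepth(String json, int maxDepth) {
        int depth = 0;
        boolean inString = false;
        boolean escaped = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                // Brackets inside string literals do not nest; honour backslash escapes.
                if (escaped) { escaped = false; }
                else if (c == '\\') { escaped = true; }
                else if (c == '"') { inString = false; }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '[': case '{':
                    if (++depth > maxDepth) return false; // reject before any recursion happens
                    break;
                case ']': case '}':
                    if (depth > 0) depth--;
                    break;
                default: break;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: 100,000 nested arrays, the shape that exhausts a recursive parser's stack.
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 100_000; i++) deep.append('[');
        for (int i = 0; i < 100_000; i++) deep.append(']');
        int maxDepth = 64; // assumed limit; pick one that covers your real documents
        System.out.println("benign document accepted: " + withinDepth("{\"a\":[1,[2,\"[[[\"]]}", maxDepth));
        System.out.println("deeply nested document accepted: " + withinDepth(deep.toString(), maxDepth));
    }
}
```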
pkfec added the Security: high Remediate within 30 days label Apr 19, 2023
pkfec added this to the Sprint 21.4 milestone Apr 19, 2023
pkfec mentioned this issue Apr 19, 2023
tmpayton self-assigned this Apr 24, 2023
pkfec mentioned this issue Apr 27, 2023

pkfec (Contributor, Author) commented May 1, 2023

@tmpayton Flyway 9.17.0 is now available

tmpayton (Contributor) commented May 1, 2023

@pkfec Thank you!
