schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072 #317

fredrikls · 2023-12-22T10:48:47Z

Currently:
software.amazon.glue:schema-registry-serde:jar:1.1.17 → com.github.erosb:everit-json-schema:jar:1.14.2 → org.json:json:jar:20230227

Fix:
Fixed in com.github.erosb:everit-json-schema:jar:1.14.3 -> org.json:json:jar:20231013

lapostoj · 2024-02-22T11:19:47Z

It looks like this was released on the January one so it probably can be closed?
https://github.com/awslabs/aws-glue-schema-registry/releases/tag/v1.1.18

yhgillet · 2024-04-26T18:57:32Z

We see still the same issue also for 1.1.19, for some reason the transitive json version shown in intellij for our project doesnt match the one in source
Our project:

From the source code:

And it has been flagged by our snyk scan also

yhgillet · 2024-05-08T18:34:14Z

Any updates ? I've created a PR that should fix it

blacktooth added PR welcome Users are welcome to submit PR dependencies Pull requests that update a dependency file labels Jan 3, 2024

yhgillet mentioned this issue Apr 26, 2024

Fix for CVE-2023-5072 with transitive json dependency #342

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072 #317

schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072 #317

fredrikls commented Dec 22, 2023

lapostoj commented Feb 22, 2024

yhgillet commented Apr 26, 2024 •

edited

Loading

yhgillet commented May 8, 2024

schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072 #317

schema-registry-serde:1.1.17 transient dependency org.json:json:jar:20230227 CVE-2023-5072 #317

Comments

fredrikls commented Dec 22, 2023

lapostoj commented Feb 22, 2024

yhgillet commented Apr 26, 2024 • edited Loading

yhgillet commented May 8, 2024

yhgillet commented Apr 26, 2024 •

edited

Loading