[BUILD-1098] Dismiss CVE concerning json-io Created: 20/Jun/23 Updated: 05/Jul/23 Resolved: 30/Jun/23
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | BOM 5.7.27, BOM 6.2.35 |
| Fix Version/s: | None |
| Type: | Task | Priority: | Neutral |
| Reporter: | Federico Grilli | Assignee: | Federico Grilli |
| Resolution: | Done | Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Team: | |
| Work Started: | |
| Approved: | Yes |
| Description |
[ERROR] json-io-4.14.0.jar: CVE-2023-34610(7.5) Awaiting analysis https://nvd.nist.gov/vuln/detail/CVE-2023-34610

Apparently only used by the cache browser app in dx-core 6.2.x:

[INFO] | +- info.magnolia.cache:magnolia-cache-browser-app:jar:5.9.6:compile
[INFO] | | \- com.cedarsoftware:json-io:jar:4.14.0:compile

Magnolia is already at the latest json-io version at the moment of writing. Perhaps worth moving to gson there, which seems to be more actively maintained? https://github.com/jdereg/json-io

Update

No reaction from vendor after more than one month. According to https://github.com/jdereg/json-io/issues/169, Magnolia uses the potentially vulnerable API (JsonReader.jsonToJava) at https://git.magnolia-cms.com/projects/MODULES/repos/cache/browse/magnolia-cache-browser-app/src/main/java/info/magnolia/cache/browser/rest/endpoint/CacheEndpoint.java#219. Alternatively one could replace json-io with gson. |
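The json-io-to-Gson replacement the ticket suggests, sketched as an added example. This is not Magnolia's code and not the contents of CacheEndpoint.java (which this page does not show); the CacheKeyParsing class, the list-of-string-maps payload shape and the sample input are assumptions made for illustration.

```java
import com.cedarsoftware.util.io.JsonReader;
import com.google.gson.Gson;
import com.google.gson.JsonSyntaxException;
import com.google.gson.reflect.TypeToken;
import java.lang.reflect.Type;
import java.util.List;
import java.util.Map;

/**
 * Illustrative only (assumed class name, not Magnolia code): the shape of the
 * json-io -> Gson swap proposed in the ticket, for an endpoint that parses
 * request JSON with JsonReader.jsonToJava.
 */
public class CacheKeyParsing {

    /** Constructed sample payload; the real endpoint's schema is not on this page. */
    static final String SAMPLE = "[{\"uuid\":\"abc\",\"path\":\"/home\"}]";

    /**
     * Before: json-io's public entry point. The runtime type of the returned
     * Object is chosen by the document itself (json-io honours an "@type" key
     * naming a Java class), so the caller has no say in what gets instantiated.
     */
    static Object parseWithJsonIo(String json) {
        return JsonReader.jsonToJava(json);
    }

    /**
     * After: Gson binds the document to a type the caller declares. An "@type"
     * key in the input is just another map entry here; it never selects a class.
     * Gson returns null for an empty document and throws on malformed input;
     * both are turned into an IllegalArgumentException the endpoint can map to
     * a 400 response.
     */
    static List<Map<String, String>> parseWithGson(String json) {
        Type target = new TypeToken<List<Map<String, String>>>() {}.getType();
        try {
            List<Map<String, String>> keys = new Gson().fromJson(json, target);
            if (keys == null) {
                throw new IllegalArgumentException("empty cache key payload");
            }
            return keys;
        } catch (JsonSyntaxException e) {
            throw new IllegalArgumentException("malformed cache key payload", e);
        }
    }

    public static void main(String[] args) {
        List<Map<String, String>> keys = parseWithGson(SAMPLE);
        System.out.println(keys.get(0).get("uuid") + " " + keys.get(0).get("path"));

        // The same document decorated with a type hint: Gson keeps it as plain data.
        String hinted = "[{\"@type\":\"java.util.HashMap\",\"uuid\":\"abc\"}]";
        System.out.println(parseWithGson(hinted).get(0).get("@type"));
    }
}
```

The point of the swap is that the target type is fixed at the call site rather than read from untrusted input; whatever the final analysis of CVE-2023-34610 says, a REST endpoint that accepts JSON from clients should not let the document choose the Java class it is deserialised into. Building requires com.google.code.gson:gson on the classpath in place of com.cedarsoftware:json-io, and the declared payload type must match what the cache browser client actually sends, which this ticket does not document.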