json-patch-1.13.jar: CVE-2021-4279(9.8) #144

Open
dmitry-weirdo opened this issue Jan 5, 2023 · 1 comment
Comments

@dmitry-weirdo

dmitry-weirdo commented Jan 5, 2023

The dependency check is now failing on json-patch:

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.3:check (default-cli) on project ins-app: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0': 
[ERROR] 
[ERROR] json-patch-1.13.jar: CVE-2021-4279(9.8)

CVE is https://nvd.nist.gov/vuln/detail/CVE-2021-4279

The fix PR is probably here (Starcounter-Jack/JSON-Patch@7ad6af4). But it is another repository?

Although this library version is pretty old, I found this CVE as a dependency of io.swagger.parser.v3:swagger-parser:jar:2.1.7, see swagger-api/swagger-parser#1867.

@swiss-chris

swiss-chris commented Jan 12, 2023

Looks to me like an error in the dependency check. The vulnerability is in a different repo, as you said. See also here jeremylong/DependencyCheck#5212
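Since the thread concludes this is a dependency-check false positive (the CVE belongs to Starcounter-Jack/JSON-Patch, a different project, as noted above), the practical workaround is a suppression entry scoped to exactly this jar and this CVE. The following is an added example, not from the issue or from the json-patch project: it uses only the jar filename and CVE id from the error output above, and assumes the file is wired into the plugin through its `suppressionFile` configuration parameter.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for dependency-check (not from the issue). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        False positive: CVE-2021-4279 is filed against Starcounter-Jack/JSON-Patch
        (a different project), not against the Java json-patch artifact.
        Matches only the jar named in the scanner output above.
        ]]></notes>
        <!-- filePath is a regex over the full path of the scanned file. -->
        <filePath regex="true">.*json-patch-1\.13\.jar$</filePath>
        <!-- Suppress only this CVE, so genuine future findings stay visible. -->
        <cve>CVE-2021-4279</cve>
    </suppress>
</suppressions>
```

Matching on the reported filename keeps the suppression narrow; a `packageUrl` regex on the Maven coordinates would cover other versions too, but pinning the single CVE rather than the whole artifact means a real json-patch finding would still fail the build.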
