
update json-smart version #612

Merged
siddhijain merged 2 commits into dev from SJAIN/update-json-dependency
Mar 27, 2023

Conversation

@siddhijain (Contributor) commented Mar 24, 2023

Updated version due to a security vulnerability in 2.4.8.

@siddhijain siddhijain requested a review from bgavrilMS March 24, 2023 20:39
@jeanbisutti

Hi @bgavrilMS
I work on Java Application Insights. MSAL is a transitive dependency.
One of our users would like to know if CVE-2023-1370 is exploitable. Would MSAL use json-smart features potentially exposed to CVE-2023-1370? Thanks.

Updated json-smart version to a 'bug-free' version
@siddhijain (Contributor, Author)

> Hi @bgavrilMS I work on Java Application Insights. MSAL is a transitive dependency. One of our users would like to know if CVE-2023-1370 is exploitable. Would MSAL use json-smart features potentially exposed to CVE-2023-1370? Thanks.

@jeanbisutti Msal Java uses a class of net-minidev.json-smart to pass json objects to another library 'nimbus' for processing. From the way msal java uses json-smart, it does not look like it will be susceptible to the vulnerability. However, to be on the safer side, this PR updates the json-smart version to a secured version 2.4.10. Once merged, I will release a hotfix that you can consume in your application.   
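For a consumer that, like the Application Insights case above, only receives json-smart transitively and cannot wait for the hotfix, the usual mitigation is to pin the patched version at the top of its own dependency graph so that every transitive request for net.minidev:json-smart resolves to it. The Maven fragment below is an added example, not code from this pull request or from MSAL; it assumes the consuming project builds with Maven, and the project coordinates (example.org:my-service) are constructed placeholders. The version 2.4.10 is the one named in the comment above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from this PR or from MSAL): a consumer's pom.xml
     that forces every transitive use of net.minidev:json-smart onto the
     patched release named in the PR. The project coordinates below are
     constructed placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.org</groupId>
  <artifactId>my-service</artifactId>
  <version>1.0.0</version>

  <!-- Versions declared here override the version any transitive
       dependency (for example MSAL Java) would otherwise pull in. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <!-- Patched version from the PR above; raise it again when a
             newer fixed release is published. -->
        <version>2.4.10</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After adding the pin, confirm that it actually took effect with `mvn dependency:tree -Dincludes=net.minidev:json-smart`, which prints only the json-smart nodes of the resolved tree; every occurrence should now show 2.4.10. Keep the pin until the hotfix release mentioned above is consumed, then remove it so the library's own declared version is tracked again.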

@jeanbisutti

Thanks a lot @siddhijain!
