CVE-2023-1370

[arvicloveria]

PRISMA Security scanner is reporting CVE-2023-1370 found in JAVA applicationinsights-runtime-attach-3.4.10.jar/applicationinsights-agent-3.4.10.jar.

Could someone please help to confirm if this is exploitable in the current agent?

[jeanbisutti]

Hi @arvicloveria,
json-smart is a transitive dependency. I have asked the question to MSAL library.

[arvicloveria]

Thank you @jeanbisutti. How soon will the fix be released? Any work-around for us to update the version of json-smart from my end? I tried upgrading the json-smart by implicitly declaring the 2.4.10 version in my pom.xml but 2.4.8 from the Java Agent still being loaded in our application.

[jeanbisutti]

@arvicloveria Application Insights does not seem to be affected by this vulnerability, see. It is not possible to override an agent dependency from your code. We have upgraded json-smart for this CVE and will do a release in the next days.

[arvicloveria]

Great! We'll wait on the new version then. Thank you, @jeanbisutti

[akundy]

When can we expect the new version roll out ? Any dates planned ??
@jeanbisutti