json-smart Uncontrolled Recursion vulnerabilty

[naman7kr]

./gradlew build in applicationInsights-Java release 3.4.12 code is downloading two jars of net.minidev:json-smart, one with version 2.4.8 and another with version 2.4.10. The version 2.4.8 is vulnerable. Affected versions of net.minidev:json-smart are vulnerable to Denial of Service (DoS) due to a StackOverflowError when parsing a deeply nested JSON array or object. I am able to catch the vulnerability in ACR security scan

[heyams]

We used 2.4.10, but there is a transitive dependency: json-smart -> com.microsoft.azure:msal4j:1.13.5 -> com.azure:azure-identity -> Java agent.
There was an upstream fix: AzureAD/microsoft-authentication-library-for-java#612, which has been merged. We just need to wait for their new release and update the dependency.

[heyams]

We will notify you whenever the update happens. @naman7kr

[heyams]

@naman7kr can you help me understand what you are trying to accomplish? we use 2.4.10 and it downloads the transient 2.4.8 when you try to build our agent locally, and it's just the gradle doing its thing.

 Please let us know if anything in our agent that doesn't meet you need so that you would need to customize it in certain way?

[naman7kr]

@heyams our security scan is showing application insights jar vulnerable due to 2.4.8 json-smart dependency. I am waiting for the fix to be released.

[heyams]

@naman7kr can you share where you get the application insights jar, maven central, git releases, or your local copy?
As I have confirmed previously, we don't use 2.4.10. #3029 will make sure 2.4.10 is overriding transitive dependency.

[naman7kr]

i am using 3.4.12 version of application insights, https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.4.12/applicationinsights-agent-3.4.12.jar

[trask]

hi @naman7kr, where are you seeing 2.4.8 in that jar file?

In the META-INF/licenses/more-licenses.md, I see

42 Group: net.minidev Name: json-smart Version: 2.4.10

• Project URL: https://urielch.github.io/
• Manifest License: Apache License, Version 2.0 (Not Packaged)
• POM License: Apache License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0