Vulnerabilities in the last version json-20240303.jar UNRESOLVED

[peterpilgrim]

Hello there.

Perhaps, someone already reported this since March 2024
Are you aware thatNIST NVD is reporting vulnerabilities in the last release version of JSON ?

Namely, most are suppressing JSON JAR

<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2025-03-23">
  
   <! --... -->

    <cve>CVE-2022-45688</cve>  <!-- json-20240303.jar  UNRESOLVED -->
    <cve>CVE-2023-5072</cve>   <!-- json-20240303.jar  UNRESOLVED -->

   <! --... -->
  </suppress>
</suppressions>

[johnjaylward]

both of those CVE have been fixed (#720 and #772). Both fixes are merged and in the latest release. Seems like whatever tool you are using is flagging the library incorrectly

[johnjaylward]

to be 100% clear, NVD is reporting these as fixed:

• https://nvd.nist.gov/vuln/detail/CVE-2023-5072 => fixed after 20230618
• https://nvd.nist.gov/vuln/detail/CVE-2022-45688 => fixed in 20230227

[stleary]

Closing due to all known vulnerabilities addressed as of v20241224