Dependency on the vulnerable org.json:json:20220320

[alok1111]

CVE-2023-5072
CVE-2022-45688

Expected Behavior

No dependencies with vulnerabilities

Current Behavior

2 High vulnerabilities

Possible Solution

Update org.json:json to the recent version

[alok1111]

Hello Team, can you please provide your thoughts about the issue? Is it safe to run the client in production? Do you have plans to update the dependency?

[alok1111]

Also, I noticed that you already have a PR that addresses one of the vulnerabilities, but you didn't merge it, provide any response or fix the issue yourself. Why?

[izaaz]

@alok1111 thanks for creating this ticket. I am taking a look at this and will update soon.

[alok1111]

@izaaz is there any news?

[izaaz]

@alok1111 the patch was just released in version 1.12.1

[izaaz]

Correction. The package has been deployed to a staging env. I'll update this issue once it's generally available.

[alok1111]

@izaaz thank you for the update.
1.21.1 fixes only one vulnerability - CVE-2022-45688. Would please fix also CVE-2023-5072? To do that you need to upgrade org.json:json at least to 20231013.
Also noticed that the org.json:json versions are out of sync between demo, main and test. So probably the project tests run on a wrong version.

[izaaz]

Thanks @alok1111. All packages are updated and use the version 20231013. The latest version 1.12.2 is now available.