Security vulnerability for Json-smart

Hi,

As per NVD, the json-smart 2.2 version present in readonlyrest-1.34.0_es7.10.0.zip is vulnerable.

Vulnerability Links are as follows:

  1. NVD - CVE-2021-27568

Please look into this.

Thanks for the report. We will check it immediately.

This is fixed in ROR 1.35.1

Can you please let me know which version of json smart you upgraded in ROR 1.35.1?

It’s net.minidev:json-smart:2.4.7

There is a json-smart in ror-shadowed-libs-all.jar. Could you please let me know which version of json-smart you are using there?

The one I’ve mentioned above:

> ./gradlew clean ror-shadowed-libs:dependencies

> Task :ror-shadowed-libs:dependencies

------------------------------------------------------------
Project :ror-shadowed-libs
------------------------------------------------------------

annotationProcessor - Annotation processors and their dependencies for source set 'main'.
No dependencies

apiElements - API elements for main. (n)
No dependencies

archives - Configuration for archive artifacts.
No dependencies

compile - Dependencies for source set 'main' (deprecated, use 'implementation' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

compileClasspath - Compile classpath for source set 'main'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

compileOnly - Compile only dependencies for source set 'main'.
No dependencies

default - Configuration for default artifacts.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

implementation - Implementation only dependencies for source set 'main'. (n)
No dependencies

runtime - Runtime dependencies for source set 'main' (deprecated, use 'runtimeOnly' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

runtimeElements - Elements of runtime for main. (n)
No dependencies

runtimeOnly - Runtime only dependencies for source set 'main'. (n)
No dependencies

shadow
No dependencies

shadowCompile
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

testAnnotationProcessor - Annotation processors and their dependencies for source set 'test'.
No dependencies

testCompile - Dependencies for source set 'test' (deprecated, use 'testImplementation' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

testCompileClasspath - Compile classpath for source set 'test'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

testCompileOnly - Compile only dependencies for source set 'test'.
No dependencies

testImplementation - Implementation only dependencies for source set 'test'. (n)
No dependencies

testRuntime - Runtime dependencies for source set 'test' (deprecated, use 'testRuntimeOnly' instead).
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

testRuntimeClasspath - Runtime classpath of source set 'test'.
+--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.4
|    +--- com.fasterxml.jackson.core:jackson-databind:2.12.4
|    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.12.4
|    |    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
|    +--- org.yaml:snakeyaml:1.27 -> 1.29
|    \--- com.fasterxml.jackson.core:jackson-core:2.12.4
+--- com.fasterxml.jackson.core:jackson-databind:2.12.4 (*)
+--- org.yaml:snakeyaml:1.29
\--- com.jayway.jsonpath:json-path:2.6.0
     +--- net.minidev:json-smart:2.4.7
     |    \--- net.minidev:accessors-smart:2.4.7
     |         \--- org.ow2.asm:asm:9.1
     \--- org.slf4j:slf4j-api:1.7.30

testRuntimeOnly - Runtime only dependencies for source set 'test'. (n)
No dependencies

(*) - dependencies omitted (listed previously)

A web-based, searchable dependency report is available by adding the --scan option.

Deprecated Gradle features were used in this build, making it incompatible with Gradle 5.0.
Use '--warning-mode all' to show the individual deprecation warnings.
See https://docs.gradle.org/4.10.2/userguide/command_line_interface.html#sec:command_line_warnings
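A practitioner-side check for the question raised in this thread (which json-smart actually ships inside ror-shadowed-libs-all.jar): the Gradle dependency report above shows the resolved dependency graph, but the shaded jar is the artifact that gets deployed, so the bundled version can also be read from the jar itself. The following is an added example, not ReadonlyREST project code. It relies on the Maven pom.properties markers under META-INF/maven/ surviving the shading step (an assumption; the Gradle Shadow plugin keeps them by default, but a configuration that excludes META-INF/ would leave nothing to read, in which case the check reports no version rather than guessing). The sample jar it builds is constructed inline as a stand-in for the real artifact, and it compares the bundled version against 2.4.7, the version the maintainer states ROR 1.35.1 upgraded to.

```python
"""Read the json-smart version bundled inside a shaded jar and compare it
with the version the thread names as the fix (2.4.7).

Added example, not part of the ReadonlyREST project. Assumption: the
META-INF/maven/<groupId>/<artifactId>/pom.properties markers survived shading.
"""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

POM_PROPERTIES = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Version the thread states ROR 1.35.1 shades; anything below is not that fix.
EXPECTED_JSON_SMART = "2.4.7"


def bundled_artifacts(jar_bytes: bytes) -> Dict[str, str]:
    """Map 'groupId:artifactId' -> version for every Maven module shaded into the jar."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = POM_PROPERTIES.match(name)
            if not m:
                continue
            props: Dict[str, str] = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                line = line.strip()
                if not line or line.startswith("#") or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                props[key.strip()] = value.strip()
            # Prefer the coordinates written in the file; fall back to the path.
            gid = props.get("groupId", m.group(1))
            aid = props.get("artifactId", m.group(2))
            if "version" in props:
                found[f"{gid}:{aid}"] = props["version"]
    return found


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-prefix comparison: '2.4.7' -> (2, 4, 7); qualifiers such as '-SNAPSHOT' are dropped."""
    nums = re.match(r"[\d.]+", v)
    return tuple(int(p) for p in nums.group(0).split(".") if p) if nums else ()


def check_json_smart(jar_bytes: bytes, expected: str = EXPECTED_JSON_SMART) -> Tuple[Optional[str], bool]:
    """Return (bundled net.minidev:json-smart version or None, whether it is >= expected)."""
    version = bundled_artifacts(jar_bytes).get("net.minidev:json-smart")
    if version is None:
        return None, False
    return version, parse_version(version) >= parse_version(expected)


def make_test_jar(json_smart_version: str, with_marker: bool = True) -> bytes:
    """Constructed stand-in for ror-shadowed-libs-all.jar (not the real artifact).

    with_marker=False simulates a shading config that stripped META-INF/maven/.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("net/minidev/json/JSONValue.class", b"\xca\xfe\xba\xbe")
        if with_marker:
            jar.writestr(
                "META-INF/maven/net.minidev/json-smart/pom.properties",
                f"#Generated by Maven\nversion={json_smart_version}\n"
                "groupId=net.minidev\nartifactId=json-smart\n",
            )
            jar.writestr(
                "META-INF/maven/com.jayway.jsonpath/json-path/pom.properties",
                "version=2.6.0\ngroupId=com.jayway.jsonpath\nartifactId=json-path\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Pass the real jar path as argv[1]; without one, inspect the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_jar("2.2")
    version, ok = check_json_smart(data)
    print(f"net.minidev:json-smart bundled: {version}; at least {EXPECTED_JSON_SMART}: {ok}")
```

Run it as `python check_shaded_jar.py ror-shadowed-libs-all.jar` against the jar taken from the release zip. A result of None means the marker files were stripped, and the only remaining evidence is the class files themselves, so the Gradle report above would then be the sole source for the version claim.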