Version
5.5.0
What happened?
In a customer project, we use a library that in turn uses jena-shex and jena-arq, both in version 5.5.0. The latter depends on org.glassfish jakarta.json version 2.0.1 (jena/pom.xml, line 67 in e325baa):
    <ver.jakarta.json>2.0.1</ver.jakarta.json>
This in turn contains
https://github.com/jakartaee/jsonp-api/blob/2.0.1-RELEASE/impl/src/main/java/org/glassfish/json/JsonNumberImpl.java, which, according to a mandatory scanning tool, is affected by
https://www.cve.org/CVERecord?id=CVE-2023-4043.
Would it be possible to upgrade to a more recent implementation, e.g. org.eclipse.parsson?
(This also affects version 5.6.0)
Relevant output and stacktrace
Are you interested in making a pull request?
None
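Until the project changes its dependency, a consumer can swap the bundled org.glassfish jar for the API/implementation split on their own side. The fragment below is an added example, not code from the issue or from the Jena project; it assumes the jakarta.json:jakarta.json-api and org.eclipse.parsson:parsson artifacts, uses placeholder versions, and the exclusion has to be repeated on every dependency that pulls jena-arq in transitively (jena-shex included), otherwise the old jar comes back through that path.

```xml
<!-- Added example (not Jena's pom): consumer-side override of the JSON-P implementation.
     Assumption: the application talks to the jakarta.json API only, so the
     provider can be replaced at runtime. Versions are placeholders. -->
<dependencies>
  <dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>jena-arq</artifactId>
    <version>5.5.0</version>
    <exclusions>
      <!-- Drop the combined API+impl jar that carries the flagged JsonNumberImpl. -->
      <exclusion>
        <groupId>org.glassfish</groupId>
        <artifactId>jakarta.json</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- API only; no implementation classes in this jar. -->
  <dependency>
    <groupId>jakarta.json</groupId>
    <artifactId>jakarta.json-api</artifactId>
    <version>JAKARTA_JSON_API_VERSION_PLACEHOLDER</version>
  </dependency>

  <!-- Eclipse Parsson as the runtime provider, picked up via ServiceLoader. -->
  <dependency>
    <groupId>org.eclipse.parsson</groupId>
    <artifactId>parsson</artifactId>
    <version>PARSSON_VERSION_PLACEHOLDER</version>
    <scope>runtime</scope>
  </dependency>
</dependencies>
```

Verify the override took effect with `mvn dependency:tree -Dincludes=org.glassfish`; an empty result for org.glassfish means no path still resolves the 2.0.1 jar.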