Consider updating net.minidev:json-smart to 2.5.2 to address CVE-2024-57699

[hvub]

Consider updating net.minidev:json-smart to 2.5.2 to address CVE-2024-57699:

• GHSA-pq2g-wx69-c263
• https://nvd.nist.gov/vuln/detail/CVE-2024-57699

JsonPath/build.gradle

Line 15 in 45333e0

jsonSmart : 'net.minidev:json-smart:2.5.1',

-Thanks.

[lrozenblyum]

IMHO it's not enough
The instances of JSONParser created inside json-path should be protected in the way similar to https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/494/json-smart-and-cve-2024-57699-configure

(e.g. https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/815730fc8c3739d3f3474d1b60bd5b3eda8a49b6)

[lrozenblyum]

According to #1030 (comment) it's enough to bump a new version. So #1030 should handle current issue

[ronlangeveld]

Given the fact that json-path is a managed dependency with spring-boot-starter-parent many projects now are dealing with it with tempory fixes. Since the bump is just trivial I guess most people wouldn't mind a minor bump to 2.9.1 in the short term. Don't give Spring an excuse to start looking for alternate libraries ;)

[afiller]

Any updates on this topic? We are also waiting for an update.

[dyrnq]

stare

[kivan-mih]

Guys, please do the fix, temporary solutions due to this in the code, which is not good