
org.json:json transitive dependency has security vulnerabilities

Open lukewpatterson opened this issue 2 years ago • 2 comments

From mvn dependency:tree

[INFO] +- com.plaid:plaid-java:jar:17.0.0:compile
[INFO] |  +- org.apache.oltu.oauth2:org.apache.oltu.oauth2.client:jar:1.0.1:compile
[INFO] |  |  +- org.apache.oltu.oauth2:org.apache.oltu.oauth2.common:jar:1.0.1:compile
[INFO] |  |  |  +- org.json:json:jar:20140107:compile

My build report is showing these vulnerabilities:

  • https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-2841369
  • https://nvd.nist.gov/vuln/detail/CVE-2022-45688
  • https://nvd.nist.gov/vuln/detail/CVE-2023-5072

org.json:json release notes

They just released org.json:json:20231013, which I think fixes all the vulnerabilities.

Not sure if related to https://github.com/plaid/plaid-java/issues/283, is the intermediate dependency not even needed anyways?

lukewpatterson avatar Oct 17 '23 02:10 lukewpatterson

+1 on this ticket. This is getting flagged for vulnerabilities on our side as well and is affecting our SLAs for resolving vulnerabilities.

appurvj avatar Oct 19 '23 18:10 appurvj


Noticed this too. I resolved it with:

implementation("com.plaid:plaid-java:23.0.0") {
    exclude(group = "org.json", module = "json")
}

implementation("org.json:json:20240303")

Though, looking at Maven, there is a single vulnerability still. Better than 7.

violabs-josh avatar May 25 '24 03:05 violabs-josh
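The Maven equivalent of the Gradle exclusion above, for builds like the original reporter's, as an added example that is not from the plaid-java project or any commenter. It assumes the newer org.json release is API-compatible with what the oltu client calls, and uses the plaid-java and org.json versions mentioned in this thread.

```xml
<!-- Constructed pom.xml fragment: drop the org.json:json:20140107 that
     plaid-java pulls in through org.apache.oltu.oauth2, then declare a
     patched org.json:json directly so the oltu classes still resolve at runtime. -->
<dependencies>
  <dependency>
    <groupId>com.plaid</groupId>
    <artifactId>plaid-java</artifactId>
    <version>23.0.0</version>
    <exclusions>
      <!-- A Maven exclusion applies to the whole transitive subtree of this
           dependency, so it also removes org.json reached via oltu.common. -->
      <exclusion>
        <groupId>org.json</groupId>
        <artifactId>json</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Direct dependency on a release that addresses the reported CVEs
       (20231013 is the first such release named in this thread; 20240303 is
       the one the Gradle comment uses). -->
  <dependency>
    <groupId>org.json</groupId>
    <artifactId>json</artifactId>
    <version>20240303</version>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=org.json:json` should list only the direct 20240303 entry; if the old 20140107 still appears under another path, that dependency needs its own exclusion or a version pin in `dependencyManagement`.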