
Please fix the CVE vulnerabilities

Open shiker1996 opened this issue 7 months ago • 1 comment

org.json has a high-severity vulnerability; the version needs to be upgraded:

  1. Dependency maven:org.json:json:20160212 is vulnerable. Upgrade to 20231013

GHSA-4jq9-2xhw-jpx7, score: 8

Summary
A denial of service vulnerability in JSON-Java was discovered by "ClusterFuzz" (https://google.github.io/clusterfuzz/).  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. There are two issues: (1) the parser bug can be used to circumvent a check that is supposed to prevent the key in a JSON object from itself being another JSON object; (2) if a key does end up being a JSON object then it gets converted into a string, using "\" to escape special characters, including "\" itself. So by nesting JSON objects, with a key that is a JSON object that has a key that is a JSON object, and so on, we can get an exponential number of "\" characters in the escaped string.

GHSA-3vqj-43w4-2q58, score: 7.5

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 and org.json:json before version 20230227 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Read more: https://osv.dev/vulnerability/GHSA-3vqj-43w4-2q58

  2. Dependency maven:org.jetbrains.kotlin:kotlin-stdlib:1.5.32 is vulnerable. Upgrade to 1.6.0

GHSA-2qp4-g3q3-f92w, score: 5.3

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Read more: https://osv.dev/vulnerability/GHSA-2qp4-g3q3-f92w

shiker1996 avatar May 05 '25 04:05 shiker1996
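The two upgrades the issue asks for, written out as a Maven `pom.xml` fragment. This is an added illustration, not the java-sdk project's own build file: the coordinates and target versions (`org.json:json:20231013`, `org.jetbrains.kotlin:kotlin-stdlib:1.6.0`) come from the issue text; it is an assumption that `org.json:json` is a direct dependency of the project and that `kotlin-stdlib` only arrives transitively, which is why the latter is pinned through `dependencyManagement` rather than declared directly.

```xml
<!-- Added example, not the project's pom.xml. Versions are the ones the issue asks for. -->
<project>
  <properties>
    <!-- Vulnerable: 20160212 (GHSA-4jq9-2xhw-jpx7, GHSA-3vqj-43w4-2q58) -->
    <org.json.version>20231013</org.json.version>
    <!-- Vulnerable: 1.5.32 (GHSA-2qp4-g3q3-f92w); fixed in 1.6.0 -->
    <kotlin.version>1.6.0</kotlin.version>
  </properties>

  <!-- Assumption: kotlin-stdlib is pulled in transitively by another dependency.
       Pinning it here overrides the transitive 1.5.32 without adding a direct dependency. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.jetbrains.kotlin</groupId>
        <artifactId>kotlin-stdlib</artifactId>
        <version>${kotlin.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumption: org.json:json is a direct dependency; bump it in place. -->
    <dependency>
      <groupId>org.json</groupId>
      <artifactId>json</artifactId>
      <version>${org.json.version}</version>
    </dependency>
  </dependencies>
</project>
```

After applying the change, `mvn dependency:tree -Dincludes=org.json,org.jetbrains.kotlin` shows which versions actually end up on the classpath; if `kotlin-stdlib:1.5.32` still appears, some other artifact declares it with a narrower scope or a different artifact id (for example `kotlin-stdlib-jdk8`) that the single `dependencyManagement` entry above does not cover and must be pinned as well.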

https://github.com/upyun/java-sdk/pull/32

shiker1996 avatar May 05 '25 04:05 shiker1996