> Sorry to reach you again.
> Currently we found another CVE reported on json-java, https://nvd.nist.gov/vuln/detail/CVE-2023-5072. Due to the license reference to json-java, our scan tool BDBA also reported this vuln on jettison.
> Would you help assess whether jettison is affected by the vuln? According to their fix, the enhancement occurs on JSONObject. stleary/JSON-java#758 stleary/JSON-java#771
There are some tests therein that were added to detect wrong situations related to this vulnerability. For instance, if one creates a JSONObject from the strings
`{{"foo": "bar"}: "baz"}`, `{"a": 1, [{"foo": "bar"}]: "baz"}`, `{foo}: 2}`, or `{key1:value1, key2:42, 1.2 : 3.4, -7e5 : something!}`,
then json-java ensures an exception is raised with the appropriate error message.
With version 1.5.4 of jettison I just found out that, respectively, with these four strings:

1. `Exception in thread "main" org.codehaus.jettison.json.JSONException: Expected a key at character 2 of {{"foo": "bar"}: "baz"}`
2. Nothing special happens
3. `Exception in thread "main" org.codehaus.jettison.json.JSONException: Expected a ':' after a key at character 5 of {foo}: 2}`
4. Nothing special happens
I would tend to think that at least part of the problems in CVE-2023-5072 are not covered by jettison/1.5.4, but I would love to hear from you on this matter.
_(The quoted paragraphs above were originally posted by @ChewuuHi in #77 (comment).)_
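As an added check, not code from the issue or from the jettison project, the following Java harness runs the four strings quoted above through jettison's `JSONObject(String)` constructor and reports, per input, whether a `JSONException` was thrown, whether the string was accepted (and what it was parsed into), or whether some other error escaped. The class name `MalformedKeyCheck` is mine; it assumes jettison is on the classpath and uses only the constructor and `toString()` of `org.codehaus.jettison.json.JSONObject`. An `ACCEPTED` verdict corresponds to the "Nothing special happens" cases in the report, and the printed parse result shows what the parser silently made of the malformed key.

```java
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;

import java.util.ArrayList;
import java.util.List;

/**
 * MalformedKeyCheck: an added triage harness (not part of jettison or of the
 * original issue). It feeds the four malformed-key inputs from the issue (the
 * JSON-java regression cases) to jettison's JSONObject(String) constructor and
 * records, for each one, whether the parser rejected it, silently accepted it,
 * or failed with something other than a JSONException.
 *
 * Assumes jettison (e.g. 1.5.4, the version discussed) is on the classpath.
 */
public class MalformedKeyCheck {

    /** Inputs copied from the issue text; JSON-java expects each to be rejected. */
    static final String[] INPUTS = {
        "{{\"foo\": \"bar\"}: \"baz\"}",
        "{\"a\": 1, [{\"foo\": \"bar\"}]: \"baz\"}",
        "{foo}: 2}",
        "{key1:value1, key2:42, 1.2 : 3.4, -7e5 : something!}"
    };

    /** What happened when one input was parsed. */
    static final class Outcome {
        final String input;
        final String verdict;  // "REJECTED", "ACCEPTED" or "CRASHED"
        final String detail;   // exception message, or what the parser produced

        Outcome(String input, String verdict, String detail) {
            this.input = input;
            this.verdict = verdict;
            this.detail = detail;
        }

        @Override
        public String toString() {
            return verdict + "  " + input + "\n    -> " + detail;
        }
    }

    /** Parse one string and classify the result; never lets an exception escape. */
    static Outcome tryParse(String input) {
        try {
            JSONObject parsed = new JSONObject(input);
            // The parser did not complain: show what it built so a reviewer can
            // judge whether a malformed key was silently turned into something else.
            return new Outcome(input, "ACCEPTED", "parsed as " + parsed.toString());
        } catch (JSONException e) {
            // This is the behaviour the JSON-java tests require.
            return new Outcome(input, "REJECTED", e.getMessage());
        } catch (Throwable t) {
            // Anything else (an Error or an unchecked exception) is neither a
            // clean reject nor an accept and is flagged separately.
            return new Outcome(input, "CRASHED",
                    t.getClass().getName() + ": " + t.getMessage());
        }
    }

    /** Run every input and return the outcomes so they can be inspected or asserted on. */
    static List<Outcome> runAll() {
        List<Outcome> outcomes = new ArrayList<>();
        for (String s : INPUTS) {
            outcomes.add(tryParse(s));
        }
        return outcomes;
    }

    public static void main(String[] args) {
        int notRejected = 0;
        for (Outcome o : runAll()) {
            System.out.println(o);
            if (!"REJECTED".equals(o.verdict)) {
                notRejected++;
            }
        }
        System.out.println(notRejected + " of " + INPUTS.length
                + " malformed inputs were not rejected with a JSONException");
    }
}
```

Compile and run it with the jettison jar on the classpath (the jar name below is an assumption; adjust it to the artifact you are testing): `javac -cp jettison-1.5.4.jar MalformedKeyCheck.java && java -cp jettison-1.5.4.jar:. MalformedKeyCheck`. Re-running the same harness against a newer jettison build makes the comparison with the JSON-java test expectations mechanical: every input should end up as `REJECTED`.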