fix CVE-2024-57699 for predefined parsers

[ccudennec-otto]

fixes #232

Hi @UrielCh!

This is my first PR in your project. I hope it helps to fix the new CVE. I hope that I took the right approach.

Cheers,

Christopher

[norrisjeremy]

Is there a reason for all the whitespace changes?
It makes this PR harder to review.

[ccudennec-otto]

Is there a reason for all the whitespace changes?
It makes this PR harder to review.

@norrisjeremy
Agreed! I've reverted the whitespace changes - those got added by my IDE and I missed to double-check the diffs.

[hezhangjian]

I think it's reason to default security, WDYT @UrielCh

[UrielCh]

the changelog is up to date, nice.

[UrielCh]

so the change is that LIMIT_JSON_DEPTH was not enabled by default ?

[cricstats]

When will the new 2.5.2 release be available in the maven repo ?

[ccudennec-otto]

Hi @UrielCh and thanks for merging! 🌻

so the change is that LIMIT_JSON_DEPTH was not enabled by default ?

Yes, exactly. Now we're defaulting to security to quote @hezhangjian 🙂

Everyone who creates their own parser instead of using the default MODE constants still needs to enable the option, though.

When will the new 2.5.2 release be available in the maven repo ?

A new release would be highly appreciated by the Spring Security world. 😄

[ccudennec-otto]

I think this comments is also helpful (taken from https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/494/json-smart-and-cve-2024-57699-configure)

All JSON parsing in the OIDC SDK is done in JSONUtils. The CVE fix can be applied here, independently of the upstream fix.

That means:

• com.nimbusds:oauth2-oidc-sdk is able to fix this issue on their side without waiting for a new release of json-smart; they've released version 11.22.1 that fixes the issue.
• if you manage the JSONParser in your project, you can / must take care of enabling the option yourself

[UrielCh]

I’ve submitted a request to migrate my access to the new central.sonatype.com and am awaiting validation from support.

[cricstats]

I’ve submitted a request to migrate my access to the new central.sonatype.com and am awaiting validation from support.

Thank you we are eagerly awaiting the release for this .

[airvine-r7]

Likewise, awaiting this release ASAP.

[yeikel]

Submitted github/advisory-database#5257 to document the fix in GH Advisory database

[airvine-r7]

Any update on this? @UrielCh

[UrielCh]

Last update 22h ago, sould get next update in 2hours

[cbertoldi]

I have a question: it seems that the version 2.5.2 is now available, but the older versions disappeared from the metadata XML file:
the file https://repo.maven.apache.org/maven2/net/minidev/json-smart/maven-metadata.xml contains the following:
net.minidev json-smart 2.5.2 2.5.2 2.5.2 20250212044256

no older versions are present, but if you check a mirror that probably has not been updated yet https://maven-central-eu.storage-download.googleapis.com/maven2/net/minidev/json-smart/maven-metadata.xml
it contains many older versions except the latest one: net.minidev json-smart 2.5.1 2.5.1 1.0.6.3 1.0.8 1.0.9 1.0.9-1 1.1 1.1.1 1.2 1.3 1.3.1 1.3.2 1.3.3 2.0-RC1 2.0-RC2 2.0-RC3 2.0 2.1.0 2.1.1 2.2 2.2.1 2.3 2.3.1 2.4.1 2.4.2 2.4.4 2.4.5 2.4.6 2.4.7 2.4.8 2.4.9 2.4.10 2.4.11 2.5.0 2.5.1 20240321051508

Has the 2.5.2 version been released in a different way than usual?

This change broke the mvn dependency:go-offline behaviour:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-dependency-plugin:3.8.1:go-offline (default-cli) on project slorder-mod-security: org.eclipse.aether.resolution.DependencyResolutionException: Failed to collect dependencies at org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.4.2 -> org.springframework.security:spring-security-oauth2-client:jar:6.4.2 -> com.nimbusds:oauth2-oidc-sdk:jar:9.43.4 -> net.minidev:json-smart:jar:[1.3.3,2.4.10]: No versions available for net.minidev:json-smart:jar:[1.3.3,2.4.10] within specified range

[marcelstoer]

See #240

[martinwunderlich-celonis]

Does this fix also resolve the CVE GHSA-pq2g-wx69-c263 ? If not, any plans to include that in a future update?

[ArloL]

If you look on the right hand side of GHSA-pq2g-wx69-c263 you'll see the CVE ID CVE-2024-57699 . So yes it's the same finding :)

[marcelstoer]

GHSA-pq2g-wx69-c263 references this issue. It also says

Patched versions 2.5.2

[dadoonet]

Weird. It seems that on my end 2.5.2 is still marked as containing CVE-2024-57699:

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project fscrawler-framework: Detected 1 vulnerable components:
Error:    net.minidev:json-smart:jar:2.5.2:runtime; https://ossindex.sonatype.org/component/pkg:maven/net.minidev/json-smart@2.5.2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-57699] CWE-674: Uncontrolled Recursion (8.7); https://ossindex.sonatype.org/vulnerability/CVE-2024-57699?component-type=maven&component-name=net.minidev%2Fjson-smart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

May be it's a "bug" on sonatype side? https://ossindex.sonatype.org/vulnerability/CVE-2024-57699

UPDATE: I opened: sonatype/ossindex-maven#84

[JoergSiebahn]

fyi, I added a PR for the PoC that is referenced in https://ossindex.sonatype.org/vulnerability/CVE-2024-57699 which uses 2.5.2 and does not fail with exit code 1.

[yeikel]

Weird. It seems that on my end 2.5.2 is still marked as containing CVE-2024-57699:

Error:  Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project fscrawler-framework: Detected 1 vulnerable components:
Error:    net.minidev:json-smart:jar:2.5.2:runtime; https://ossindex.sonatype.org/component/pkg:maven/net.minidev/json-smart@2.5.2?utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
Error:      * [CVE-2024-57699] CWE-674: Uncontrolled Recursion (8.7); https://ossindex.sonatype.org/vulnerability/CVE-2024-57699?component-type=maven&component-name=net.minidev%2Fjson-smart&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1

May be it's a "bug" on sonatype side? https://ossindex.sonatype.org/vulnerability/CVE-2024-57699

UPDATE: I opened: sonatype/ossindex-maven#84

This is because sonatype uses its own CVE database. We need to report to them individually that there is a known version that is not vulnerable