Fix CVE-2024-57699 for json-smart

[ukumar009]

Fixed CVE-2024-57699 for json-smart

For more information: https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699
Changelog: https://github.com/netplex/json-smart-v2

[ukumar009]

Created an issue: #1031

[precoder]

This is also interesting for us, do you plan to make a bug fix release for the CVE ?

[precoder]

This is also interesting for us, do you plan to make a bug fix release for the CVE ?

[ukumar009]

@spperforce @ppatilperforce @hezhangjian could you please let me know when this fix will be released?

[RDarnel]

For visibility, my company is also anxious to see a patch release for this CVE. Are there any active maintainers still for this repo?

[ukumar009]

Hi @hezhangjian @spperforce @ppatilperforce @oswaldobapvicjr ,

can some one please let me know when can we merge this PR and when this will be released please.

Please let us know. Lot of developers in the community are eagerly waiting for this fix.

Thanks,

[hezhangjian]

@ukumar009 I am not maintainer of JsonPath...

[ukumar009]

Hi @kallestenflo,

I hope you are doing good buddy. Could you please consider this PR gets merged? This is a high severity CVE.
Could you please let us know when this will be released? Lot of developers in the community are eagerly waiting for the fix.

Thank you.

[santhoshg015]

Hi @kallestenflo, @jochenberger, @mgreenwood1001 and @greek1979,

#1030 (comment)

Could you please merge this PR soon? It fixes a high-severity CVE. #1030 (comment)

thanks!

[lrozenblyum]

Should also the instances of JSONParser created inside json-path be protected in the way similar to https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/494/json-smart-and-cve-2024-57699-configure

(e.g. https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/815730fc8c3739d3f3474d1b60bd5b3eda8a49b6)
?

It seems that update itself is not enough to get the protection.
@julianladisch @precoder @hezhangjian @oswaldobapvicjr @spperforce @ppatilperforce

[julianladisch]

No.

jsonpath can be called with a parse mode:
https://github.com/json-path/JsonPath/blob/json-path-2.9.0/json-path/src/main/java/com/jayway/jsonpath/spi/json/JsonSmartJsonProvider.java#L42

json-smart ships with a few predefined parse modes:

• MODE_PERMISSIVE
• MODE_RFC4627
• MODE_JSON_SIMPLE
• MODE_STRICTEST
• DEFAULT_PERMISSIVE_MODE

All but the first can be affected of CVE-2024-57699.

json-smart 2.5.2 fixes CVE-2024-57699 for all predefined parse modes: https://github.com/netplex/json-smart-v2/pull/233/files

Therefore it's sufficient to bump the json-smart version to 2.5.2 to fix CVE-2024-57699 when predefined parsers (= predefined parse modes) are used.

In https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/815730fc8c3739d3f3474d1b60bd5b3eda8a49b6 no predefined parse modes are used. Therefore they need to manually add the JSONParser.LIMIT_JSON_DEPTH configuration option to fix the issue.

To fully fix the issue for jsonpath we only need to bump the json-smart version to 2.5.2, this pull request is correct and complete.

[lrozenblyum]

Thanks for clarification @julianladisch! Then we'll bump json-smart to 2.5.2 in our code as well until json-path with this PR is released.

[jettdc]

Bump on this would be great to see this merged

Is this repo still maintained?