Fix CVE-2024-57699 for json-smart

[precoder]

Membrane has a dependecy to json-path which has also a transitive dependency to json-smart.
json-smart version used by the latest json-path has a CVE which can be used to create Denial of Service Attacks.

https://nvd.nist.gov/vuln/detail/CVE-2024-57699
CVSS v3 score is 7.5

This issue is already reported to json-path but seems like there wont be a fix in short time in the json-path library as I can understand from the discussion on this pull request:

json-path/JsonPath#1030

Would you consider updating json-smart version to 2.5.2 by explicitly defining it on the pom.xml for the core module?

[predic8]

@precoder thanks for reporting. We'll have a look at.

[rrayst]

@precoder thanks for reporting. We are currently taking a look at it.

First evaluation is that only installations are affected which use JSONPath in their configurations.

If

• <replace
• JSONPATH
• jsonPath
  does not occur in your proxies.xml*, you are NOT affected.

* and you do not use weird configurations like including other files and using one of the strings mentioned in the included files (which most people do not do).

[precoder]

Thank you very much for the evaluation, yes then it is not critical for us.
Some statical CVE analysers may create false alarms but it can wait until next release, there is no rush for update 👍