Lucene search

GitHub Advisory DatabaseGHSA-5X5Q-8CGM-2HJQ

HistoryMar 31, 2023 - 10:44 p.m.

Karate has vulnerable dependency on json-smart package (CVE-2023-1370)

2023-03-3122:44:09

CWE-674

GitHub Advisory Database

github.com

karate

vulnerable dependency

json-smart

cve-2023-1370

upgrade

json-path

package

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

43.3%

JSON

Summary

Karate has vulnerable dependency on the package net.minidev:json-smart. More information is available at https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258.

How to fix it

Very simple, just upgrade json-path package to 2.8.0 (from 2.7.0) inside karate-core pom.xml ;)

Affected configurations

Vulners

Node

com.intuit.karate\karateMatchcore1.3.1

CPENameOperatorVersion
com.intuit.karate:karate-coreeq1.3.1

CPE	Name	Operator	Version
	com.intuit.karate:karate-core	eq	1.3.1

References

github.com/advisories/GHSA-5x5q-8cgm-2hjq

github.com/karatelabs/karate/security/advisories/GHSA-5x5q-8cgm-2hjq

github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258

nvd.nist.gov/vuln/detail/CVE-2023-1370

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

43.3%

JSON

Related for GHSA-5X5Q-8CGM-2HJQ