GitHub Advisory Database: GHSA-5X5Q-8CGM-2HJQ
History: Mar 31, 2023 - 10:44 p.m.

Karate has vulnerable dependency on json-smart package (CVE-2023-1370)

2023-03-31 22:44:09
CWE-674
GitHub Advisory Database (github.com)
Tags: karate, vulnerable dependency, json-smart, cve-2023-1370, upgrade, json-path, package

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 43.2%

Summary

Karate has vulnerable dependency on the package net.minidev:json-smart. More information is available at https://github.com/oswaldobapvicjr/jsonmerge/security/advisories/GHSA-493p-pfq6-5258.


How to fix it

The fix is simple: upgrade the json-path dependency in the karate-core pom.xml from 2.7.0 to 2.8.0.
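A quick way to verify that a Maven module actually carries the fix is to parse its pom.xml and compare the declared json-path version against 2.8.0. The checker below is an added example, not code from the Karate project or this advisory; the sample pom embedded in it is constructed for illustration and is not the real karate-core pom.

```python
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"  # default Maven POM namespace
FIXED = (2, 8, 0)  # json-path version the advisory names as the fix (2.7.0 -> 2.8.0)

def parse_version(text):
    """'2.10.1-SNAPSHOT' -> (2, 10, 1); unparseable pieces become 0 (conservative)."""
    parts = []
    for piece in text.split("."):
        head = piece.split("-")[0]
        parts.append(int(head) if head.isdigit() else 0)
    return tuple(parts)

def maven_properties(root):
    """Map of <properties> names to values, e.g. {'json-path.version': '2.7.0'}."""
    props = root.find(f"{NS}properties")
    return {} if props is None else {p.tag.replace(NS, ""): (p.text or "") for p in props}

def find_json_path_versions(pom_xml):
    """Every declared version of com.jayway.jsonpath:json-path, with ${...} resolved.
    An unresolved property is returned as-is, which parse_version then scores as 0."""
    root = ET.fromstring(pom_xml)
    props = maven_properties(root)
    versions = []
    for dep in root.iter(f"{NS}dependency"):
        gid = dep.findtext(f"{NS}groupId")
        aid = dep.findtext(f"{NS}artifactId")
        ver = dep.findtext(f"{NS}version") or ""
        if gid == "com.jayway.jsonpath" and aid == "json-path" and ver:
            if ver.startswith("${") and ver.endswith("}"):
                ver = props.get(ver[2:-1], ver)
            versions.append(ver)
    return versions

def json_path_is_fixed(pom_xml):
    """True only if json-path is declared and every declaration is >= 2.8.0."""
    versions = find_json_path_versions(pom_xml)
    return bool(versions) and all(parse_version(v) >= FIXED for v in versions)

# Constructed sample pom (not the real karate-core pom): the vulnerable pin and the fixed one.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><json-path.version>2.7.0</json-path.version></properties>
  <dependencies><dependency>
    <groupId>com.jayway.jsonpath</groupId><artifactId>json-path</artifactId>
    <version>${json-path.version}</version>
  </dependency></dependencies>
</project>"""
FIXED_POM = VULNERABLE_POM.replace("2.7.0", "2.8.0")

if __name__ == "__main__":
    for name, pom in (("vulnerable", VULNERABLE_POM), ("fixed", FIXED_POM)):
        print(name, find_json_path_versions(pom), "fixed:", json_path_is_fixed(pom))
```

This only inspects versions declared in the pom itself; a json-smart copy pulled in transitively by some other dependency is only visible in the resolved tree (`mvn dependency:tree`).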

Affected configurations

Vulners node: com.intuit.karate\karate-core, match: 1.3.1
CPE name: com.intuit.karate:karate-core, operator: eq, version: 1.3.1
