Details
- Type: Fix
- Status: Dismissed
- Priority: Minor
- Resolution: Won't Fix
- Affects Version/s: 2.7.3
- Fix Version/s: None
- Component/s: None
- Labels: CVE-2023-7272
Description
Current Situation
- JS7 JOC Cockpit and Agent ship with the third-party library javax.json 1.1.4 from glassfish
- this version is flagged with a vulnerability that is assigned to eclipse parsson versions before 1.0.4 and 1.1.3
- for information about the CVE, see https://nvd.nist.gov/vuln/detail/cve-2023-7272
- JS7 JOC Cockpit also ships with eclipse parsson, through other third-party dependencies, but with the already fixed version 1.1.5
Findings
- it looks like glassfish javax.json and eclipse parsson both contain code developed from the same base
- the binaries of both projects are different
- we compared javax.json 1.1.4 binary files to
  - a vulnerable parsson version 1.1.2
  - a fixed parsson version 1.1.5
- as binary files of classes with the same name differ in size and use differently named packages, the implementations appear to be quite different between both projects
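A check of the kind the findings above describe, written here as an added example and not taken from the JS7 project: it opens two JARs (zip files), indexes their .class entries by simple class name, which is the name a scanner typically matches on, and reports for every name present in both whether the entry is byte-identical (same package, size and CRC), differs within the same package (what a patched class looks like between a vulnerable and a fixed release of the same project), or merely shares the simple name. The JARs are constructed in memory with arbitrary payloads; the package names org.glassfish.json and org.eclipse.parsson are assumed from the two projects' published artifacts, while the class names and sizes are made up for the example.

```python
import io
import zipfile


def build_sample_jar(entries):
    """Write {entry_name: payload_bytes} into an in-memory JAR (a JAR is a zip file).
    Only used to construct sample input for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def class_index(jar_bytes):
    """Return {simple_class_name: (package, uncompressed_size, crc32)} for every .class entry."""
    index = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.endswith(".class"):
                continue
            package, _, simple = info.filename[: -len(".class")].rpartition("/")
            index[simple] = (package.replace("/", "."), info.file_size, info.CRC)
    return index


def compare_jars(jar_a, jar_b):
    """Compare two JARs by simple class name and classify each name match."""
    a, b = class_index(jar_a), class_index(jar_b)
    report = {
        "packages_a": sorted({pkg for pkg, _, _ in a.values()}),
        "packages_b": sorted({pkg for pkg, _, _ in b.values()}),
        "identical": [],          # same package, size and CRC: the same bytes
        "same_package_diff": [],  # same package, different bytes: e.g. a patched class
        "name_only": [],          # only the simple name matches: different package
    }
    for name in sorted(set(a) & set(b)):
        pkg_a, size_a, crc_a = a[name]
        pkg_b, size_b, crc_b = b[name]
        if (pkg_a, size_a, crc_a) == (pkg_b, size_b, crc_b):
            report["identical"].append(name)
        elif pkg_a == pkg_b:
            report["same_package_diff"].append((name, size_a, size_b))
        else:
            report["name_only"].append((name, pkg_a, size_a, pkg_b, size_b))
    return report


def is_name_only_match(report):
    """True when no class bytes are shared, i.e. every match is by simple name alone."""
    return not report["identical"] and not report["same_package_diff"]


# Constructed sample JARs; payloads are arbitrary bytes standing in for class files.
JAVAX_JSON = build_sample_jar({
    "org/glassfish/json/JsonParserImpl.class": b"G" * 300,
    "org/glassfish/json/JsonTokenizer.class": b"G" * 180,
})
PARSSON_VULNERABLE = build_sample_jar({
    "org/eclipse/parsson/JsonParserImpl.class": b"P" * 340,
    "org/eclipse/parsson/JsonTokenizer.class": b"P" * 180,
})
PARSSON_FIXED = build_sample_jar({
    "org/eclipse/parsson/JsonParserImpl.class": b"Q" * 360,  # the one changed class
    "org/eclipse/parsson/JsonTokenizer.class": b"P" * 180,   # unchanged between releases
})

if __name__ == "__main__":
    for label, left, right in (
        ("javax.json vs parsson (vulnerable)", JAVAX_JSON, PARSSON_VULNERABLE),
        ("parsson vulnerable vs fixed", PARSSON_VULNERABLE, PARSSON_FIXED),
    ):
        r = compare_jars(left, right)
        print(label)
        print("  packages:", r["packages_a"], "vs", r["packages_b"])
        print("  identical:", r["identical"])
        print("  same package, different bytes:", r["same_package_diff"])
        print("  name only:", r["name_only"])
        print("  name-only match:", is_name_only_match(r))
```

Note that JsonTokenizer has the same size in both sample JARs, so size alone does not settle the question; the package name and CRC do. Comparing the vulnerable and fixed Parsson samples shows the opposite pattern, a single class changed inside an otherwise identical package, which is what a genuine upgrade looks like.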
As both projects produce different binaries from their own code bases, we rate this finding as a false positive.