CVE-2023-5072 jackson-core-2.16.0


leducquan

May 3, 2024, 1:46:51 PM
to jackson-user
Recently, when running the OWASP Dependency-Check tool on my project, jackson-core-2.16.0.jar was flagged with CVE-2023-5072. However, I couldn't find much recent information about this CVE other than a GitHub issue related to JSON-Java (https://github.com/jeremylong/DependencyCheck/issues/5991).

For jackson-core-2.16.0.jar, the dependency information is as follows:
cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:*:*:*:*:*:*:*
cpe:2.3:a:json-java_project:json-java:2.16.0:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.core/jackso...@2.16.0

Does anybody have more information about whether this is truly affected by CVE-2023-5072 or is a false positive? Any updates or insights would be greatly appreciated.

Thank you.

Tatu Saloranta

May 3, 2024, 2:07:03 PM
to jackso...@googlegroups.com
As per my note on the GitHub issue that you also filed, no, this does not relate to Jackson. Case of false positive (bad metadata).

-+ Tatu +-
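Since the finding is a CPE mis-identification rather than a real weakness in jackson-core, the practical fix is a Dependency-Check suppression that targets the wrong CPE match for this artifact only. The file below is an added example, not something from this thread or from the Jackson or Dependency-Check projects; it assumes the Maven coordinates com.fasterxml.jackson.core:jackson-core (the truncated package URL in the original post) and uses the suppression-file format documented by Dependency-Check.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (example file name) -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress>
        <notes><![CDATA[
        CVE-2023-5072 belongs to JSON-Java (org.json). jackson-core was matched to the
        json-java CPE through bad metadata; the Jackson maintainer confirmed this is a
        false positive (see jackson-user thread, May 2024, and DependencyCheck issue 5991).
        ]]></notes>
        <!-- Scope the suppression to the jackson-core artifact only (any version),
             so unrelated dependencies are still checked against this CPE. -->
        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
        <!-- Suppress the incorrect CPE identification itself (prefix match on
             vendor:product). This removes every CVE derived from that CPE, not just
             CVE-2023-5072, which is the right scope when the match is wrong. -->
        <cpe>cpe:/a:json-java_project:json-java</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression dependency-check-suppressions.xml` on the CLI (or the equivalent `suppressionFiles` setting of the Maven or Gradle plugin); using `<cve>CVE-2023-5072</cve>` instead of `<cpe>` would silence only that one ID while leaving the bad CPE match in place for future advisories.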