Recently, when running the OWASP Dependency-Check tool on my project, jackson-core-2.16.0.jar was flagged with CVE-2023-5072. However, I couldn't find much recent information about this CVE other than a GitHub issue related to JSON-Java (https://github.com/jeremylong/DependencyCheck/issues/5991).
For jackson-core-2.16.0.jar, the dependency information is as follows:
cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:*:*:*:*:*:*:*
cpe:2.3:a:json-java_project:json-java:2.16.0:*:*:*:*:*:*:*
pkg:maven/com.fasterxml.jackson.core/jackso...@2.16.0
Does anybody have more information about whether this is truly affected by CVE-2023-5072 or is a false positive? Any updates or insights would be greatly appreciated.
Thank you.