As per my note on the GitHub issue that you also filed, no, this does not relate to Jackson. Case of false positive (bad metadata).
-+ Tatu +-

On Fri, May 3, 2024 at 10:46 AM leducquan <leducq...@gmail.com> wrote:
>
> Recently, when running the OWASP Dependency-Check tool on my project,
> jackson-core-2.16.0.jar was flagged with CVE-2023-5072. However, I couldn't
> find much recent information about this CVE other than a GitHub issue related
> to JSON-Java (https://github.com/jeremylong/DependencyCheck/issues/5991).
>
> For jackson-core-2.16.0.jar, the dependency information is as follows:
> cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:*:*:*:*:*:*:*
> cpe:2.3:a:json-java_project:json-java:2.16.0:*:*:*:*:*:*:*
> pkg:maven/com.fasterxml.jackson.core/jackson-core@2.16.0
>
> Does anybody have more information about whether this is truly affected by
> CVE-2023-5072 or is a false positive? Any updates or insights would be
> greatly appreciated.
>
> Thank you.
>
> --
> You received this message because you are subscribed to the Google Groups
> "jackson-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jackson-user+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jackson-user/5295a0e6-faf8-421b-b4ec-820fa0c7b018n%40googlegroups.com.
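The identifiers quoted in the message above can be compared mechanically when triaging a finding like this one. The following is an added example, not part of the original thread and not Dependency-Check's own matching logic: it parses the two CPE 2.3 strings and the package URL and labels each CPE by how well its vendor and product line up with the Maven coordinates. The function names and the three labels are assumptions made for illustration.

```python
import re

# Identifiers reported for jackson-core-2.16.0.jar, copied from the message above.
CPES = [
    "cpe:2.3:a:fasterxml:jackson-modules-java8:2.16.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:json-java_project:json-java:2.16.0:*:*:*:*:*:*:*",
]
PURL = "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.16.0"


def parse_cpe23(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    # Split on ':' that is not backslash-escaped, since CPE 2.3 permits '\:'.
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields[3].lower(), fields[4].lower()


def parse_maven_purl(purl):
    """Return (group_id, artifact_id) from a pkg:maven package URL."""
    m = re.fullmatch(r"pkg:maven/([^/@?#]+)/([^/@?#]+)(?:@[^?#]+)?(?:[?#].*)?", purl)
    if not m:
        raise ValueError(f"not a pkg:maven purl: {purl!r}")
    return m.group(1).lower(), m.group(2).lower()


def triage(cpe, purl):
    """Heuristic label (hypothetical scheme) for CPE vs. Maven coordinates."""
    vendor, product = parse_cpe23(cpe)
    group, artifact = parse_maven_purl(purl)
    vendor_ok = vendor in re.split(r"[.\-_]", group)  # vendor is a groupId token
    product_ok = product == artifact                  # product equals artifactId
    if vendor_ok and product_ok:
        return "consistent"
    if vendor_ok:
        return "same-vendor-different-product"
    return "unrelated"


def report(cpes=CPES, purl=PURL):
    """Map each CPE to its triage label for the given package URL."""
    return {cpe: triage(cpe, purl) for cpe in cpes}


if __name__ == "__main__":
    for cpe, label in report().items():
        print(f"{label:32} {cpe}")
```

A label of "unrelated" marks evidence to review by hand, such as the `json-java_project:json-java` CPE here; it is a prompt for the manual check, not a verdict on the CVE.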