The code in console.war is not actually a direct part of the ActiveMQ Artemis code-base. It is coming from Hawtio [1], specifically from the hawtio-system [2] module. Looking through the code in the hawtio-system module I don't see any use of any method named toJSONObject (i.e. the method mentioned in the CVE).
Therefore, I don't believe this CVE applies to ActiveMQ Artemis. In any case, I've sent a PR [3] to upgrade Hawtio to 2.17.6 which uses a newer dependency which should hopefully eliminate these spurious warnings from your scanner.

Justin

[1] https://github.com/hawtio/hawtio
[2] https://github.com/hawtio/hawtio/blob/main/hawtio-system/pom.xml#L85
[3] https://github.com/apache/activemq-artemis/pull/4611

On Mon, Sep 11, 2023 at 10:00 AM Maia Khmaladze <maia.khmala...@globallogic.com.invalid> wrote:

> Hi,
> We are using Artemis Activemq 2.28.0 and our vulnerability scanner found
> the following vulnerable library:
>
> - json-20171018.jar (in the console.war). Vulnerable according to
> CVE-2022-45688
>
> Could you please confirm/negate that Artemis Activemq 2.28.0 is NOT
> affected by this vulnerability?
>
> Thank you in advance,
> Maia Khmaladze
>
> On Mon, Aug 7, 2023 at 3:00 PM Maia Khmaladze <
> maia.khmala...@globallogic.com> wrote:
>
> > Hi,
> > We are using Artemis Activemq 2.28.0 and our vulnerability scanner found
> > the following vulnerable library:
> >
> > - json-20171018.jar (console.war). Vulnerable according to
> > CVE-2022-45688
> >
> > Could you please confirm/negate that Artemis Activemq 2.28.0 is NOT
> > affected by this vulnerability?
> >
> > Thank you in advance,
> > Maia Khmaladze
> >
> >
> > --
>
> Maia Khmaladze
> GlobalLogic
> www.globallogic.com
> <http://www.globallogic.com/>
> http://www.globallogic.com/email_disclaimer.txt
>
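The reachability check Justin describes above (does anything shipped in console.war actually call the method named in the CVE?) can be automated rather than done by reading source. The script below is an added example and is not part of this thread, nor code from ActiveMQ Artemis or Hawtio. It walks a WAR, descends into nested jars under WEB-INF/lib, and reports every class file whose constant pool contains a CONSTANT_Utf8 entry equal to the method name; a class that invokes `toJSONObject` must carry that name in its constant pool, so an empty result means no bundled bytecode calls it directly. The sample WAR it builds is constructed for the demonstration (the stub "class files" carry only the magic number and a few constant-pool entries, enough for the scan but not loadable by a JVM); the archive, class and package names in it are made up. Running it against a real console.war is a matter of passing the file's bytes to `find_callers`.

```python
"""Find classes inside a WAR (and its nested jars) that reference a method name.

Added example for the CVE-2022-45688 / json-20171018.jar discussion; not code
from ActiveMQ Artemis or Hawtio. Usage on a real archive:
    find_callers(open("console.war", "rb").read(), "toJSONObject")
"""
import io
import struct
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def class_references_name(class_bytes: bytes, name: str) -> bool:
    """True if the class's constant pool holds a CONSTANT_Utf8 entry equal to `name`.

    A Utf8 entry is tag 0x01, a big-endian u2 length, then the bytes, so matching
    tag + exact length + bytes avoids hits on longer names such as
    'toJSONObjectHelper'. Assumes an ASCII method name, where modified UTF-8 and
    UTF-8 coincide. This is a heuristic (a string constant could in principle
    contain the same byte pattern), not a full constant-pool parser.
    """
    if not class_bytes.startswith(CLASS_MAGIC):
        return False
    encoded = name.encode("utf-8")
    needle = b"\x01" + struct.pack(">H", len(encoded)) + encoded
    return needle in class_bytes


def scan_archive(data: bytes, name: str, prefix: str = "") -> list[str]:
    """Recursively scan a zip (war/jar) held in memory; return paths of matching classes.

    Nested archives are reported with a '!/' separator, e.g.
    'WEB-INF/lib/foo.jar!/com/example/Bar.class'.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            entry = zf.read(info.filename)
            if info.filename.endswith(".class"):
                if class_references_name(entry, name):
                    hits.append(path)
            elif info.filename.endswith((".jar", ".war")):
                hits.extend(scan_archive(entry, name, path + "!/"))
    return hits


def find_callers(war_bytes: bytes, method_name: str = "toJSONObject") -> list[str]:
    """Convenience wrapper: which bundled classes reference `method_name`?"""
    return scan_archive(war_bytes, method_name)


# ---- constructed sample data (not from any real artifact) -------------------

def _stub_class(utf8_constants: list[str]) -> bytes:
    """Stand-in for a .class file: magic, a version word, then Utf8 entries only."""
    body = CLASS_MAGIC + b"\x00\x00\x00\x34"
    for text in utf8_constants:
        enc = text.encode("utf-8")
        body += b"\x01" + struct.pack(">H", len(enc)) + enc
    return body


def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """A WAR shaped like a web console: one nested jar whose class names
    toJSONObject in its constant pool, one that does not, plus a servlet class."""
    lib_jar = _zip_bytes({
        "example/Uses.class": _stub_class(
            ["toJSONObject", "(Ljava/lang/String;)Lorg/json/JSONObject;"]),
        "example/Clean.class": _stub_class(["org/json/JSONObject", "toString"]),
    })
    return _zip_bytes({
        "WEB-INF/web.xml": b"<web-app/>",
        "WEB-INF/lib/example-lib.jar": lib_jar,
        "WEB-INF/classes/web/Servlet.class": _stub_class(["doGet"]),
    })


if __name__ == "__main__":
    found = find_callers(build_sample_war())
    print("classes referencing toJSONObject:", found or "none")
```

An empty result is evidence for the "not reachable" conclusion, not proof: calls made through reflection, method handles, or scripting layers do not put the method name in a caller's constant pool in the same way, and the check says nothing about whether the vulnerable jar is loaded by other code on the classpath. It does give the scanner's finding a concrete basis for triage, and the upgrade in PR [3] remains the clean fix.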