com.jayway.jsonpath:json-path is vulnerable to a buffer overflow per [CVE-2023-51074](https://www.cve.org/CVERecord?id=CVE-2023-51074).

We are using 2.7.18 and this is being flagged by our SCA tool.

Please upgrade json-path to 2.9.0.

https://github.com/json-path/JsonPath/issues/973

Thank you.

Comment From: wilkinsona

Thanks. We're aware of the CVE and considering what to do here. In the meantime, please be aware that:

  • Spring Boot 2.7.x is out of OSS support and the earliest generally available release in which an upgrade to json-path 2.9.0 could be made would be a 3.1.x release.
  • You can override the version in your build using the `json-path.version` property.
  • The situations in which you may actually be vulnerable are quite limited. Some further investigation of the flag raised by your SCA tool may identify it as a false alarm.

Comment From: mike-lloyd03

Thank you @wilkinsona