[GHSA-493p-pfq6-5258] json-smart Uncontrolled Recursion vulnerability#8697
Conversation
|
Hi there @oswaldobapvicjr! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
|
Hi GitHub Security Team! I would appreciate it if the curation team could approve this improvement and officially withdraw/retract the global advisory to prevent further false positives for the community. Additionally, could you please guide me on how I can completely withdraw or remove this advisory from my specific repository's Security tab as well? I currently do not see an option to delete or withdraw it from my end. Thank you for your help! |
Updates
Comments
Request: Withdraw Security Advisory (Published in Error)
Reason for Request:
This advisory (GHSA-493p-pfq6-5258) was originally published on my repository (
oswaldobapvicjr/jsonmerge) by me in error, and I would like to request its withdrawal. It should have been reported undernetplex/json-smart-v2which is the correct repository as described in the Advisory details and the underlying CVE.Technical Context:
net.minidev:json-smart.oswaldobapvicjr/jsonmerge, this dependency is explicitly marked as<optional>true</optional>in the Maven POM.jsonmergeis a provider-agnostic utility library, it does not package, bundle, or transitively forcejson-smartonto consuming applications.jsonmergeis causing false positives for downstream consumers who do not even pull in the affectedjson-smartpackage.As the repository owner and the publisher of this advisory, I kindly request the GitHub Curation Team to withdraw this GHSA from my repository
oswaldobapvicjr/jsonmerge