org.json:json transitive dependency has security vulnerabilities

[lukewpatterson]

From mvn dependency:tree

[INFO] +- com.plaid:plaid-java:jar:17.0.0:compile
[INFO] |  +- org.apache.oltu.oauth2:org.apache.oltu.oauth2.client:jar:1.0.1:compile
[INFO] |  |  +- org.apache.oltu.oauth2:org.apache.oltu.oauth2.common:jar:1.0.1:compile
[INFO] |  |  |  +- org.json:json:jar:20140107:compile

My build report is showing these vulnerabilities:

• https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-2841369
• https://nvd.nist.gov/vuln/detail/CVE-2022-45688
• https://nvd.nist.gov/vuln/detail/CVE-2023-5072

org.json:json release notes

They just released org.json:json:20231013, which I think fixes all the vulnerabilities.

Not sure if related to #283, is the intermediate dependency not even needed anyways?

[appurvj]

+1 on this ticket. This is getting flagged for vulnerabilities on our side as well and and is affecting our SLAs for resolving vulnerabilities.

[violabs-josh]

Noticed this too. I resolved it with:

implementation("com.plaid:plaid-java:23.0.0") {
        exclude(group = "org.json", module = "json")
}

implementation("org.json:json:20240303")

Though, looking at maven, there is a single vulnerability still. Better than 7