The dependency check is now failing on json-patch:
[ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.4.3:check (default-cli) on project ins-app:
[ERROR]
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] json-patch-1.13.jar: CVE-2021-4279(9.8)
CVE is https://nvd.nist.gov/vuln/detail/CVE-2021-4279
The fix PR is probably here (Starcounter-Jack/JSON-Patch@7ad6af4). But it is another repository?
Although this library version is pretty old, I found this CVE as a dependency of io.swagger.parser.v3:swagger-parser:jar:2.1.7, see swagger-api/swagger-parser#1867.