CVE-2022-47937 — Apache Sling Commons JSON bundle vulnerable to Improper Input Validation

描述

Improper input validation in the Apache Sling Commons JSON bundle allows an attacker to trigger unexpected errors by supplying specially-crafted input. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. The org.apache.sling.commons.json bundle has been deprecated as of March 2017 and should not be used anymore. Consumers are encouraged to consider the Apache Sling Commons Johnzon OSGi bundle provided by the Apache Sling project, but may of course use other JSON libraries.

如何修補 CVE-2022-47937

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

—未列出修補版本

CVE-2022-47937 正在被利用嗎?

低 — EPSS 為 1.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, <= 2.0.20

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-47937
WEBgithub.com/apache/sling-org-apache-sling-commons-johnzon
WEBissues.apache.org/jira/browse/SLING-6536
WEBlists.apache.org/thread/sws7z50x47gv0c38q4kx6ktqrvrrg1pm
WEB