
[GHSA-wwcp-26wc-3fxm] JSON-lib mishandles an unbalanced comment string #7410

Open
kmoens wants to merge 1 commit into kmoens/advisory-improvement-7410 from kmoens-GHSA-wwcp-26wc-3fxm

Conversation


@kmoens kmoens commented Apr 16, 2026

Updates

  • Affected products
  • CVSS v3

Comments
The library was moved to GitHub and changed its artifact name:

Copilot AI review requested due to automatic review settings April 16, 2026 12:04
@github-actions github-actions bot changed the base branch from main to kmoens/advisory-improvement-7410 April 16, 2026 12:05

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the GHSA advisory for JSON-lib to reflect revised scoring/metadata and to capture legacy Maven coordinates after the project’s move/rename.

Changes:

  • Updated advisory metadata (modified timestamp) and adjusted severity entries (removed CVSS v3, kept CVSS v4).
  • Added an additional affected package entry for the legacy Maven artifact net.sf.json-lib:json-lib with an affected range through 2.4.
Comments suppressed due to low confidence (1)

advisories/github-reviewed/2024/10/GHSA-wwcp-26wc-3fxm/GHSA-wwcp-26wc-3fxm.json:15

  • The PR description says “Updates … CVSS v3”, but this change removes the CVSS_V3 entry entirely rather than updating it. Either re-add/update the CVSS v3 vector/score in severity, or update the PR description to match the intended outcome.
  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
    }


"CVE-2024-47855"
],
"summary": "JSON-lib mishandles an unbalanced comment string",
"details": "util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.",

Copilot AI Apr 16, 2026


The details text states “before 3.1.0”, but this PR also adds a separate affected coordinate capped at last_affected: 2.4 (net.sf.json-lib:json-lib). To avoid ambiguity for consumers, consider clarifying details (or adding a short note) that distinguishes the legacy Maven coordinates (affected through 2.4) from the post-move artifact line where the 3.1.0 boundary applies.

Suggested change
"details": "util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.",
"details": "util/JSONTokener.java in JSON-lib mishandles an unbalanced comment string. For the post-move Maven artifact org.kordamp.json:json-lib-core, versions before 3.1.0 are affected; for the legacy Maven coordinate net.sf.json-lib:json-lib, versions through 2.4 are affected.",

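The review above turns on two different kinds of version boundary: the post-move coordinate is bounded by a `fixed` event (3.1.0, exclusive) while the legacy coordinate is capped with `last_affected` (2.4, inclusive). The script below is an added example, not code from the advisory database, from JSON-lib or from this PR: it builds an OSV-style advisory dict from the values visible in this thread (the event layout is an assumption about how the PR encodes the ranges), applies the OSV `introduced`/`fixed`/`last_affected` semantics with a simplified Maven version comparator, and scans constructed `mvn dependency:list` output lines for affected coordinates. The sample dependency versions are made up for the example.

```python
from __future__ import annotations

import re

# Constructed from the values visible in this review thread; the range
# event layout is an assumption, not copied from the PR's diff.
ADVISORY = {
    "id": "GHSA-wwcp-26wc-3fxm",
    "aliases": ["CVE-2024-47855"],
    "summary": "JSON-lib mishandles an unbalanced comment string",
    "affected": [
        {
            "package": {"ecosystem": "Maven", "name": "org.kordamp.json:json-lib-core"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "3.1.0"}]}],
        },
        {
            "package": {"ecosystem": "Maven", "name": "net.sf.json-lib:json-lib"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"last_affected": "2.4"}]}],
        },
    ],
}


def version_key(version: str) -> tuple:
    """Simplified Maven ordering for release-style versions.

    Dotted numeric parts compare numerically and are padded so 2.4 == 2.4.0;
    a trailing qualifier (-SNAPSHOT, -rc1, ...) sorts before the bare release
    of the same number.  This is not Maven's full ComparableVersion.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    qualifier = m.group(2).lstrip("-.").lower()
    return (nums, 0 if qualifier else 1, qualifier)


def affected_by_range(version: str, events: list[dict]) -> bool:
    """OSV ECOSYSTEM semantics: 'introduced' inclusive, 'fixed' exclusive,
    'last_affected' inclusive.  Events are assumed to be in ascending order,
    as the OSV schema requires."""
    key = version_key(version)
    affected = False
    for event in events:
        if "introduced" in event:
            if key >= version_key(event["introduced"]):
                affected = True
        elif "fixed" in event:
            if key >= version_key(event["fixed"]):
                affected = False
        elif "last_affected" in event:
            if key > version_key(event["last_affected"]):
                affected = False
    return affected


def is_affected(advisory: dict, coordinate: str, version: str) -> bool:
    """coordinate is 'groupId:artifactId', the OSV 'package.name' for Maven."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != "Maven" or pkg["name"] != coordinate:
            continue
        for rng in entry.get("ranges", []):
            if rng["type"] == "ECOSYSTEM" and affected_by_range(version, rng["events"]):
                return True
        if version in entry.get("versions", []):  # explicit enumerations
            return True
    return False


# Constructed sample in the layout of `mvn dependency:list` output
# (groupId:artifactId:type[:classifier]:version:scope); versions are made up.
DEPENDENCY_LIST = """\
[INFO]    net.sf.json-lib:json-lib:jar:jdk15:2.4:compile
[INFO]    org.kordamp.json:json-lib-core:jar:3.0.2:compile
[INFO]    org.kordamp.json:json-lib-core:jar:3.1.0:compile
[INFO]    commons-lang:commons-lang:jar:2.6:compile
"""


def scan_dependency_list(text: str, advisory: dict) -> list[tuple[str, str]]:
    """Return (coordinate, version) pairs that fall inside the affected ranges."""
    hits = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) < 5:
            continue  # not a dependency line
        coordinate = f"{parts[0]}:{parts[1]}"
        version = parts[-2]  # scope is last, version sits just before it
        if is_affected(advisory, coordinate, version):
            hits.append((coordinate, version))
    return hits


if __name__ == "__main__":
    for coord, ver in scan_dependency_list(DEPENDENCY_LIST, ADVISORY):
        print(f"{coord}:{ver} is affected by {ADVISORY['id']}")
```

Note the practical difference the two boundaries make: a `fixed` event says every later version is clean, while `last_affected` only names the highest version known to be affected, so a hypothetical 2.4.1 of the legacy coordinate would be reported as not affected even though nothing on this page says it was fixed. Consumers of the advisory should read the `last_affected` cap as "no later release exists", not as a fix claim.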
