[GHSA-wwcp-26wc-3fxm] JSON-lib mishandles an unbalanced comment string#7410
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Updates the GHSA advisory for JSON-lib to reflect revised scoring/metadata and to capture legacy Maven coordinates after the project’s move/rename.
Changes:
- Updated advisory metadata (`modified` timestamp) and adjusted severity entries (removed CVSS v3, kept CVSS v4).
- Added an additional affected package entry for the legacy Maven artifact `net.sf.json-lib:json-lib` with an affected range through `2.4`.
Comments suppressed due to low confidence (1)
advisories/github-reviewed/2024/10/GHSA-wwcp-26wc-3fxm/GHSA-wwcp-26wc-3fxm.json:15
- The PR description says "Updates … CVSS v3", but this change removes the `CVSS_V3` entry entirely rather than updating it. Either re-add/update the CVSS v3 vector/score in `severity`, or update the PR description to match the intended outcome.
```json
"severity": [
  {
    "type": "CVSS_V4",
    "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
  }
```
| "CVE-2024-47855" | ||
| ], | ||
| "summary": "JSON-lib mishandles an unbalanced comment string", | ||
| "details": "util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.", |
The details text states “before 3.1.0”, but this PR also adds a separate affected coordinate capped at last_affected: 2.4 (net.sf.json-lib:json-lib). To avoid ambiguity for consumers, consider clarifying details (or adding a short note) that distinguishes the legacy Maven coordinates (affected through 2.4) from the post-move artifact line where the 3.1.0 boundary applies.
| "details": "util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string.", | |
| "details": "util/JSONTokener.java in JSON-lib mishandles an unbalanced comment string. For the post-move Maven artifact org.kordamp.json:json-lib-core, versions before 3.1.0 are affected; for the legacy Maven coordinate net.sf.json-lib:json-lib, versions through 2.4 are affected.", |
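The review comment above turns on a detail that matters to advisory consumers: the legacy coordinate is bounded by `last_affected` (inclusive, so 2.4 itself is vulnerable), while the post-move coordinate is bounded by `fixed` (exclusive, so 3.1.0 is clean). A matcher that treats both bounds the same way will silently mis-classify one of them. The following is an added example, not code from this PR or from the GitHub Advisory Database tooling: it walks OSV-style `events` with the two bound types handled correctly. The `ADVISORY` dict is constructed from the figures discussed in this thread and is not the real GHSA JSON (it assumes `ECOSYSTEM` ranges starting at `introduced: "0"`), and `parse_version` assumes plain dotted-numeric Maven versions only.

```python
"""Added example: decide whether a Maven artifact version falls inside an
OSV 'affected' range, honouring 'fixed' (exclusive) vs 'last_affected'
(inclusive). Not part of GHSA-wwcp-26wc-3fxm or the advisory-db tooling."""

# Constructed advisory fragment (assumption: the real file carries more
# fields; package names and bounds mirror the discussion in this thread).
ADVISORY = {
    "id": "GHSA-wwcp-26wc-3fxm",
    "affected": [
        {
            "package": {"ecosystem": "Maven", "name": "org.kordamp.json:json-lib-core"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "3.1.0"}]}
            ],
        },
        {
            "package": {"ecosystem": "Maven", "name": "net.sf.json-lib:json-lib"},
            "ranges": [
                {"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"last_affected": "2.4"}]}
            ],
        },
    ],
}


def parse_version(version: str) -> tuple:
    """Assumption: plain dotted numeric versions only ('2.4', '3.1.0').
    Missing trailing components compare as 0, so '2.4' == '2.4.0'.
    Anything else (qualifiers, classifiers) raises ValueError."""
    parts = tuple(int(p) for p in version.split("."))
    return parts + (0,) * (3 - len(parts))


def version_in_range(version: str, events: list) -> bool:
    """Walk OSV events in order. 'introduced' opens a window, 'fixed' closes
    it exclusively, 'last_affected' closes it inclusively. A window left open
    at the end means every later version is affected."""
    v = parse_version(version)
    lower = None
    for ev in events:
        if "introduced" in ev:
            lower = parse_version(ev["introduced"])
        elif "fixed" in ev:
            if lower is not None and lower <= v < parse_version(ev["fixed"]):
                return True
            lower = None
        elif "last_affected" in ev:
            if lower is not None and lower <= v <= parse_version(ev["last_affected"]):
                return True
            lower = None
    return lower is not None and lower <= v


def is_affected(advisory: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if any ECOSYSTEM range for the exact (ecosystem, name) matches."""
    for entry in advisory["affected"]:
        pkg = entry["package"]
        if pkg["ecosystem"] != ecosystem or pkg["name"] != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_in_range(version, rng["events"]):
                return True
    return False


if __name__ == "__main__":
    for name, ver in [("org.kordamp.json:json-lib-core", "3.0.2"),
                      ("org.kordamp.json:json-lib-core", "3.1.0"),
                      ("net.sf.json-lib:json-lib", "2.4")]:
        print(name, ver, "affected" if is_affected(ADVISORY, "Maven", name, ver) else "not affected")
```

The inclusive bound is the one that bites: if a consumer applied `fixed` semantics to the legacy entry, `net.sf.json-lib:json-lib` 2.4 would be reported as clean, which is the opposite of what the advisory says. Conversely, applying `last_affected` semantics to the post-move entry would flag 3.1.0, the fixed release, as vulnerable.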
612103b into kmoens/advisory-improvement-7410
Hi @kmoens! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
The library was moved to GitHub and changed its artifact name: