CVE-2022-45688 PoC — Hutool 缓冲区错误漏洞

Source

Associated Vulnerability

Description

simple application with a (unreachable!) CVE-2022-45688 vulnerability

Readme

## json.org CVE-2022-45688 false positive

The project contains a [json.org](https://mvnrepository.com/artifact/org.json/json/20220924) dependency with [CVE-2022-45688](https://nvd.nist.gov/vuln/detail/CVE-2022-45688) but does __not__ invoke the vulnerable class.
The vulnerability can therefore not be exploited for a DoS attack.

Metadata-based software composition analyses will produce a false positive, while
callgraph-based analyses will not flag this application as vulnerable. 

### Running Software Composition Analyses

There are several sh scripts to run different analyses, result resports can be found in `scan-results`.

### Generating the SBOM

The `pom.xml` has a plugin to generate a [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format. 
To do this, run `mvn cyclonedx:makePackageBom`, the SBOM can be found in 
`target/` in `json` and `xml` format.

File Snapshot

 [4.0K]  /data/pocs/aaf5aec9088bf5484977c903b57cfacdaf66253a
├── [ 11K]  LICENSE
├── [2.7K]  pom.xml
├── [ 896]  README.md
├── [ 452]  run-owasp.sh
├── [ 261]  run-snyk.sh
├── [4.0K]  scan-results
│   ├── [4.0K]  dependency-check
│   │   └── [ 13K]  dependency-check-report.json
│   └── [4.0K]  snyk
│       └── [ 11K]  snyk-report.json
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  scabench
                └── [ 376]  JSONPrettyPrinter.java

7 directories, 8 files

Remarks