Upgrade to json-path 2.10.0 because of CVE-2024-57699 in json-smart

[mspoerer]

Please update json-path to version 2.10.0 as json-smart is a direct dependency.

Description
A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ?{?, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of an incomplete fix for CVE-2023-1370.

[bclozel]

@mspoerer Can you share why you think we should upgrade to 2.10.0? Did this release fix another CVE?

The CVE you are sharing here are pointing to older fix versions:

• CVE-2023-1370 is fixed in 2.4.9
• CVE-2024-57699 is fixed in 2.5.2

spring-graphql-test depends on 2.9.0. Please elaborate and share public links.

[bclozel]

Also: I'm not seeing specific changes in https://github.com/json-path/JsonPath/releases/tag/json-path-2.10.0, only dependency upgrades. Am I missing a CVE fix somewhere?

[mspoerer]

@bclozel Its part of the following commit "Bumps dependency versions"
Please have a look at json-path/JsonPath@8e3b92f

[bclozel]

@mspoerer ah thanks, I missed that it was a transitive dependency and that it was upgraded in bulk. We'll upgrade and backport, then.