CVE-2022-47937

Name of the Vulnerable Software and Affected Versions Apache Sling Commons JSON bundle (affected versions not specified)

Description The issue is related to improper input validation, allowing an attacker to trigger unexpected errors by supplying specially-crafted input. The org.apache.sling.commons.json bundle has been deprecated as of March 2017 and should not be used anymore. Consumers are encouraged to consider the Apache Sling Commons Johnzon OSGi bundle provided by the Apache Sling project, or use other JSON libraries.

Recommendations As a temporary workaround, consider disabling the use of the org.apache.sling.commons.json bundle until a suitable replacement is implemented. Consider using the Apache Sling Commons Johnzon OSGi bundle provided by the Apache Sling project as a replacement for the deprecated bundle. Restrict the use of the org.apache.sling.commons.json bundle to minimize the risk of exploitation, and plan to migrate to a supported JSON library.