CVE-2022-47937: 
Java vulnerability analysis and mitigation

The Apache Sling Commons JSON bundle contains an improper input validation vulnerability (CVE-2022-47937) that allows attackers to trigger unexpected errors by supplying specially-crafted input. The vulnerability affects all versions through 2.0.20. Notably, this vulnerability only impacts a deprecated component, as the org.apache.sling.commons.json bundle has been officially deprecated since March 2017 (Sling Issue, OSS Security).

The vulnerability is classified as an improper input validation issue (CWE-20) with a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue was discovered by security researcher BIngDiAn and affects the parsing functionality within the Apache Sling Commons JSON module (NVD).

When exploited, the vulnerability allows attackers to trigger unexpected errors in systems using the affected Commons JSON bundle. Given the CVSS score of 9.8, this indicates potential severe impacts on system confidentiality, integrity, and availability (NVD).

Users are strongly encouraged to migrate away from the deprecated org.apache.sling.commons.json bundle. The recommended migration path is to use the Apache Sling Commons Johnzon OSGi bundle provided by the Apache Sling project, though users may also consider other JSON libraries as alternatives (OSS Security).