json vulnerability(CVE-2022-45688) in ejbca 8.3.1

[bhr83]

I am using ejbca 8.3.1 with wildfly 26.1.3. In the trivy scan report
├──────────────────────────────────────────────────────────────┼────────────────┼──────────┤ ├───────────────────────┼─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ org.json:json (ejbca.ear) │ CVE-2022-45688 │ HIGH │ │ 20220924 │ 20230227 │ json stack overflow vulnerability │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-45688 │ │ ├────────────────┤ │ │ ├─────────────────────────────┼──────────────────────────────────────────────────────────────┤ │ │ CVE-2023-5072 │ │ │ │ 20231013 │ JSON-java: parser confusion leads to OOM │ │ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5072
I can see json affected version 20220924. But I couldn’t find any JSON library in the EJBCA codebase, nor any reference to JSON in the WildFly pom.xml file.

[primetomas]

We haven't found any reference for CVE-2022-45688 either. There may be false positives, for example see jeremylong/DependencyCheck#5502