connect2id / Nimbus-JOSE-JWT / issues / #411 - Json-smart critical vulnerability - CVE-2021-27568 — Bitbucket

Issue #411 invalid

Vladimir Kryukov created an issue 2021-03-10

Hi guys,

There is relatively fresh finding in your dependency - json-smart. Doesn’t look like they will fix it soon, maybe there is something we can do about to avoid the issue? This also related to com.nimbusds:oauth2-oidc-sdk

Open issue in json-smart-2 - https://github.com/netplex/json-smart-v2/issues/62
CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-27568

Comments (3)

Vladimir Dzhuvinov
Hi there,

There issue with the OAuth SDK has been fixed in 9.2.2

https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/347/jsonutilparse-string-catch-unexpected

I’ll check the situation here.
- 2021-03-15T07:43:59+00:00
Vladimir Dzhuvinov
- changed status to invalid
The bug was known prior to the CVE and there's been a fix since 2019. It might have come up in a security audit.

Added an extra test here: fab8c51
- 2021-03-15T07:58:58+00:00
Vladimir Kryukov reporter
Thank you for the reply, @Vladimir Dzhuvinov

Nice to hear that the issue is not actual for the library.
- 2021-03-15T17:59:08+00:00
Log in to comment

Assignee: –

Type: bug

Priority: critical

Status: invalid

Component: JWT

Milestone: –

Votes: 0

Watchers: 1

Jira: the preferred issue tracker for Bitbucket. Join the team!