Json-smart critical vulnerability - CVE-2021-27568
Issue #411
invalid
Hi guys,
There is a relatively fresh finding in your dependency - json-smart. It doesn’t look like they will fix it soon; maybe there is something we can do about it to avoid the issue? This is also related to com.nimbusds:oauth2-oidc-sdk
Open issue in json-smart-2 - https://github.com/netplex/json-smart-v2/issues/62
CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-27568
Comments (3)
- changed status to invalid
The bug was known prior to the CVE and there's been a fix since 2019. It might have come up in a security audit.
Added an extra test here: fab8c51
-
reporter Thank you for the reply, @Vladimir Dzhuvinov
Nice to hear that the issue is not actual for the library.
Hi there,
The issue with the OAuth SDK has been fixed in 9.2.2
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/347/jsonutilparse-string-catch-unexpected
I’ll check the situation here.