Bump json-smart to 2.4.2 for 8.x
Issue #416
resolved
Hi guys,
This is a mirrored issue to https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/357/bump-json-smart-to-242-for-8x in order to handle the same problem.
The vulnerability in json-smart was fixed by a maintainer. I think it's a good idea to backport the bump of the library to the 8.x branch as well (because spring-security, for example, uses the 8.x branch).
Br.
Vladimir
Comments (1)
Bumped JSON Smart on the 8.x branch.
Note that the CVE had been fixed in 2019 / 7.9, so Spring Security has been safe from CVE-2021-27568 since then.
https://connect2id.com/blog/nimbus-jose-jwt-7-9