Consider updating 8.20.x to json-smart 2.3.1

Issue #422 resolved
Former user created an issue

Other tickets mention that Nimbus does not use json-smart in the way described in CVE-2021-27568, however various tools report that nimbus-jose-jwt is vulnerable since it depends on json-smart 2.3.

It may set minds at ease if an 8.20.x were released that took the json-smart 2.3.1 dependency update.

The reason for that particular version is because Spring Boot 2.4.x releases on that version and maintains a policy of only taking patch releases inside of their own patch releases. Releasing a dependency update in 8.20.3 would allow Spring Boot 2.4.7 to take up the new dependency.
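For a project that cannot wait for such a release, the transitive json-smart version can be managed from the consuming pom.xml instead. This is an added example, not code from the ticket or from the Nimbus project; the nimbus-jose-jwt version 8.20.2 is an assumed value, and the `com.nimbusds` groupId is the library's published Maven coordinate.

```xml
<!-- Added example (not from the ticket): stay on the nimbus-jose-jwt 8.20.x line
     but have Maven resolve the json-smart transitive dependency to 2.3.1, which
     is what the scanners mentioned in the ticket are checking for.
     8.20.2 is an assumed version; substitute the release you actually use. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Entries here override the version a transitive dependency asks for. -->
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>2.3.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>8.20.2</version>
    </dependency>
  </dependencies>
</project>
```

Run `mvn dependency:tree -Dincludes=net.minidev:json-smart` afterwards to confirm that 2.3.1 is the version actually resolved; the managed version only applies if no other pom in the chain declares json-smart as a direct dependency with an explicit version.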

Comments (2)

  1. Vladimir Dzhuvinov

    Please check out the latest version 8.22 (2021-06-05) which backports a few other fixes.

    It has

        <dependency>
            <groupId>net.minidev</groupId>
            <artifactId>json-smart</artifactId>
            <version>[1.3.3,2.4.7]</version>
        </dependency>

    The x.x version numbering was bumped because the fixes had to introduce new classes / API methods.

    Otherwise the API is compatible to 8.20.x.