Consider updating 8.20.x to json-smart 2.3.1
Issue #422
resolved
Other tickets mention that Nimbus does not use json-smart in the way described in CVE-2021-27568, however various tools report that nimbus-jose-jwt is vulnerable since it depends on json-smart 2.3.
It may set minds at ease if an 8.20.x were released that took the json-smart 2.3.1 dependency update.
The reason for that particular version is because Spring Boot 2.4.x releases on that version and maintains a policy of only taking patch releases inside of their own patch releases. Releasing a dependency update in 8.20.3 would allow Spring Boot 2.4.7 to take up the new dependency.
Comments (2)
- changed status to resolved
Please check out the latest version 8.22 (2021-06-05), which backports a few other fixes. It has

The x.x version numbering was bumped because the fixes had to introduce new classes / API methods. Otherwise the API is compatible with 8.20.x.