Shaded version of json-smart 1.3.1 has critical vulnerability
See CVE-2021-27568 for a vulnerability affecting version 1.3.1 of json-smart. Since it is shaded, there is no way to use nimbus-jose-jwt 9.x and not have this vulnerability.
Comments (8)
https://connect2id.com/blog/nimbus-jose-jwt-9
“Shades the net.minidev:json-smart:1.3.1 dependency.”
-
I’ve checked with both 9.0.1, which we currently use, and the latest version 9.16.1, and both state that you are using the “Shades the net.minidev:json-smart:1.3.1 dependency.” So which is it, version 1.3.1 or 2.4.7? I do see when I download the 9.16.1 jar and look, it does say that it is using version 2.4.7. I would suggest that this page https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/ be updated as it shows Shades the net.minidev:json-smart:1.3.1
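The check the comment above describes (downloading the jar and looking at what it actually says it bundles) can be scripted. The following Python is an added example written for this page; it is not code from the thread or from the nimbus-jose-jwt project. It lists every META-INF/maven/<groupId>/<artifactId>/pom.properties entry a jar carries, which is what a shaded jar normally keeps for each bundled dependency and what dependency scanners typically key on, and compares the bundled json-smart version against a threshold (defaulting to 2.4.7, the version the maintainer's changelog excerpt cites). The relocated package directory com/nimbusds/jose/shaded/json/ is an assumption to be verified against your own jar listing, and the sample jar built by build_sample_jar() is constructed for the example, not a real nimbus-jose-jwt build.

```python
import io
import re
import sys
import zipfile

# Shaded fat jars usually keep META-INF/maven/<groupId>/<artifactId>/pom.properties
# for each bundled dependency; scanners such as Twistlock key on these entries.
POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

# Directory nimbus-jose-jwt 9.x is assumed to relocate json-smart classes into
# (assumption for this example; verify with `unzip -l` on your own jar).
SHADED_JSON_PKG = "com/nimbusds/jose/shaded/json/"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def embedded_maven_coordinates(jar_bytes):
    """Map (groupId, artifactId) -> version for every pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS_RE.match(name)
            if not m:
                continue
            props = parse_properties(zf.read(name).decode("utf-8", "replace"))
            key = (props.get("groupId", m.group(1)), props.get("artifactId", m.group(2)))
            found[key] = props.get("version", "unknown")
    return found


def has_relocated_classes(jar_bytes, package_dir=SHADED_JSON_PKG):
    """True if the jar carries .class files under the relocated package directory."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return any(n.startswith(package_dir) and n.endswith(".class") for n in zf.namelist())


def version_tuple(version):
    """'2.4.7' -> (2, 4, 7); a non-numeric tail such as '-SNAPSHOT' is ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def check_shaded_json_smart(jar_bytes, min_version="2.4.7"):
    """Report which json-smart is really bundled and whether it meets min_version.

    If the shade plugin was configured to drop the dependency's META-INF/maven
    entries, json_smart_version is None and only the class listing remains as
    evidence; treat that as 'unknown', not as 'safe'."""
    coords = embedded_maven_coordinates(jar_bytes)
    bundled = coords.get(("net.minidev", "json-smart"))
    return {
        "json_smart_version": bundled,
        "relocated_classes_present": has_relocated_classes(jar_bytes),
        "ok": bundled is not None and version_tuple(bundled) >= version_tuple(min_version),
    }


def build_sample_jar(json_smart_version="2.4.7"):
    """Constructed stand-in for a shaded jar (not a real nimbus-jose-jwt build).

    The README text inside still says 1.3.1; the pom.properties carries the real version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties",
                    "#Generated by Maven\nversion=9.16.1\ngroupId=com.nimbusds\n"
                    "artifactId=nimbus-jose-jwt\n")
        zf.writestr("META-INF/maven/net.minidev/json-smart/pom.properties",
                    f"version={json_smart_version}\ngroupId=net.minidev\n"
                    "artifactId=json-smart\n")
        # Fake class file (class-file magic bytes only) under the relocated package.
        zf.writestr(SHADED_JSON_PKG + "JSONObject.class", b"\xca\xfe\xba\xbe")
        zf.writestr("README.md", "Shades the net.minidev:json-smart:1.3.1 dependency.\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real jar path to inspect it; with no argument, run on the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for (group, artifact), version in sorted(embedded_maven_coordinates(data).items()):
        print(f"{group}:{artifact}:{version}")
    print(check_shaded_json_smart(data))
```

Run it as `python check_jar.py nimbus-jose-jwt-9.16.1.jar` against a downloaded jar. The same single fact can be read at the shell with `unzip -p nimbus-jose-jwt-9.16.1.jar META-INF/maven/net.minidev/json-smart/pom.properties`; the script adds the version comparison and the fallback class-listing check. Whatever a README sentence or an old commit message says, the embedded pom.properties and the class entries are what is actually on your classpath, and they are what a scanner report should be reconciled against.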
-
I can confirm that when I do a Twistlock scan it is pulling in json-smart 1.3.1 on any version 9.x, so it is still shading version 1.3.1; it’s not just a documentation error.
-
The lib has been on the latest JSON Smart since 9.1.1:
version 9.9.1 (2021-05-04)
* Bumps JSON Smart to 2.4.7.
The authoritative dependency source is the build file, pom.xml:
-
I’ve checked with both 9.0.1, which we currently use, and the latest version 9.16.1, and both state that you are using the “Shades the net.minidev:json-smart:1.3.1 dependency.” So which is it, version 1.3.1 or 2.4.7? I do see when I download the 9.16.1 jar and look, it does say that it is using version 2.4.7. I would suggest that this page https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/ be updated as it shows Shades the net.minidev:json-smart:1.3.1

This is from a commit message that appears for the .gitignore file at the time 9.0 was released; it is not part of the README doc.
-
- changed status to invalid
Which release are you referring to? This looks like some old release of the JWT lib.
At present we have this: