connect2id / OAuth 2.0 SDK with OpenID Connect extensions / issues / #355 - Upgrade json-smart dependency to fix security vulnerability CVE-2021-27568 — Bitbucket

Issue #355 resolved

Roman Loyko created an issue 2021-04-05

The vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-27568 had been fixed by json-smart: https://github.com/netplex/json-smart-v2/issues/60

Please, create a PR for the fix: https://bitbucket.org/rloyko/oauth-2.0-sdk-with-openid-connect-extensions/src/4d79e73ccfd9aac1b364151a94c80a1bb18d7c8a/pom.xml#lines-73

Related with: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/353/remove-json-smart-dependency-that-has

Comments (5)

Roman Loyko reporter
- edited description
- 2021-04-05T12:34:20+00:00
Roman Loyko reporter
- changed title to Upgrade json-smart dependency to fix security vulnerability CVE-2021-27568
- 2021-04-05T12:47:39+00:00
Roman Loyko reporter
- edited description
- 2021-04-05T12:55:56+00:00

Yavor Vasilev

There has been a fix for the CVE for some time now.

‌

version 9.2.1 (2021-02-25)
    * Catches unexpected exceptions in JSONUtils.parseJSON(String) into
      ParseException, see
      https://github.com/netplex/json-smart-v1/issues/7 (iss #347).

‌

Will bump JSON Smart in the next release.

2021-04-06T09:42:24+00:00

Yavor Vasilev
- changed status to resolved
Commit 0393113f bumps JSON Smart to [1.3.2,2.4.2]
- 2021-04-06T10:05:46+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Milestone: –

Votes: 2

Watchers: 3

Jira: the preferred issue tracker for Bitbucket. Join the team!