- changed status to open

Fix CVE-2023-52428 in version 9.x (for Spring Security 6.x)

Hi maintainers of com.nimbusds:oauth2-oidc-sdk :)!

Do you have plans to update com.nimbusds:nimbus-jose-jwt in your 9.x branch? Our vulnerability scanning shows CVE-2023-52428 in your library, which we get as a transitive dependency of org.springframework.security:spring-security-oauth2-client.
It would be really nice to get a version update instead of maintaining the version on our side. :)
Cheers,
Christopher
Comments (4)
Hi Christopher,
The JWT lib dep and a bunch of other deps have been bumped and published in this 9.x release:

version 9.43.4 (2024-03-04)
* Updates Nimbus JOSE+JWT to 9.37.3 which fixes CVE-2023-52428. Note that the CVE does not affect this project (iss #459).
* Updates optional BouncyCastle to 1.77.
* Updates optional Apache Santuario XMLSec to 2.3.4
* Updates optional com.google.guava:guava:32.0.1-jre

https://repo1.maven.org/maven2/com/nimbusds/oauth2-oidc-sdk/9.43.4/
CVE-2023-52428 had no effect on the SDK because the JWE KDF alg is not used for anything.
Happy coding!
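For readers in the reporter's situation (the fixed SDK is published, but the version managed by Spring Security still lags), the usual remedy is to pin both artifacts in the consuming project's own build. The following pom.xml fragment is an added, constructed example, not code from the issue or the project; it assumes a Maven build that already imports a Spring Boot or Spring Security BOM elsewhere, and uses only the versions quoted in the maintainer's reply.

```xml
<!-- Constructed example (not from the issue): override the transitive
     com.nimbusds versions that spring-security-oauth2-client would otherwise
     resolve. The surrounding <project> and any Spring BOM import are assumed. -->
<dependencyManagement>
  <dependencies>
    <!-- SDK release 9.43.4 bumps its own dependency on nimbus-jose-jwt to 9.37.3 -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>9.43.4</version>
    </dependency>
    <!-- Pin the JWT library directly too, so no other dependency path
         can pull an older nimbus-jose-jwt back in -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>9.37.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=com.nimbusds` should list only the pinned versions; if an older nimbus-jose-jwt still appears, another dependency path is declaring it outside dependency management.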
- changed status to resolved

Hi Yavor!
Thanks for updating and for mentioning that the SDK is not affected!
Have a great day!
Christopher