Fix CVE-2023-52428 in version 9.x (for Spring Security 6.x)

Issue #459 resolved
Christopher Cudennec created an issue

Hi maintainers of com.nimbusds:oauth2-oidc-sdk :)!

Do you have plans to update com.nimbusds:nimbus-jose-jwt in your 9.x branch? Our vulnerability scanning shows CVE-2023-52428 in your library which we get as transitive dependency of org.springframework.security:spring-security-oauth2-client.

It would be really nice to get a version update instead of maintaining the version on our side. :)

Cheers,

Christopher
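For readers in the same position (the vulnerable artifact arrives only transitively via spring-security-oauth2-client), the interim workaround Christopher mentions, maintaining the version on the consuming side, looks like the following Maven fragment. This is an added example, not code from the issue or from the oauth2-oidc-sdk project; the patched version 9.37.3 is the one named later in this issue, and the Spring Security version is a placeholder you must replace with your own.

```xml
<!-- Added example: consumer-side override of a transitive dependency (not from the issue or the SDK). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example.placeholder</groupId>      <!-- placeholder coordinates -->
  <artifactId>oauth2-client-app</artifactId>  <!-- placeholder coordinates -->
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement also governs transitive dependencies, so the
           nimbus-jose-jwt pulled in via spring-security-oauth2-client ->
           oauth2-oidc-sdk resolves to the patched 9.37.3 (fixes CVE-2023-52428). -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.37.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-client</artifactId>
      <version>YOUR-SPRING-SECURITY-6.x-VERSION</version> <!-- placeholder -->
    </dependency>
  </dependencies>
</project>
```

After changing the build, confirm what actually resolves with `mvn dependency:tree -Dincludes=com.nimbusds`, and check that the scanner no longer reports the old version; once the SDK release that bumps the library itself is available, prefer upgrading oauth2-oidc-sdk and dropping the pin so the override does not silently hold back future updates. If the build inherits the Spring Boot BOM, setting the `nimbus-jose-jwt.version` property achieves the same pin.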

Comments (4)

  1. Yavor Vasilev

    Hi Christopher,

    The JWT lib dep and a bunch of other deps had been bumped and published in this 9.x:

    version 9.43.4 (2024-03-04)
        * Updates Nimbus JOSE+JWT to 9.37.3 which fixes CVE-2023-52428. Note that
          the CVE does not affect this project (iss #459).
        * Updates optional BouncyCastle to 1.77.
        * Updates optional Apache Santuario XMLSec to 2.3.4
        * Updates optional com.google.guava:guava:32.0.1-jre

    https://repo1.maven.org/maven2/com/nimbusds/oauth2-oidc-sdk/9.43.4/

    CVE-2023-52428 had no effect on the SDK because the JWE KDF alg is not used for anything.

    Happy coding!

  2. Christopher Cudennec reporter

    Hi Yavor!

    Thanks for updating and for mentioning that the SDK is not affected!

    Have a great day!

    Christopher
