Upgrade nimbus-jose-jwt:jar to 9.37.3 in Spring Security 5.8.x #15951

Open
blackat opened this issue Oct 18, 2024 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: waiting-for-feedback We need additional information before we can continue type: dependency-upgrade A dependency upgrade

Comments


blackat commented Oct 18, 2024

Hello,
would it be possible please to upgrade the Nimbus dependency in Spring Security 5.8.x?
The library is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-52428.

@blackat blackat added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 18, 2024

jzheaux commented Oct 23, 2024

Hi, @blackat. This turns out to be tricky due to #13843. Please see #14245 for additional details.

A quick summary here is that Spring Security depends on oauth2-oidc-sdk:9.43.3 which in turn depends on nimbus-jose-jwt:9.24.4. It's important that these dependencies stay in sync. Because oauth2-oidc-sdk:10.x contains breaking changes, we cannot update to a later version of either in a maintenance release.

Are you able to update to a later version by overriding?

@jzheaux jzheaux self-assigned this Oct 23, 2024
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: dependency-upgrade A dependency upgrade and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 23, 2024
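For readers who want to follow the override suggested above, here is an added example of how a consuming application can pin the transitive `nimbus-jose-jwt` version in its own `pom.xml`. It is not code from the issue or from the Spring Security project; the Maven coordinates `com.nimbusds:nimbus-jose-jwt` and `org.springframework.security:spring-security-oauth2-jose` are real, the target version 9.37.3 comes from the issue title, and the surrounding project layout is assumed.

```xml
<!-- Added example (not from the issue thread): pin the transitive
     nimbus-jose-jwt that spring-security-oauth2-jose pulls in via
     oauth2-oidc-sdk. The dependencyManagement entry wins over the
     version declared by the transitive path. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.37.3</version> <!-- version from the issue title -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The Spring Security module that transitively brings in
         oauth2-oidc-sdk and nimbus-jose-jwt; the 5.8.x patch version
         is an assumption here, use whatever your build already pins. -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-jose</artifactId>
      <version>5.8.x</version>
    </dependency>
  </dependencies>
</project>
```

After changing the pom, confirm the resolved version with `mvn dependency:tree -Dincludes=com.nimbusds` so that only one `nimbus-jose-jwt` appears and it is 9.37.3. Because, as the maintainer notes, `oauth2-oidc-sdk:9.43.3` was released against `nimbus-jose-jwt:9.24.4`, the override changes a library that `oauth2-oidc-sdk` was not compiled against; exercise the application's JWT decoding and JWK set fetching paths in integration tests before relying on it, and treat any `NoSuchMethodError` or `NoClassDefFoundError` from the `com.nimbusds` packages as a sign the pair has drifted out of sync.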