Upgrade nimbus-jose-jwt:jar to 9.37.3 in Spring Security 5.8.x #15951

Open
blackat opened this issue Oct 18, 2024 · 3 comments
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); status: feedback-provided (Feedback has been provided); type: dependency-upgrade (A dependency upgrade)

Comments


blackat commented Oct 18, 2024

Hello,
would it be possible to please upgrade the Nimbus dependency in Spring Security 5.8.x?
The library is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-52428.

jzheaux (Contributor) commented Oct 23, 2024

Hi, @blackat. This turns out to be tricky due to #13843. Please see #14245 for additional details.

A quick summary here is that Spring Security depends on oauth2-oidc-sdk:9.43.3 which in turn depends on nimbus-jose-jwt:9.24.4. It's important that these dependencies stay in sync. Because oauth2-oidc-sdk:10.x contains breaking changes, we cannot update to a later version of either in a maintenance release.

Are you able to update to a later version by overriding?

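The override jzheaux asks about, shown here as an added example that is not from this issue or from the Spring Security project: a Maven `dependencyManagement` entry that pins the transitive `nimbus-jose-jwt` to the 9.37.3 requested above while leaving `oauth2-oidc-sdk` at the 9.43.3 that Spring Security 5.8.x declares. The `com.nimbusds` group id is the library's published Maven coordinate; the surrounding pom structure is assumed and the rest of the project's dependencies are omitted.

```xml
<!-- Added example, not part of the issue or of Spring Security's own build.
     Placing the artifact in dependencyManagement makes Maven use this version
     for the transitive nimbus-jose-jwt that oauth2-oidc-sdk:9.43.3 pulls in,
     without changing the oauth2-oidc-sdk version itself. -->
<project>
  <!-- ... groupId, artifactId, version and the usual pom sections go here ... -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>9.37.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Spring Security 5.8.x resource-server support, which brings in
         oauth2-oidc-sdk:9.43.3 and, via the pin above, nimbus-jose-jwt:9.37.3.
         The 5.8.x patch version is a placeholder; use the one your project is on. -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-resource-server</artifactId>
      <version>5.8.x-PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.nimbusds` should show `nimbus-jose-jwt:9.37.3` resolved under `oauth2-oidc-sdk:9.43.3`; if an older version still appears, another dependency is managing it and needs the same pin. In Gradle the equivalent is a `constraints { implementation('com.nimbusds:nimbus-jose-jwt:9.37.3') }` entry inside `dependencies`. The maintainer's point that the two libraries are meant to stay in sync still applies: the pin only changes what is on the classpath, so run the application's own token-validation tests against the pinned combination before relying on it.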
spring-projects-issues commented

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

blackat (Author) commented Nov 5, 2024

Hello @jzheaux,
thanks a lot for your answer. The issue is mainly for some teams where I work who cannot upgrade yet to Spring Security 6 due to different EE and JDK versions; they will probably upgrade later.
