Upgrade com.nimbusds:nimbus-jose-jwt dependency #7720
Assignees
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: dependency-upgrade
A dependency upgrade
Milestone
Comments
spring-projects-issues
added
the
status: waiting-for-triage
fhanik
added
in: oauth2
|
I've requested input from @jzheaux. I remember there may be some incompatibilities that need to be resolved prior to fixing this. |
jzheaux
added
type: dependency-upgrade
|
The security vulnerability is fixed in version 7.8.1 (see #7570) but it is helpful that you upgraded the version. |
|
Correct, @MichaelVetter, because Spring Security was on 7.8.1, there's no security issue. It's always the goal to upgrade to the latest possible, though, so this was a good ticket either way. |
|
Ah, so it was a false positive because CVE did not get updated. Good to know, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Summary
Upgrade
com.nimbusds:nimbus-jose-jwtto version 7.9 or higher (it is currently 7.8.1, which seems to be the final bugfix version for 7.8 branch)There is a medium severity validation security vulnerability (snyk, blog) on lower versions.
The text was updated successfully, but these errors were encountered: