
Upgrade nimbus-jose-jwt:jar to 9.37.3 in Spring Security 5.8.x

Open blackat opened this issue 1 year ago • 4 comments

Hello, would it be possible please to upgrade Nimbus dependency in Spring Security 5.8.x? The library is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-52428.

blackat avatar Oct 18 '24 09:10 blackat

Hi, @blackat. This turns out to be tricky due to https://github.com/spring-projects/spring-security/issues/13843. Please see https://github.com/spring-projects/spring-security/issues/14245 for additional details.

A quick summary here is that Spring Security depends on oauth2-oidc-sdk:9.43.3 which in turn depends on nimbus-jose-jwt:9.24.4. It's important that these dependencies stay in sync. Because oauth2-oidc-sdk:10.x contains breaking changes, we cannot update to a later version of either in a maintenance release.

Are you able to update to a later version by overriding?

jzheaux avatar Oct 23 '24 00:10 jzheaux
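The override jzheaux asks about, as an added example that is not part of the issue thread: a Maven `dependencyManagement` entry that pins `nimbus-jose-jwt` to 9.37.3 in a project still on Spring Security 5.8.x, while keeping `oauth2-oidc-sdk` at the 9.43.3 that Spring Security 5.8.x expects. That the two remain compatible after raising only `nimbus-jose-jwt` is an assumption to verify with the project's own test suite; the thread only states that they must stay in sync.

```xml
<!-- Added example (not from the issue thread): force a newer nimbus-jose-jwt
     in a Maven project that still depends on Spring Security 5.8.x.
     A dependencyManagement entry declared directly in the project POM takes
     precedence over the transitive version that oauth2-oidc-sdk declares and
     over an imported BOM, so every module resolves the pinned version. -->
<dependencyManagement>
  <dependencies>
    <!-- Pin the JWT library to the version that addresses CVE-2023-52428. -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>9.37.3</version>
    </dependency>
    <!-- Keep oauth2-oidc-sdk at the version Spring Security 5.8.x was built
         against; only nimbus-jose-jwt is raised. Assumption: 9.43.3 still
         works with nimbus-jose-jwt 9.37.3; confirm with your own tests. -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>9.43.3</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- Check that the override took effect and that no other path still pulls
     in 9.24.4; the tree should show nimbus-jose-jwt resolving to 9.37.3:
     mvn dependency:tree -Dincludes=com.nimbusds -->
```

Run the OAuth2/OIDC integration tests after the change, since the maintainers note that Spring Security 5.8.x was only verified against the paired versions.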

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues avatar Oct 30 '24 00:10 spring-projects-issues

Hello @jzheaux, thanks a lot for your answer, the issue is mainly for some teams where I work who cannot upgrade yet to Spring Security 6 due to different EE and JDK, they will upgrade probably later.

blackat avatar Nov 05 '24 15:11 blackat

Related gh-14245

jgrandja avatar Jun 11 '25 20:06 jgrandja

@blackat 5.8.x is no longer supported in OSS. Please see the supported versions.

jgrandja avatar Jul 16 '25 19:07 jgrandja