SNYK-JAVA-COMNIMBUSDS-1243767: Bump com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher #9568

candrews · 2021-04-08T14:22:58Z

Affected versions of com.nimbusds:oauth2-oidc-sdk are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing.

Upgrade com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher.

The current latest release of Spring Security, 5.4.5, depends upon com.nimbusds:oauth2-oidc-sdk version 8.36.1

https://snyk.io/vuln/SNYK-JAVA-COMNIMBUSDS-1243767

The text was updated successfully, but these errors were encountered:

rwinch · 2021-04-08T15:16:16Z

Thanks for the report. The fix to nimbus was back ported to oauth2-oidc-sdk 8.36.1 and 7.1.3. For additional details please see the related discussion at #9399 (comment)

candrews added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 8, 2021

rwinch added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 8, 2021

rwinch closed this as completed Apr 8, 2021

rwinch self-assigned this Apr 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

SNYK-JAVA-COMNIMBUSDS-1243767: Bump com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher #9568

SNYK-JAVA-COMNIMBUSDS-1243767: Bump com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher #9568

candrews commented Apr 8, 2021

rwinch commented Apr 8, 2021

Uh oh!

SNYK-JAVA-COMNIMBUSDS-1243767: Bump com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher #9568

SNYK-JAVA-COMNIMBUSDS-1243767: Bump com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher #9568

Comments

candrews commented Apr 8, 2021

rwinch commented Apr 8, 2021

Uh oh!