There is a Security Vulnerability in com.nimbusds:nimbus-jose-jwt:7.8 and older, see https://nvd.nist.gov/vuln/detail/CVE-2019-17195
Please update the dependency to nimbus-jose-jwt 7.9 or newer (currently 8.2). Can this also be updated in the older branches like 5.0.x?
Comment From: jzheaux
Thanks for the report, @MichaelVetter. We'll make sure this gets updated in 5.3.
Regarding earlier releases, we typically don't pick up minor releases of other dependencies inside of a patch release. There are several reasons for that, but one of the immediate reasons is that Spring Boot won't pick up a patch release (of Spring Security) that contains a minor release upgrade (of Nimbus).
Could you tell me a bit more about what you are trying to accomplish? For example, if you are using Spring Boot for dependency management, you would still either need to manage the Spring Security dependency or the Nimbus dependency yourself until Boot picks up Spring Security's next minor release (5.3).
Comment From: MichaelVetter
If there are no code adaptations to Spring Security that are necessary because of the dependency update, then we can handle the versions with Maven. However, users that are not aware of this CVE will get the insecure dependency when they use the other branches.
Comment From: MichaelVetter
@jzheaux, why did you use version 7.8.1 instead of the identical 7.9? The NVD database still has the condition "Up to (excluding) 7.9" and the dependency check will fail.
Comment From: jzheaux
I selected 7.8.1 to ensure the upgrade would be taken up in the next Spring Boot point release.
Certainly, the fact that the CVE was fixed in a minor release upgrade is not ideal - and the fact that a public API got changed in a maintenance release is also not ideal. That said, I've reached out to Nimbus to update the CVE report to include 7.8.1 - you are welcome to add your voice to that: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/343/consider-a-781-patch-release
In the worst case, if a report indicates an application should upgrade to Nimbus 7.9, then the application can still do so quite easily.
Comment From: yuezk
@jzheaux It has been fixed in spring-security 5.2.x and 5.3.x, while I'm using 5.1.x and couldn't upgrade it to 5.2.x for now, so, how to upgrade the nimbus-jose-jwt dependency in 5.1.x?
Comment From: jzheaux
@yuezk, you should be able to specify in Maven or Gradle the version of nimbus-jose-jwt that you need. Did I understand your question?
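The override jzheaux describes, as an added Maven example that is not part of the issue or of the Spring Security project. It assumes an application that inherits `spring-boot-starter-parent` and receives nimbus-jose-jwt transitively through `spring-security-oauth2-jose`; the 7.9 version is the fixed release named in the report.

```xml
<!-- Added example, not the project's own pom: pinning the transitive
     nimbus-jose-jwt version from the application's pom.xml. Assumes the
     project inherits spring-boot-starter-parent (hypothetical 2.1.x line
     that still ships Spring Security 5.1.x). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- constructed sample coordinates -->
  <artifactId>jwt-resource-server</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.x</version>              <!-- placeholder, use your real Boot version -->
  </parent>

  <dependencyManagement>
    <dependencies>
      <!-- A managed version declared in the child pom takes precedence over
           the one inherited from the Boot parent, so every module that pulls
           nimbus-jose-jwt in (directly or transitively) resolves 7.9 even
           though spring-security-oauth2-jose 5.1.x declares the older one. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>7.9</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No version here: it is managed by the Boot parent. -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-jose</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the pin took effect with `mvn dependency:tree -Dincludes=com.nimbusds`, which should list only `com.nimbusds:nimbus-jose-jwt:jar:7.9`; a scanner keyed on the NVD range "up to (excluding) 7.9" will then pass.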
Comment From: yuezk
Yes, that's what I'm trying to do.
Comment From: jzheaux
Sounds good, @yuezk. If you are having trouble with Maven or Gradle, I'd recommend posting a question to Stack Overflow for greater visibility. Feel free to post the link here, if you like, so others having the same trouble can follow that conversation.