Affected versions of com.nimbusds:oauth2-oidc-sdk are vulnerable to XML External Entity (XXE) Injection via the SAML2AssertionValidator method. Access to external entities was not disabled in XML parsing.

Upgrade com.nimbusds:oauth2-oidc-sdk to version 9.3.1 or higher.

The current latest release of Spring Security, 5.4.5, depends upon com.nimbusds:oauth2-oidc-sdk version 8.36.1.

https://snyk.io/vuln/SNYK-JAVA-COMNIMBUSDS-1243767
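The defect described above is the classic JAXP one: a DocumentBuilderFactory with default settings honours a DOCTYPE and resolves SYSTEM entities, so an attacker-supplied SAML assertion can splice a local file into the parsed document. The following is an added illustration, not code from oauth2-oidc-sdk or Spring Security and not the actual fix shipped by nimbus; it parses a constructed assertion containing an external entity once with default settings and once with the hardening features most Java XXE guidance recommends, and shows the second parser rejecting the DOCTYPE outright. The class, method and entity names are made up for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Example only (hypothetical class name): contrasts a default JAXP parser with a hardened one.
public class XxeDemo {

    // Default JAXP configuration: DOCTYPE declarations are accepted and SYSTEM
    // entities are resolved, so untrusted XML can read local files.
    static DocumentBuilder defaultBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened configuration: reject any DOCTYPE, and as defence in depth also
    // disable external general/parameter entities, external DTD loading,
    // XInclude and entity expansion. The feature URIs are standard Xerces/SAX ones.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document and returns the text of the root element, which is
    // where an expanded external entity would end up.
    static String rootText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for /etc/passwd or a keystore.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "local-secret");

        // Constructed attacker-controlled assertion with an external entity.
        String assertion = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE Assertion [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<Assertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">&xxe;</Assertion>";

        try {
            // Default parser: the entity is resolved and the file content appears in the DOM.
            System.out.println("default parser:  " + rootText(defaultBuilder(), assertion));

            // Hardened parser: the DOCTYPE itself is refused before any entity is touched.
            try {
                rootText(hardenedBuilder(), assertion);
                System.out.println("hardened parser: accepted (unexpected)");
            } catch (SAXParseException e) {
                System.out.println("hardened parser: rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Rejecting the DOCTYPE is the single setting that matters most; the remaining features cover parsers whose defaults differ from the JDK's built-in Xerces. For a downstream project the practical check is not the parser code but the resolved dependency tree, since the fixed version may reach you transitively through Spring Security rather than through a direct declaration.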

Comment From: rwinch

Thanks for the report. The fix to nimbus was backported to oauth2-oidc-sdk 8.36.1 and 7.1.3. For additional details please see the related discussion at https://github.com/spring-projects/spring-security/issues/9399#issuecomment-814380621