Override nimbus-jose-jwt version to avoid CVE-2023-52428 (#540)

Consensys · Feb 27, 2024 · 7c0f3ae · 7c0f3ae
1 parent 9ede0b4
commit 7c0f3ae
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -157,7 +157,7 @@ dependencyManagement {
      */
     dependency 'commons-net:commons-net:3.9.0'
 
-    // manual overriding of json-smart and nimbus-jost-kwt to avoid CVE-2023-1370
+    // manual overriding of json-smart to avoid CVE-2023-1370
     /*
      +--- com.azure:azure-identity -> 1.8.1
      |    +--- com.microsoft.azure:msal4j:1.13.5
@@ -167,7 +167,15 @@ dependencyManagement {
      */
 
     dependency 'net.minidev:json-smart:2.4.10'
-    dependency 'com.nimbusds:nimbus-jose-jwt:9.31'
+
+    // manual overriding of nimbus-jose-jwt to avoid CVE-2023-52428
+    /*
+    com.nimbusds:nimbus-jose-jwt:9.30.2 -> 9.31
+    \--- com.nimbusds:oauth2-oidc-sdk:10.7.1
+         \--- com.microsoft.azure:msal4j:1.14.0
+              +--- com.azure:azure-identity:1.11.1
+     */
+    dependency 'com.nimbusds:nimbus-jose-jwt:9.37.3'
 
     // addresses CVE-2023-3635
     dependency 'com.squareup.okio:okio:3.4.0'