From 7c0f3ae2f316e5dd487d8dd931a06835c411d7a9 Mon Sep 17 00:00:00 2001
From: Usman Saleem
Date: Tue, 27 Feb 2024 10:55:16 +1000
Subject: [PATCH] Override nimbus-jose-jwt version to avoid CVE-2023-52428 (#540)
---
 gradle/versions.gradle | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
index 3f59c6b9..1c883c6f 100644
--- a/gradle/versions.gradle
+++ b/gradle/versions.gradle
@@ -157,7 +157,7 @@ dependencyManagement {
 */
 dependency 'commons-net:commons-net:3.9.0'
- // manual overriding of json-smart and nimbus-jost-kwt to avoid CVE-2023-1370
+ // manual overriding of json-smart to avoid CVE-2023-1370
 /*
 +--- com.azure:azure-identity -> 1.8.1
 | +--- com.microsoft.azure:msal4j:1.13.5
@@ -167,7 +167,15 @@ dependencyManagement {
 */
 dependency 'net.minidev:json-smart:2.4.10'
- dependency 'com.nimbusds:nimbus-jose-jwt:9.31'
+
+ // manual overriding of nimbus-jose-jwt to avoid CVE-2023-52428
+ /*
+ com.nimbusds:nimbus-jose-jwt:9.30.2 -> 9.31
+ \--- com.nimbusds:oauth2-oidc-sdk:10.7.1
+ \--- com.microsoft.azure:msal4j:1.14.0
+ +--- com.azure:azure-identity:1.11.1
+ */
+ dependency 'com.nimbusds:nimbus-jose-jwt:9.37.3'
 // addresses CVE-2023-3635
 dependency 'com.squareup.okio:okio:3.4.0'
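Review bot: The dependency-tree comment added above the `nimbus-jose-jwt` pin in the second hunk reads `9.30.2 -> 9.31`, which looks like the resolution under the previous pin rather than the `9.37.3` this line now forces, so a reader auditing the CVE-2023-52428 fix could take 9.31 as the effective version. I would reword the comment to something like `// transitive via oauth2-oidc-sdk <- msal4j <- azure-identity; forced to 9.37.3 for CVE-2023-52428, drop this override once azure-identity resolves a fixed version itself`. The json-smart tree kept as context in the first hunk still shows azure-identity 1.8.1 / msal4j 1.13.5 while the new tree shows 1.11.1 / 1.14.0, so one of the two comments is presumably stale and should be regenerated. Because this is a forced override rather than an upstream upgrade, it is worth recording the output of `gradle dependencyInsight --dependency nimbus-jose-jwt` in the PR to show what actually resolves on the runtime classpath.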