Spring Security 5.2.1 references vulnerable Nimbus version

[beckermarc]

Spring Security 5.2.1 references a vulnerable artifact nimbus-jose-jwt-7.8.jar.
The vulnerability is fixed with Spring Security 5.2.2.

Please update Spring Security to 5.2.2, Spring Boot to 2.2.5 and Spring Core to 5.2.4
These versions are compatible with each other, as they are also referenced like that in the latest Spring Boot release 2.2.5

[nenaraab]

Thanks, Marc,

For reporting!

Best regards,
Nena

[nenaraab]

Hi @beckermarc ,
as all Spring-dependencies are scope-provided, we will deliver it with our next release next week.
Would that be okay?

[beckermarc]

We use xsuaa-spring-boot-starter and there the spring dependencies are not used with scope provided. Having these changes in the release next week is fine. We have so far mitigated the vulnerabilities in our own POM, by already including the higher versions of these dependencies ourselves.

[nenaraab]

fix provided with version 2.5.2.