Upgrade nimbus-jose-jwt version to avoid CVE-2023-52428 (#969)

Consensys · Feb 15, 2024 · bec53cc · bec53cc
1 parent fc2c2f6
commit bec53cc
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -203,7 +203,7 @@ dependencyManagement {
      */
     dependency 'commons-net:commons-net:3.9.0'
 
-    // manual overriding of json-smart and nimbus-jost-kwt to avoid CVE-2023-1370
+    // manual overriding of json-smart to avoid CVE-2023-1370
     /*
      +--- com.azure:azure-identity -> 1.8.1
      |    +--- com.microsoft.azure:msal4j:1.13.5
@@ -213,7 +213,15 @@ dependencyManagement {
      */
 
     dependency 'net.minidev:json-smart:2.4.10'
-    dependency 'com.nimbusds:nimbus-jose-jwt:9.31'
+
+    // manual overriding of nimbus-jose-jwt to avoid CVE-2023-52428
+    /*
+    com.nimbusds:nimbus-jose-jwt:9.30.2 -> 9.31
+    \--- com.nimbusds:oauth2-oidc-sdk:10.7.1
+         \--- com.microsoft.azure:msal4j:1.14.0
+              +--- com.azure:azure-identity:1.11.1
+     */
+    dependency 'com.nimbusds:nimbus-jose-jwt:9.37.3'
 
     // besu 23.10.1 uses grpc 1.53.0 so vulnerable to
     // CVE-2023-32731, CVE-2023-33953, CVE-2023-44487, CVE-2023-4785