Closed mathieudz closed 4 months ago
Yes, the dependency https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/10.7.1 does have a CVE
I wonder why GitHub bot didn't warn us about this sooner ...
Hello @mathieudz: Thanks for bringing this to our attention. That oauth2-oidc-sdk dependency is (in part) throwing a warning because it relies on the vulnerable 31.0.1-jre of Guava. In our test dependencies we explicitly call for the non-vulnerable Guava version 32.1.1-jre, which might be why our code checks didn't catch it.
We'll get that oauth2-oidc-sdk dependency updated in our next release/a quick hotfix, and I'll update this thread once that's done.
In the meantime, as a workaround to get rid of the warnings, you could add an explicit dependency on version 32.1.1-jre of Guava in your project; it's not vulnerable and it's what our tests use, so there shouldn't be any compatibility issues.
I'd like to point out that the vulnerabilities information on mvnrepository is outdated and does not include the CVE mentioned above, which was published on 2024-02-11 at https://www.cve.org/CVERecord?id=CVE-2023-52428 and is directly linked to Nimbus JOSE+JWT, therefore bumping Guava will not help.
We're waiting on this dependency update to add Microsoft Entra ID support to some of our products.
Yes, we will update the MSAL library soon. A fix has already been done by a contributor in https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/781 and @Avery-Dunn will cut a release, likely this week.
Update on this: 1.14.3 has been released with the updated dependencies.
It is in Maven's central repo so you should be able to pull it in your project now, and it usually appears on that more user friendly mvnrepository site within a few hours to a few days.
Library version used
1.14.2
Java version
17
Scenario
Other - please specify
Is this a new or an existing app?
The app is in production, and I have upgraded to a new version of MSAL
Issue description and reproduction steps
Vulnerable dependency:
[INFO] +- com.microsoft.azure:msal4j:jar:1.14.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:10.7.1:compile
[INFO] |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  +- com.nimbusds:content-type:jar:2.2:compile
[INFO] |  |  +- com.nimbusds:lang-tag:jar:1.7:compile
[INFO] |  |  \- com.nimbusds:nimbus-jose-jwt:jar:9.30.2:compile
[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7,0':
[ERROR] nimbus-jose-jwt-9.30.2.jar: CVE-2023-52428(7.5)
Relevant code snippets
No response
Expected behavior
No response
Identity provider
Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)
Regression
No response
Solution and workarounds
No response
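The reproduction above shows the two artefacts a build produces when a transitive dependency is flagged: the `mvn dependency:tree` excerpt and the dependency-check `[ERROR]` line. The script below, an added example that is not part of the issue or of the MSAL project, joins the two so the report names the chain (here msal4j -> oauth2-oidc-sdk -> nimbus-jose-jwt) that pulls the flagged jar in, which is what decides whether a version override or an upstream upgrade is the right fix. The sample input is re-typed from the issue with Maven's three-character indentation restored.

```python
import re

# Constructed sample input, re-typed from the `mvn dependency:tree` excerpt
# and the dependency-check [ERROR] line quoted in the issue (the real output
# indents each nesting level by three characters, restored here).
TREE = """\
[INFO] +- com.microsoft.azure:msal4j:jar:1.14.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:10.7.1:compile
[INFO] |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  +- com.nimbusds:content-type:jar:2.2:compile
[INFO] |  |  +- com.nimbusds:lang-tag:jar:1.7:compile
[INFO] |  |  \\- com.nimbusds:nimbus-jose-jwt:jar:9.30.2:compile
"""
ERRORS = "[ERROR] nimbus-jose-jwt-9.30.2.jar: CVE-2023-52428(7.5)"

# One tree node per line: optional "|  " / "   " indentation, then "+- " or "\- ".
TREE_LINE = re.compile(r"^\[INFO\] ((?:\|  |   )*)[+\\]- (\S+)$")
# dependency-check summary line: "<jar>: <CVE>(<CVSS>)".
ERROR_LINE = re.compile(r"\[ERROR\] (\S+\.jar): (CVE-\d{4}-\d+)\(([\d.]+)\)")


def parse_tree(text):
    """Return {jar file name: [group:artifact:version, ...]} for every node.

    Indentation width gives the nesting depth; a stack of ancestors is kept
    so each artifact is stored with the chain of dependencies that pulled it in.
    """
    jars, ancestors = {}, []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m:
            continue
        depth = len(m.group(1)) // 3
        # groupId:artifactId:type[:classifier]:version:scope -> version is second to last
        parts = m.group(2).split(":")
        group, artifact, version = parts[0], parts[1], parts[-2]
        ancestors = ancestors[:depth] + [f"{group}:{artifact}:{version}"]
        jars[f"{artifact}-{version}.jar"] = list(ancestors)
    return jars


def trace_flagged(tree_text, error_text):
    """Map each reported CVE to its CVSS score and the chain leading to the flagged jar."""
    jars = parse_tree(tree_text)
    return {cve: {"jar": jar, "score": float(score), "path": jars.get(jar)}
            for jar, cve, score in ERROR_LINE.findall(error_text)}


if __name__ == "__main__":
    for cve, f in trace_flagged(TREE, ERRORS).items():
        print(f"{cve} (CVSS {f['score']}) via " + " -> ".join(f["path"]))
```

Feed it the full output of `mvn dependency:tree` and the dependency-check log from a real build; a flagged jar whose path starts at a dependency you do not control (as msal4j does here) needs the upstream release rather than a local pin.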