AzureAD / microsoft-authentication-library-for-java

Microsoft Authentication Library (MSAL) for Java http://aka.ms/aadv2
MIT License

[Bug] Upgrade vulnerable com.nimbusds:oauth2-oidc-sdk dependency #779

Closed mathieudz closed 4 months ago

mathieudz commented 5 months ago

Library version used

1.14.2

Java version

17

Scenario

Other - please specify

Is this a new or an existing app?

The app is in production, and I have upgraded to a new version of MSAL

Issue description and reproduction steps

Vulnerable dependency:

[INFO] +- com.microsoft.azure:msal4j:jar:1.14.2:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:10.7.1:compile
[INFO] |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  +- com.nimbusds:content-type:jar:2.2:compile
[INFO] |  |  +- com.nimbusds:lang-tag:jar:1.7:compile
[INFO] |  |  \- com.nimbusds:nimbus-jose-jwt:jar:9.30.2:compile

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '7,0':
[ERROR] nimbus-jose-jwt-9.30.2.jar: CVE-2023-52428(7.5)

Relevant code snippets

No response

Expected behavior

No response

Identity provider

Microsoft Entra ID (Work and School accounts and Personal Microsoft accounts)

Regression

No response

Solution and workarounds

No response

bgavrilMS commented 5 months ago

Yes, the dependency https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/10.7.1 does have a CVE.

I wonder why the GitHub bot didn't warn us about this sooner...

Avery-Dunn commented 5 months ago

Hello @mathieudz: Thanks for bringing this to our attention. That oauth2-oidc-sdk dependency is (in part) throwing a warning because it relies on the vulnerable version 31.0.1-jre of Guava. In our test dependencies we explicitly call for the non-vulnerable Guava version 32.1.1-jre, which might be why our code checks didn't catch it.

We'll get that oauth2-oidc-sdk dependency updated in our next release/a quick hotfix, and I'll update this thread once that's done.

In the meantime, as a workaround to get rid of the warnings, you could add an explicit dependency on version 32.1.1-jre of Guava in your project; it's not vulnerable and it's what our tests use, so there shouldn't be any compatibility issues.

tlopesPT commented 5 months ago

I'd like to point out that the vulnerability information on mvnrepository is outdated and does not include the CVE mentioned above, which was published on 2024-02-11 at https://www.cve.org/CVERecord?id=CVE-2023-52428 and is directly linked to Nimbus JOSE+JWT; therefore bumping Guava will not help.

We're waiting on this dependency update to add Microsoft Entra ID support to some of our products.

bgavrilMS commented 5 months ago

> I'd like to point out that the vulnerability information on mvnrepository is outdated and does not include the CVE mentioned above, which was published on 2024-02-11 at https://www.cve.org/CVERecord?id=CVE-2023-52428 and is directly linked to Nimbus JOSE+JWT; therefore bumping Guava will not help.
>
> We're waiting on this dependency update to add Microsoft Entra ID support to some of our products.

Yes, we will update the MSAL library soon; a fix has already been done by a contributor (https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/781) and @Avery-Dunn will cut a release, likely this week.

Avery-Dunn commented 4 months ago

Update on this: 1.14.3 has been released with the updated dependencies.

It is in Maven's central repo, so you should be able to pull it into your project now, and it usually appears on that more user-friendly mvnrepository site within a few hours to a few days.
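As an added example (not from the issue thread or the MSAL project), a Maven pom.xml fragment that applies the resolution discussed above: it moves to the released msal4j 1.14.3 and, for consumers who cannot upgrade yet, shows how to override the transitive nimbus-jose-jwt that the scanner flagged. The value NIMBUS_FIXED_VERSION is a placeholder, since the thread does not name the patched release; take it from the CVE-2023-52428 record.

```xml
<project>
  <!-- Added example; not the MSAL project's own pom. -->
  <dependencyManagement>
    <dependencies>
      <!-- Override the transitive nimbus-jose-jwt pulled in via oauth2-oidc-sdk
           (9.30.2 in the issue's dependency tree). dependencyManagement wins over
           the version a transitive dependency declares, so this is what a scanner
           will see resolved. NIMBUS_FIXED_VERSION is a placeholder to fill in. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>NIMBUS_FIXED_VERSION</version>
      </dependency>
      <!-- Guava override suggested earlier in the thread as a warning workaround.
           The thread later notes the CVE is in Nimbus JOSE+JWT, not Guava, so this
           alone does not address CVE-2023-52428. -->
      <dependency>
        <groupId>com.google.guava</groupId>
        <artifactId>guava</artifactId>
        <version>32.1.1-jre</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Preferred fix: the msal4j release with updated dependencies. -->
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>msal4j</artifactId>
      <version>1.14.3</version>
    </dependency>
  </dependencies>
</project>
```

Confirm what actually got resolved with `mvn dependency:tree -Dincludes=com.nimbusds:nimbus-jose-jwt` before and after the change, rather than relying on the versions shown on mvnrepository.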