auth0 / node-jwks-rsa

A library to retrieve RSA public keys from a JWKS (JSON Web Key Set) endpoint.
MIT License

Please update the jose dependency #316

Closed dancrumb closed 2 years ago

dancrumb commented 2 years ago

Currently, jwks-rsa depends on jose@2.0.5

This is impacted by CVE-2021-29446.

This is addressed at jose@>=3.11.4

I tried to use the overrides property in my package.json, but that did not help.

Can you release a new version of this module with an updated jose dependency, please?

dancrumb commented 2 years ago

Turns out, this isn't trivial. v3 of jose is a breaking change, as is v4.

adamjmcgrath commented 2 years ago

Thanks for raising this @dancrumb

That vulnerability has been patched in jose@2.0.5; see https://github.com/panva/jose/security/advisories/GHSA-58f5-hfqc-jgch

dancrumb commented 2 years ago

Thanks for the response Adam.

However, that linked vulnerability points to CVE-2021-29443, not CVE-2021-29446.

https://github.com/panva/jose/security/advisories/GHSA-rvcw-f68w-8h8h is the GitHub advisory for this CVE.

adamjmcgrath commented 2 years ago

They're for the same vulnerability.

The CVE you are pointing to (CVE-2021-29446) is for jose-node-cjs-runtime, which is a flavour of jose that did not exist in 2.0.5 (which is why it doesn't mention 2.x in the disclosure).

The correct CVE for this vulnerability in jose (which this SDK uses) is the one I pointed to (CVE-2021-29443) - and it was patched in jose@2.0.5.