mitreid-connect / OpenID-Connect-Java-Spring-Server

An OpenID Connect reference implementation in Java on the Spring platform.

CVE in openid-connect-client #1577

Open arunkumarthangavel opened 2 years ago

arunkumarthangavel commented 2 years ago

We scanned a project using the dependency-check plugin and it showed the CVEs below in openid-connect-client.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27568
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8908
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14379
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17195
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1652
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22978

Is there any version available without the above CVEs?

juananinca commented 2 years ago

I would add some more CVEs to @arunkumarthangavel's list.

CVE-2018-1260 CVE-2019-3778 CVE-2018-15758

This is because the spring-security-oauth2 dependency is currently at 2.1.0.RELEASE:

    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.1.0.RELEASE</version>
    </dependency>

and it should be updated.
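
As an added example (not part of this thread or of the project), the script below collapses a dependency-check JSON report into the per-artifact CVE view that the comments above assemble by hand, which also explains why a flat export repeats IDs: the same CVE is attached to every jar it matches. The report is a constructed sample trimmed to the fields used, with the CVE IDs from this issue; the jar names other than spring-security-oauth2-2.1.0.RELEASE.jar are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a dependency-check JSON report, trimmed to
# the fields used here. Jar names are assumptions (VERSION is a placeholder);
# the CVE IDs are the ones listed in this issue. The same CVE is attached to
# every jar it matches, which is why a flat export of names repeats IDs.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"fileName": "spring-security-oauth2-2.1.0.RELEASE.jar",
         "vulnerabilities": [
             {"name": "CVE-2018-1260", "severity": "CRITICAL"},
             {"name": "CVE-2019-3778", "severity": "MEDIUM"},
             {"name": "CVE-2018-15758", "severity": "HIGH"}]},
        {"fileName": "spring-web-VERSION.jar",
         "vulnerabilities": [
             {"name": "CVE-2016-1000027", "severity": "CRITICAL"}]},
        {"fileName": "spring-webmvc-VERSION.jar",
         "vulnerabilities": [
             {"name": "CVE-2016-1000027", "severity": "CRITICAL"}]},
        {"fileName": "jackson-databind-VERSION.jar",
         "vulnerabilities": [
             {"name": "CVE-2019-14379", "severity": "CRITICAL"}]},
    ]
})


def cves_by_artifact(report_json: str) -> dict:
    """Map each scanned artifact to the set of CVE IDs attached to it."""
    report = json.loads(report_json)
    result = defaultdict(set)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            if vuln["name"].startswith("CVE-"):  # skip non-CVE advisories
                result[dep["fileName"]].add(vuln["name"])
    return dict(result)


def unique_cves(report_json: str) -> list:
    """Deduplicated, sorted list of CVE IDs across the whole report."""
    ids = set()
    for names in cves_by_artifact(report_json).values():
        ids |= names
    return sorted(ids)


def artifacts_for(report_json: str, cve: str) -> list:
    """Jars carrying a given CVE, i.e. what an upgrade must clear."""
    return sorted(a for a, names in cves_by_artifact(report_json).items()
                  if cve in names)
```

Running `artifacts_for` over a real report for each ID in the flat list shows which single artifact bump (here, spring-security-oauth2) clears which CVEs, and which remain for other jars.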

pmayeur commented 2 years ago

Is there any update on these CVEs? Any timeline for a fix?