Open blackat opened 1 month ago

blackat:
Hello, would it be possible please to upgrade the Nimbus dependency in Spring Security 5.8.x? The library is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-52428.

jzheaux:
Hi, @blackat. This turns out to be tricky due to https://github.com/spring-projects/spring-security/issues/13843. Please see https://github.com/spring-projects/spring-security/issues/14245 for additional details.

A quick summary here is that Spring Security depends on oauth2-oidc-sdk:9.43.3, which in turn depends on nimbus-jose-jwt:9.24.4. It's important that these dependencies stay in sync. Because oauth2-oidc-sdk:10.x contains breaking changes, we cannot update to a later version of either in a maintenance release.

Are you able to update to a later version by overriding?

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

blackat:
Hello @jzheaux, thanks a lot for your answer. The issue is mainly for some teams where I work who cannot upgrade yet to Spring Security 6 due to different EE and JDK; they will probably upgrade later.
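As an added example (not from this thread and not Spring Security project code), here is what the override @jzheaux asks about looks like in a Maven build. It assumes a Spring Boot 2.7 / Spring Security 5.8 project that pins transitive versions through `dependencyManagement`. The target version `9.37.2` is an assumption: it is the nimbus-jose-jwt release I understand to address CVE-2023-52428, but verify it against the NVD entry before relying on it.

```xml
<!-- Added example, not from the thread or the Spring Security project.
     Pins the transitive nimbus-jose-jwt that oauth2-oidc-sdk:9.43.3 pulls in
     (9.24.4 by default, per the maintainer's summary above).
     ASSUMPTION: 9.37.2 is the first release fixing CVE-2023-52428; verify
     against https://nvd.nist.gov/vuln/detail/CVE-2023-52428 before use. -->
<properties>
  <nimbus-jose-jwt.version>9.37.2</nimbus-jose-jwt.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- dependencyManagement wins over the transitive version declared by
         oauth2-oidc-sdk, so nothing else in the POM needs to change. -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>${nimbus-jose-jwt.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Two checks are worth doing after the override. First, confirm that the pinned version actually reached the classpath and that no other path still resolves the old one: `mvn dependency:tree -Dincludes=com.nimbusds` should show a single nimbus-jose-jwt version. Second, because the maintainer notes that oauth2-oidc-sdk and nimbus-jose-jwt are expected to stay in sync, run the project's own OAuth2 client and resource-server tests (JWT decoding, JWK set fetching, JWE if used) rather than trusting the build alone; a version skew between the two artifacts tends to surface as runtime `NoSuchMethodError` or `ClassNotFoundException`, not as a compile error. If the project inherits from `spring-boot-starter-parent`, setting only the `nimbus-jose-jwt.version` property may be enough, since Boot's BOM manages this artifact; check the BOM for the exact property name before relying on that shortcut.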