[HIVE-27425] Upgrade Nimbus-JOSE-JWT to 9.24+ due to CVEs coming from json-smart - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.0.0-beta-1
Component/s: None
Labels:
- pull-request-available

Description

Nimbus-JOSE-JWT before 9.24 is using the vulnerable version of json-smart.

nimbus-jose-jwt has dropped the json-smart dependency completely with nimbus-jose-jwt 9.24 and replaces it with Gson 2.9.1 (shaded), as seen in the commit history here: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/tag/9.24.

Json-smart before 2.4.9 is affected by CVE-2023-1370

CVE-2023-1370 - [Json-smart](https://netplex.github.io/json-smart/) is a performance focused, JSON processor lib. When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively. It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Attachments

Issue Links

links to

GitHub Pull Request #4400

Activity

People

Assignee:: Devaspati Krishnatri

Reporter:: Devaspati Krishnatri

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 09/Jun/23 07:16

Updated:: 15/Aug/23 06:33

Resolved:: 15/Jun/23 20:14