
Dependency json-smart should be upgraded due to CVE #611


Closed
klettier opened this issue Mar 24, 2023 · 13 comments

Comments

@klettier

Hi,

Snyk is detecting this CVE for the json-smart dependency, which should be upgraded from 2.4.8 to at least version 2.4.9.

Thx

@bschuhmann

Even though the direct dependency to json-smart has been updated with 1.13.7, the old version is still a transitive dependency of com.nimbusds:oauth2-oidc-sdk:9.35.

@lilgreenbird

We (MS JDBC Driver) are seeing this as well, as we use msal4j, so this is a transitive dependency for our driver. This is getting flagged by component governance on Azure DevOps as a high severity issue; I have just filed a vulnerability report on this as well: https://msrc.microsoft.com/report/vulnerability/VULN-096883. For reference please see:

https://www.cve.org/CVERecord?id=CVE-2023-1370
https://nvd.nist.gov/vuln/detail/CVE-2023-1370
https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-3369748

The recommendation is to upgrade to 2.4.10: this vulnerability was fixed in json-smart version 2.4.9, but the maintainer recommends upgrading to 2.4.10 due to a remaining bug.

@siddhijain
Contributor

@lilgreenbird Have you tried updating to the latest release 1.13.7 where we updated this library's version to 2.4.10? https://repo1.maven.org/maven2/com/microsoft/azure/msal4j/1.13.7/

@siddhijain
Contributor

@bschuhmann We will work on updating the nimbus library version in the next release. For a transitive dependency, you can explicitly exclude the undesired version.

@lilgreenbird

@lilgreenbird Have you tried updating to the latest release 1.13.7 where we updated this library's version to 2.4.10? https://repo1.maven.org/maven2/com/microsoft/azure/msal4j/1.13.7/

Yes, and I've even tried the latest 1.14.0-beta.

@siddhijain
Contributor

1.14.0-beta does not have the relevant changes. We released 1.13.7 with a version update for json-smart. If you get tagged with CVEs due to transitive dependency from nimbus, can you try excluding the json-smart dependency?
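As an added example (not from this issue thread or the MSAL Java project), here are the two ways to do what is suggested above in a Maven pom.xml: pin json-smart through dependencyManagement so that every transitive path resolves to 2.4.10, and/or exclude the 2.4.8 that oauth2-oidc-sdk 9.35 brings in under msal4j 1.13.7 and declare the patched version directly. The coordinates for json-smart (net.minidev) and msal4j (com.microsoft.azure) follow the Snyk and Maven links in the thread; the enclosing project and the choice of 2.4.10 as the target version follow the thread, everything else is assumed.

```xml
<!-- Added example, not code from the issue or from MSAL Java.
     Assumes a project that depends on msal4j 1.13.7 and wants json-smart 2.4.10 resolved everywhere. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Option 1: a managed version applies to direct AND transitive occurrences,
           so json-smart resolves to 2.4.10 on every path, including via oauth2-oidc-sdk. -->
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>2.4.10</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.microsoft.azure</groupId>
      <artifactId>msal4j</artifactId>
      <version>1.13.7</version>
      <exclusions>
        <!-- Option 2: an exclusion on msal4j removes json-smart from the whole subtree
             beneath it, which is where oauth2-oidc-sdk 9.35 pulls in 2.4.8. -->
        <exclusion>
          <groupId>net.minidev</groupId>
          <artifactId>json-smart</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- With the exclusion in place, declare the patched version directly so it is
         still on the runtime classpath for the code that needs it. -->
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>2.4.10</version>
    </dependency>
  </dependencies>
</project>
```

Either mechanism alone is enough in Maven; using both is harmless. After editing the POM, confirm that only the patched version is resolved with `mvn dependency:tree -Dincludes=net.minidev:json-smart` and then rerun the scanner (Snyk, or component governance on Azure DevOps) against the rebuilt artifact, since those tools report on the resolved graph rather than on the declared direct dependency.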

@lilgreenbird

OK, you are right; I didn't see 1.13.7 listed in Maven before. So this does update to 2.4.10; however, as mentioned by @bschuhmann, there's still a transitive dependency on 2.4.8 via oauth2-oidc-sdk 9.35:

[image]

@siddhijain
Contributor

So the latest version of the nimbus library uses 2.4.8 of json-smart. We can raise an issue in their library to get the version updated.

@akonarska

Hi @siddhijain, it seems that nimbus updated the version of json-smart in version 10.7.1 (based on Maven Central, https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk/10.7.1). Could you share when you plan to upgrade nimbus?

@Avery-Dunn
Collaborator

@akonarska : As of the recent 1.13.8 release, we're now using 10.7.1 of oauth2-oidc-sdk. Once you update, let us know if you're still having issues with transitive dependencies.

@akonarska

@Avery-Dunn I'm still waiting for azure-identity to pick up this update and will report back when I am able to bump that. They seem to be working on that now: Azure/azure-sdk-for-java#34504

@billwert

@akonarska Hello! This will be in our Identity release in early May.

@Avery-Dunn
Collaborator

Closing this thread since the dependencies have been updated in MSAL Java. If there are still issues or any related questions, feel free to leave a comment or re-open.
