azure-activedirectory-library-for-java

Vulnerability introduced by com.nimbusds:oauth2-oidc-sdk v9.4

Open cheenamalhotra opened this issue 4 years ago • 0 comments

com.nimbusds:oauth2-oidc-sdk v9.4 depends on net.minidev » json-smart v1.3.3,2.4.2, which introduces the below-mentioned vulnerability.

https://github.com/AzureAD/azure-activedirectory-library-for-java/blob/72dd774534adefa97c62289747b536ca12e6641c/pom.xml#L70-L74

Vulnerability details

CVE-2021-31684

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.

Severity

Medium

Recommendation

Upgrade to version net.minidev:json-smart:1.3.3,2.4.5

For ADAL: Upgrade to com.nimbusds:oauth2-oidc-sdk v9.5+

cheenamalhotra, Nov 16 '21 23:11
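
Added example (not part of the original issue or the ADAL project's code): a Python check that scans `mvn dependency:tree` output for `net.minidev:json-smart` and flags resolved versions below the fixed releases named in the recommendation above. The sample tree, the `com.example` coordinates and the function names are constructed for illustration.

```python
import re

# Fixed versions per release line, taken from the issue's recommendation.
FIXED = {1: (1, 3, 3), 2: (2, 4, 5)}

# Matches a json-smart node as printed by `mvn dependency:tree`,
# e.g. "net.minidev:json-smart:jar:2.4.2:compile".
COORD = re.compile(r"net\.minidev:json-smart:jar:(\d+(?:\.\d+)*)[^:\s]*:(\w+)")

# Constructed sample output; only oauth2-oidc-sdk 9.4 and json-smart come from the issue.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:9.4:compile
[INFO] |  \- net.minidev:json-smart:jar:2.4.2:compile
[INFO] +- com.example:patched-lib:jar:3.1.0:compile
[INFO] |  \- net.minidev:json-smart:jar:2.4.5:compile
[INFO] \- com.example:legacy-test-util:jar:0.9.0:test
[INFO]    \- net.minidev:json-smart:jar:1.3.1:test
"""

def parse_version(text):
    """Turn '2.4.2' into (2, 4, 2), padded or cut to three components."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def audit(tree_output):
    """Return [(version, scope, status)] for every json-smart node found."""
    findings = []
    for match in COORD.finditer(tree_output):
        version, scope = match.group(1), match.group(2)
        parsed = parse_version(version)
        floor = FIXED.get(parsed[0])
        if floor is None:
            status = "unknown-line"  # release line not covered by the issue
        elif parsed < floor:
            status = "vulnerable"
        else:
            status = "ok"
        findings.append((version, scope, status))
    return findings

if __name__ == "__main__":
    for version, scope, status in audit(SAMPLE_TREE):
        print(f"json-smart {version} ({scope}): {status}")
```

Test-scoped copies are reported as well, since they still appear on build and CI classpaths.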