upgrading nimbus-jose-jwt to version 9.31

Anoop Chitreddy

Mar 22, 2023, 3:02:32 AM
to WildFly
Hi, 

We are currently using wildfly-27.0.1.Final built using the WildFly feature pack. Recently we received a warning from our dependency check tool indicating that json-smart v2.4.8 is triggering a High severity CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1370

While upgrading this, we found that nimbus-jose-jwt 9.23, shipped with WildFly 27.0.1.Final, has a shaded json-smart with the CVE. Would we be safe to upgrade nimbus-jose-jwt to version 9.31? I am asking this question because the module file for nimbus-jose-jwt in WildFly marks it as a private dependency. Is there any plan to upgrade nimbus-jose-jwt in the next release of WildFly?
------------------------------------------------------------------------------------------------------------------------
<module name="com.nimbusds.nimbus-jose-jwt" xmlns="urn:jboss:module:1.9">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="nimbus-jose-jwt-9.23.jar"/>
    </resources>

    <dependencies>
    </dependencies>
</module>
------------------------------------------------------------------------------------------------------------------------

 
Appreciate your help.

Anoop
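
Added example (not part of the original post, and not WildFly or Nimbus code): one way to confirm what a dependency check tool reports about a shaded jar is to list the Maven metadata embedded in it. It assumes the shaded jar still carries the bundled artifact's `META-INF/maven/.../pom.properties`, which shading does not guarantee; the function names and the sample jar contents are constructed for illustration.

```python
import io
import sys
import zipfile

def embedded_artifacts(jar_bytes):
    """Map groupId:artifactId -> version for each META-INF/maven pom.properties."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.properties")):
                continue
            props = {}
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                # Skip comment lines such as the generated timestamp header.
                if "=" in line and not line.lstrip().startswith("#"):
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[f'{props["groupId"]}:{props["artifactId"]}'] = props["version"]
    return found

def bundled_copies(jar_bytes, own_artifact_id):
    """Artifacts embedded in the jar other than the jar's own artifact."""
    return {ga: v for ga, v in embedded_artifacts(jar_bytes).items()
            if ga.split(":", 1)[1] != own_artifact_id}

def build_sample_jar():
    """Constructed stand-in for a shaded jar; not the real nimbus-jose-jwt contents."""
    entries = {
        "META-INF/maven/com.nimbusds/nimbus-jose-jwt/pom.properties":
            "#Generated\ngroupId=com.nimbusds\nartifactId=nimbus-jose-jwt\nversion=9.23\n",
        "META-INF/maven/net.minidev/json-smart/pom.properties":
            "groupId=net.minidev\nartifactId=json-smart\nversion=2.4.8\n",
        "com/nimbusds/jose/JWSObject.class": "",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Pass a real jar path, or run with no argument to use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for coords, version in sorted(bundled_copies(data, "nimbus-jose-jwt").items()):
        print(f"bundled: {coords}:{version}")
```

Running it against both the shipped jar and the candidate replacement shows whether the flagged json-smart copy is still bundled after the upgrade.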