CVE-2021-27568

Question

CVE-2021-27568

Closed this issue 3 years ago · 3 comments

sirocchj commented 3 years ago

OCI Object storage brings in the following:

com.oracle.oci.sdk:oci-java-sdk-objectstorage@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-common@1.33.2 › com.nimbusds:nimbus-jose-jwt@8.5 › net.minidev:json-smart@2.3
com.oracle.oci.sdk:oci-java-sdk-objectstorage@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-common@1.33.2 › com.nimbusds:nimbus-jose-jwt@8.5 › net.minidev:json-smart@2.3
com.oracle.oci.sdk:oci-java-sdk-objectstorage@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated@1.33.2 › com.oracle.oci.sdk:oci-java-sdk-common@1.33.2 › com.nimbusds:nimbus-jose-jwt@8.5 › net.minidev:json-smart@2.3

See netplex/json-smart-v2#62

Answer 1 · 2021-04-07T14:01:12.000Z

@sirocchj this appears to be fixed? at least the latest build passes Snyk with no problem.

Answer 2 · 2021-04-07T15:30:29.000Z

Not yet. The vulnerability was just reduced in scoring AFAICT.

This issue is from a third party, pulled inside the OCI SDK by nimbus-jose-jwt, which addressed it in its latest. However, OCI SDK is lagging significantly behind, see here.

Answer 3 · 2021-05-09T08:28:01.000Z

This is now closed with latest SDK at time of writing