2.x: Upgrade nimbus-jose-jwt
barchetta opened this issue · 1 comment
barchetta commented
OCI SDK 2.58.0 depends on nimbus-jose-jwt 9.15.2, which includes (shaded) json-smart 2.4.7, which has CVE-2023-28867.
Apparently nimbus-jose-jwt 9.24.2 removes json-smart and switches to gson (see comments at bottom of https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/239/switch-to-other-json-library).
Could you please upgrade nimbus-jose-jwt to 9.24.2 or newer?
joshunter commented
Hi @barchetta, the latest version of the legacy SDK, v2.60.1, addresses this issue. See https://github.com/oracle/oci-java-sdk/blob/v2.60.1/pom.xml#L58