Strimzi-Kafka-Oauth jsonpath to 2.8.0 due to CVE-2023-1370
cesaroangelo opened this issue · 1 comments
cesaroangelo commented
Hello,
Looking at the latest commits, the jsonpath library is being upgraded to 2.8.0, which implies the upgrade of json-smart to 2.4.10, fixing CVE-2023-1370.
```
+--- io.strimzi:kafka-oauth-common:0.12.0
|    +--- com.nimbusds:nimbus-jose-jwt:9.10 -> 9.31 (*)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.4.2 -> 2.14.2 (*)
|    \--- com.jayway.jsonpath:json-path:2.6.0
|         +--- net.minidev:json-smart:2.4.7
|         |    \--- net.minidev:accessors-smart:2.4.7
```
I have a question about this: is there a rough ETA regarding the next release?
Regards,
Angelo
mstruk commented
OAuth 0.13.0 CR1 is just around the corner with GA early next week.
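A check for the situation raised in this issue, added here as an example and not part of the thread or of the Strimzi project: it parses `gradle dependencies` style output and reports any `json-smart` node whose resolved version is below 2.4.10, the fixed version named in the issue. The function names and the `AFTER` tree are constructed for illustration; the 5-column indentation of the `BEFORE` tree is assumed.

```python
import re

# Minimum fixed version, taken from the issue text (json-smart 2.4.10, CVE-2023-1370).
FIXED = {"net.minidev:json-smart": "2.4.10"}
# One tree node: marker, group:artifact:requested, optional "-> resolved".
NODE = re.compile(
    r"(?P<marker>[+\\]---) (?P<ga>[^:\s]+:[^:\s]+):(?P<req>[^\s:]+)"
    r"(?: -> (?P<res>\S+))?"
)

def version_key(version):
    """Compare numerically, so 2.4.10 sorts after 2.4.7 (a string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def find_unfixed(tree_text, fixed=FIXED):
    """Return (coordinate, effective_version, path) for nodes below the fixed version."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.search(line)
        if not m:
            continue
        depth = m.start("marker") // 5  # assumed: 5 columns of indent per level
        effective = m.group("res") or m.group("req")  # "a -> b": b was resolved
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        stack.append(f"{m.group('ga')}:{effective}")
        minimum = fixed.get(m.group("ga"))
        if minimum and version_key(effective) < version_key(minimum):
            findings.append((m.group("ga"), effective, " > ".join(stack)))
    return findings

# Tree from the issue, with indentation restored.
BEFORE = r"""
+--- io.strimzi:kafka-oauth-common:0.12.0
|    +--- com.nimbusds:nimbus-jose-jwt:9.10 -> 9.31 (*)
|    +--- com.fasterxml.jackson.core:jackson-databind:2.13.4.2 -> 2.14.2 (*)
|    \--- com.jayway.jsonpath:json-path:2.6.0
|         +--- net.minidev:json-smart:2.4.7
|         |    \--- net.minidev:accessors-smart:2.4.7
"""
# Constructed tree: the same project after json-path and json-smart are bumped.
AFTER = r"""
+--- io.strimzi:kafka-oauth-common:0.12.0
|    \--- com.jayway.jsonpath:json-path:2.6.0 -> 2.8.0
|         \--- net.minidev:json-smart:2.4.7 -> 2.4.10
"""

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        print(name, find_unfixed(tree) or "ok")
```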