CVE-2023-52428 in dependency com.nimbusds:nimbus-jose-jwt #2041
Comments
|
thanks for bringing this to our attention. |
|
I take it this CVE is still not addressed based on this commit We are currently very old MSAL version 4.4.0 - and our gradle.lockfile is flagging CVE-2023-52428. Is there version where this issue is fixed? |
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
MSAL 5.1.0 (most recent so far) has a dependency on com.nimbusds:nimbus-jose-jwt:9.9 which has the following vulnerability:
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
https://nvd.nist.gov/vuln/detail/CVE-2023-52428
https://ossindex.sonatype.org/vulnerability/CVE-2023-52428
Mitigation: Please update com.nimbusds:nimbus-jose-jwt dependency to v9.37.2 or newer
The text was updated successfully, but these errors were encountered: