Fix CVE errors

apache · Mar 18, 2024 · 51d9b82 · 51d9b82
1 parent 86a2401
commit 51d9b82
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/extensions-core/druid-pac4j/pom.xml b/extensions-core/druid-pac4j/pom.xml
@@ -38,7 +38,7 @@
 
     <!-- Following must be updated along with any updates to pac4j version. One can find the compatible version of nimbus libraries in org.pac4j:pac4j-oidc dependencies-->
     <nimbus.lang.tag.version>1.7</nimbus.lang.tag.version>
-    <nimbus.jose.jwt.version>8.22.1</nimbus.jose.jwt.version>
+    <nimbus.jose.jwt.version>9.37.2</nimbus.jose.jwt.version>
     <oauth2.oidc.sdk.version>8.22</oauth2.oidc.sdk.version>
   </properties>
 

diff --git a/owasp-dependency-check-suppressions.xml b/owasp-dependency-check-suppressions.xml
@@ -664,4 +664,22 @@
     ]]></notes>
     <cve>CVE-2023-36415</cve>
   </suppress>
+  <suppress>
+    <!-- Covers DOS on identity server by triggering high resource consumption. Used in Azure as a client.
+    Current latest version of Azure BOM (1.2.21) still uses 9.30.2, whereas bug resolved in 9.37.3 -->
+    <notes><![CDATA[
+   file name: nimbus-jose-jwt-9.30.2.jar
+   ]]></notes>
+    <cve>CVE-2023-52428</cve>
+  </suppress>
+  <suppress>
+    <!-- Legit issues but currently use the latest ranger-plugins-audit jar v2.4.0 -->
+    <notes><![CDATA[
+     file name: solr-solrj-8.11.2.jar
+     ]]></notes>
+    <cve>CVE-2023-50291</cve>
+    <cve>CVE-2023-50298</cve>
+    <cve>CVE-2023-50386</cve>
+    <cve>CVE-2023-50292</cve>
+  </suppress>
 </suppressions>