CVE-2024-57699 in net.minidev:json-smart@2.5.1 #908

Closed
mehradrafigh opened this issue Feb 12, 2025 · 6 comments
Labels
Dependencies Pull requests that update a dependency file P2 Normal priority items, should be done after P1

Comments

@mehradrafigh

There is a potential security issue in net.minidev:json-smart@2.5.1, which is listed on Maven Central and can be found via Snyk.

net.minidev.json-smart already released the fix with version 2.5.2

Please consider updating the dependency as soon as it is available through Maven Central.

@Avery-Dunn
Collaborator

Hello @mehradrafigh: Thanks for letting us know, we'll use 2.5.2 of json-smart in our next release.

For now, last week we downgraded to a json-smart version which didn't seem to have the CVE and released 1.19.0 of our library: #905

@Avery-Dunn Avery-Dunn added Dependencies Pull requests that update a dependency file P2 Normal priority items, should be done after P1 labels Feb 12, 2025
@petarov

petarov commented Feb 18, 2025

The way I understand it, json-smart:2.5.1 is actually a dependency of com.nimbusds:oauth2-oidc-sdk:11.18, so even if it is downgraded in msal4j:1.19.0, build tools like Gradle will resolve the higher version unless it is manually enforced in the dependent project.

net.minidev:json-smart:2.5.1
\--- com.nimbusds:oauth2-oidc-sdk:11.18
     \--- com.microsoft.azure:msal4j:1.19.0
          +--- compileClasspath (requested com.microsoft.azure:msal4j:{require 1.19.0; reject _})
          +--- com.azure:azure-identity:1.14.2 (requested com.microsoft.azure:msal4j:1.17.2)
          |    \--- compileClasspath (requested com.azure:azure-identity:{require 1.14.2; reject _})
          \--- com.microsoft.azure:msal4j-persistence-extension:1.3.0 (requested com.microsoft.azure:msal4j:1.15.0)
               \--- com.azure:azure-identity:1.14.2 (*)

net.minidev:json-smart:2.4.11 -> 2.5.1
\--- com.microsoft.azure:msal4j:1.19.0
     +--- compileClasspath (requested com.microsoft.azure:msal4j:{require 1.19.0; reject _})
     +--- com.azure:azure-identity:1.14.2 (requested com.microsoft.azure:msal4j:1.17.2)
     |    \--- compileClasspath (requested com.azure:azure-identity:{require 1.14.2; reject _})
     \--- com.microsoft.azure:msal4j-persistence-extension:1.3.0 (requested com.microsoft.azure:msal4j:1.15.0)
          \--- com.azure:azure-identity:1.14.2 (*)
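
As an added example (not code from this thread or from msal4j), a small Python check that reads Gradle `dependencies` output like the tree above, reports which declared versions lost conflict resolution (the `->` lines) and flags resolved versions of an artifact that are older than a given fixed release; the sample tree is constructed from the output quoted here, and the version ordering is a simplified numeric comparison.

```python
import re

# One Gradle "dependencies" tree line, once the drawing prefix is stripped:
# "group:artifact:requested" or "group:artifact:requested -> resolved" when
# conflict resolution replaced the version this node declared.
_DEP_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<name>[\w.-]+):(?P<requested>[\w.+-]+)"
    r"(?:\s*->\s*(?P<resolved>[\w.+-]+))?"
)

# Constructed sample, trimmed from the Gradle output quoted in the thread.
SAMPLE_TREE = r"""
net.minidev:json-smart:2.5.1
\--- com.nimbusds:oauth2-oidc-sdk:11.18
     \--- com.microsoft.azure:msal4j:1.19.0
          +--- compileClasspath (requested com.microsoft.azure:msal4j:{require 1.19.0; reject _})
          \--- com.azure:azure-identity:1.14.2 (requested com.microsoft.azure:msal4j:1.17.2)

net.minidev:json-smart:2.4.11 -> 2.5.1
\--- com.microsoft.azure:msal4j:1.19.0
"""

def parse_tree(tree_text):
    """Yield (group, artifact, requested, resolved) for every dependency node."""
    for raw in tree_text.splitlines():
        m = _DEP_RE.match(raw.lstrip(" |\\+-"))  # drop the tree-drawing characters
        if m:
            yield m["group"], m["name"], m["requested"], m["resolved"] or m["requested"]

def overridden(tree_text):
    """Nodes whose declared version lost conflict resolution (the '->' lines)."""
    return [(f"{g}:{n}", req, res)
            for g, n, req, res in parse_tree(tree_text) if req != res]

def version_key(v):
    # Plain dotted numeric versions only (2.4.11 < 2.5.1); a non-numeric part
    # counts as 0. That is an assumption, not Gradle's full ordering rules.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def below_fixed(tree_text, coordinate, fixed):
    """Versions of group:artifact that ended up on the classpath below `fixed`."""
    group, name = coordinate.split(":")
    found = {res for g, n, _, res in parse_tree(tree_text) if (g, n) == (group, name)}
    return sorted(v for v in found if version_key(v) < version_key(fixed))
```

Running `below_fixed(SAMPLE_TREE, "net.minidev:json-smart", "2.5.2")` on the sample shows that 2.5.1, not msal4j's declared 2.4.11, is what actually reaches the classpath.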

@Avery-Dunn
Collaborator

Avery-Dunn commented Feb 18, 2025

@petarov: I'm more familiar with Maven, which prioritizes versions directly mentioned in the pom file, so if you just had msal4j (and oauth2-oidc-sdk was a transitive dependency through it) then I believe it would pull in json-smart:2.4.11. But if you had multiple json-smart transitive dependencies then it probably would default to the highest option.

Either way, at the time we released msal4j:1.19.0 the newest non-vulnerable version was json-smart:2.4.11. For the next release we'll add more exclusions to transitive dependencies to better control what versions are used, and in other upcoming releases we're planning on removing as many dependencies as we can anyway: #909

@petarov

petarov commented Feb 18, 2025

Yes, you're right. There is a discrepancy in Maven vs. Gradle resolution strategy. I haven't used Maven for a while and forgot that it was different there. Thanks, looking forward to the next release.

@dfa1

dfa1 commented Feb 27, 2025

Would it be possible to fix and release this soon?

@Avery-Dunn
Collaborator

Avery-Dunn commented Feb 28, 2025

Hey all, msal4j 1.19.1 was released yesterday to bump the json-smart and oauth2-oidc-sdk versions: https://mvnrepository.com/artifact/com.microsoft.azure/msal4j/1.19.1

There shouldn't be any more issues with the CVE, but if there are still problems or any other issues feel free to re-open this thread or start a new one.
