[
https://issues.apache.org/jira/browse/HADOOP-19687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020886#comment-18020886
]
ASF GitHub Bot commented on HADOOP-19687:
-----------------------------------------
rohit-kb commented on PR #7965:
URL: https://github.com/apache/hadoop/pull/7965#issuecomment-3302275652
Hi @pjfanning, can we use this patch instead of the original one as I don't
see any progress on that? We need this upgrade in the downstream soon.
Also, it seems like the original patch hasn't handled the shading of
com.github.stephenc.jcip:jcip-annotations in later nimbus versions. Thanks
> Upgrade nimbus-jose-jwt to 10.0.2+ due to CVE-2025-53864
> --------------------------------------------------------
>
> Key: HADOOP-19687
> URL: https://issues.apache.org/jira/browse/HADOOP-19687
> Project: Hadoop Common
> Issue Type: Task
> Reporter: Rohit Kumar
> Priority: Major
> Labels: pull-request-available
>
> *CVE-2025-53864:*
> Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause
> a denial of service via a deeply nested JSON object supplied in a JWT claim
> set, because of uncontrolled recursion. NOTE: this is independent of the Gson
> 2.11.0 issue because the Connect2id product could have checked the JSON
> object nesting depth, regardless of what limits (if any) were imposed by Gson.
> Severity: 6.9 (medium)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
