Update nimbus-jose-jwt because of CVE-2019-17195

[MichaelVetter]

There is a Security Vulnerability in com.nimbusds:nimbus-jose-jwt:7.8 and older see
https://nvd.nist.gov/vuln/detail/CVE-2019-17195

Please update the dependency to nimbus-jose-jwt 7.9 or newer (currently 8.2).
Can this also be updated in the older branches like 5.0.x ?

[jzheaux]

Thanks for the report, @MichaelVetter. We'll make sure this gets updated in 5.3.

Regarding earlier releases, we typically don't pick up minor releases of other dependencies inside of a patch release. There are several reasons for that, but one of the immediate reasons is that Spring Boot won't pick up a patch release (of Spring Security) that contains a minor release upgrade (of Nimbus).

Could you tell me a bit more about what you are trying to accomplish? For example, if you are using Spring Boot for dependency management, you would still either need to manage the Spring Security dependency or the Nimbus dependency yourself until Boot picks up Spring Security's next minor release (5.3).

[MichaelVetter]

If there are no code adaptions to Spring Security that are necessary because of the dependency update then we can handle the versions with maven. However, users that are not aware of this CVE will get the insecure dependency when they use the other branches.