Hi
Hope you are doing well.
We are currently using this component in our solution (v4.0.4, but the issue exists on the latest one as well) and wanted to let you know that a security vulnerability has been found in the 'System.Text.Json@7.0.3' dependency that is being used in the JWT_Core extension.
Additionally, it seems that dependency is not being used.
Do you confirm that this dependency can be safely removed?
Are you planning to release a new version addressing this vulnerability?
You can check the vulnerability here: https://security.snyk.io/vuln/SNYK-DOTNET-SYSTEMTEXTJSON-7433719
Best Regards
Hi Luís,
Thank you for letting us know. This dependency can't be removed because it is transitively referenced by Microsoft.IdentityModel.JsonWebTokens, Microsoft.IdentityModel.Tokens and System.IdentityModel.Tokens.Jwt.
I prepared a new version of the JWT Forge component to remediate this vulnerability (v4.1.2), with System.Text.Json now upgraded to 8.0.4.
Please let us know if it fixes your issue: https://www.outsystems.com/forge/component-overview/1853/jwt-o11
Thank you
Thanks for the quick reply. We will check the new version then :)
Best Regards.
There seems to be a similar issue now, which should be patched by referencing System.Text.Json version 8.0.5 or higher (link). Can you update the Forge component so that code analysis tools do not mention the vulnerability anymore? Is it sufficient to just update the PackageVersion field for the dependency in the file licenses.json?
Hi Jonathan,
Thanks for pointing out the vulnerability.
I uploaded a new version of the JWT component on the Forge, please try to download JWT v4.1.4 (in which System.Text.Json 8.0.4 has been replaced by System.Text.Json 8.0.5): https://www.outsystems.com/forge/component-overview/1853/jwt-o11
FYI, modifying the licenses.json file is not sufficient to fix the vulnerability. Many libraries have been upgraded in this new version as you can see in the release notes.
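The two technical points in this thread (the package cannot be dropped because it is pulled in transitively, and editing licenses.json does not change what actually ships) can be verified from the build's own manifest rather than from a scanner report. The script below is an added example written for this thread, not code from the JWT Forge component or from OutSystems. It reads the runtime dependency manifest that a .NET build emits (the `<app>.deps.json` next to the compiled extension), walks every chain from the root package to System.Text.Json, and compares the resolved version against a minimum. NuGet unifies each package to a single resolved version per target: the `Name/Version` key under `targets` is the version that ships, while the values under `dependencies` are only the lower bounds each package requested. The sample manifest is constructed for illustration; the package names follow the thread, but the versions and the exact dependency edges are assumptions.

```python
"""Audit a .NET .deps.json for a transitively referenced package (added example)."""
import json

# Constructed sample of a .deps.json. Names follow the thread; versions and
# edges are assumptions. Each "Name/Version" key is the resolved version that
# ships; the values under "dependencies" are only requested lower bounds.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v6.0", "signature": ""},
    "targets": {
        ".NETCoreApp,Version=v6.0": {
            "JwtExtension/4.0.4": {"dependencies": {
                "System.IdentityModel.Tokens.Jwt": "7.0.0",
                "Newtonsoft.Json": "13.0.3"}},
            "System.IdentityModel.Tokens.Jwt/7.0.0": {"dependencies": {
                "Microsoft.IdentityModel.JsonWebTokens": "7.0.0",
                "Microsoft.IdentityModel.Tokens": "7.0.0",
                "System.Text.Json": "7.0.3"}},
            "Microsoft.IdentityModel.JsonWebTokens/7.0.0": {"dependencies": {
                "Microsoft.IdentityModel.Tokens": "7.0.0",
                "System.Text.Json": "7.0.3"}},
            "Microsoft.IdentityModel.Tokens/7.0.0": {"dependencies": {
                "Microsoft.IdentityModel.Logging": "7.0.0",
                "System.Text.Json": "7.0.3"}},
            "Microsoft.IdentityModel.Logging/7.0.0": {"dependencies": {
                "Microsoft.IdentityModel.Abstractions": "7.0.0"}},
            "Microsoft.IdentityModel.Abstractions/7.0.0": {},
            "Newtonsoft.Json/13.0.3": {},
            "System.Text.Json/7.0.3": {"dependencies": {
                "System.Text.Encodings.Web": "7.0.0"}},
            "System.Text.Encodings.Web/7.0.0": {},
        }
    },
})


def parse_version(version):
    """Numeric tuple for a NuGet-style version. Dropping a '-prerelease' or
    '+metadata' suffix is a simplification (assumption) sufficient here."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def load_graph(deps_json_text):
    """Map package name -> (resolved version, {dependency: requested lower bound})."""
    doc = json.loads(deps_json_text)
    targets = doc["targets"]
    name = doc.get("runtimeTarget", {}).get("name")
    packages = targets.get(name) or next(iter(targets.values()))
    graph = {}
    for key, entry in packages.items():
        pkg, _, resolved = key.partition("/")
        graph[pkg] = (resolved, dict(entry.get("dependencies", {})))
    return graph


def find_chains(graph, root, target):
    """Every path root -> ... -> target, each node rendered as 'Name/resolved'."""
    chains = []

    def walk(pkg, path, seen):
        resolved, deps = graph.get(pkg, ("?", {}))
        path = path + [f"{pkg}/{resolved}"]
        if pkg == target:
            chains.append(path)
            return
        for dep in deps:
            if dep not in seen:  # cycle guard along the current path
                walk(dep, path, seen | {dep})

    walk(root, [], {root})
    return chains


def audit(deps_json_text, root, package, minimum):
    """Report the shipped version of `package`, who pulls it in, and whether it
    is below `minimum`. `dependents` are the packages that name it directly,
    i.e. the reason it cannot simply be deleted from the build."""
    graph = load_graph(deps_json_text)
    resolved = graph.get(package, (None, {}))[0]
    chains = find_chains(graph, root, package)
    return {
        "package": package,
        "resolved": resolved,
        "minimum": minimum,
        "vulnerable": resolved is not None and parse_version(resolved) < parse_version(minimum),
        "dependents": sorted({c[-2].split("/")[0] for c in chains if len(c) > 1}),
        "chains": [" -> ".join(c) for c in chains],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_DEPS_JSON, "JwtExtension", "System.Text.Json", "8.0.5")
    for chain in report["chains"]:
        print(chain)
    print(f"{report['package']} resolved {report['resolved']} "
          f"(minimum {report['minimum']}), vulnerable={report['vulnerable']}")
```

Run it against the real `<app>.deps.json` of a built extension to see which packages are the reason System.Text.Json is present and which version was actually resolved. Because the check reads the runtime manifest, a change to a licence inventory such as licenses.json leaves the result unchanged; only a build with an upgraded package changes the resolved `System.Text.Json/…` key.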
Thanks for the update!