Security issue in JWT 5.4.0

[alensiljak]

Hi!
The Jwt 5.4.0 is flagged as a security risk by SonarQube. It is used by Microsoft.AzureServiceBus.

Upgrading JWT to at least 5.7.0 would fix this.

[alensiljak]

😱

Do you have plans on updating the dependencies?

[niemyjski]

Hello,

We'd be willing to accept any pr's to update this.

[alensiljak]

Microsoft.Azure.ServiceBus is deprecated so it's a bit of a bigger issue than just a PR.

https://www.nuget.org/packages/Microsoft.Azure.ServiceBus

[niemyjski]

We need to get the azure libs updated and it's on our list (pr would be very grateful if you have some time). Problem is they keep coming out with a completely new package of which seems yearly and the one after this one had crazy management libraries, they've since removed due to pushback.

[alensiljak]

Thanks for the feedback! I'd like to help but, as usual, it's a matter of availability of time.
I'm waiting for some guidelines on how to proceed.

[alensiljak]

The quickest solution to this particular issue is to force a (currently) safe version of Jwt by adding

<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />

to the project file. So, no pressure for now, until some other vulnerability is identified. :)