From f4d2fdaadd2d7d7b8e4273c4f946bbe276d0b667 Mon Sep 17 00:00:00 2001
From: Andreas Svanberg <andreass@dsv.su.se>
Date: Thu, 20 Feb 2025 14:10:22 +0100
Subject: [PATCH] Fix CVE-2024-57699 by override transitive dependency version

The overriding should be removed once Spring Security updates its dependencies.
---
 pom.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/pom.xml b/pom.xml
index 42018f99dc..a43a6491cd 100755
--- a/pom.xml
+++ b/pom.xml
@@ -39,6 +39,12 @@
         <jersey.version>3.1.6</jersey.version>
         <poi.version>5.2.5</poi.version>
         <jackson.version>2.17.0</jackson.version>
+
+        <!--
+            When updating spring-boot check if the transitive dependency on json-smart has been
+            updated to 2.5.2 or later.
+            If so, remove the dependency managed version of json-smart
+        -->
         <spring.boot.version>3.4.1</spring.boot.version>
         <springdoc.openapi.version>2.8.3</springdoc.openapi.version>
 
@@ -213,6 +219,20 @@
                 <version>2.0.2</version>
                 <scope>runtime</scope>
             </dependency>
+            <dependency>
+                <!--
+                2.5.1 is brought in transitively by
+                  spring-boot-starter-oauth2-client
+                    spring-security-oauth2-client
+                      oauth2-oidc-sdk
+                        json-smart
+                it has a known security vulnerability that's fixed in 2.5.2
+                should be removed when spring-boot-starter-oauth2-client is updated
+                -->
+                <groupId>net.minidev</groupId>
+                <artifactId>json-smart</artifactId>
+                <version>2.5.2</version>
+            </dependency>
 
             <!-- Test stuff -->
             <dependency>
-- 
2.39.5