Connect2id server and CVE-2023-5072
Our CVE scanner recently returned a denial of service (DoS) vulnerability for the JSON.org dependency org.json:json:20230227:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5072
Fortunately, the Connect2id server uses this dependency in a single, non-critical place: to evaluate JSON Path queries as part of a configuration check in the optional software statement verifier (SSV) plugin.
There is no need to take action unless all of the following apply:
- You have enabled open dynamic client registration: op.reg.allowOpenRegistration=true
- Your Connect2id server deployment has the SSV plugin enabled: op.ssv.enable=true
- The plugin is configured with op.ssv.scopeRules.* entries that represent JSON Path queries.
Because the scope rules check is performed only after the software statement has been successfully authenticated (its JWS signature validated), an unauthenticated party cannot reach the vulnerable parser, and the DoS exploitation risk is minimal.
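A quick way to evaluate the three conditions above against a deployment, as an added example that is not Connect2id code and not part of the original advisory: the script reads a Java .properties file (the location, e.g. WEB-INF/oidcProvider.properties, is deployment specific and assumed here), reports whether all three conditions hold, and runs itself against two constructed sample configurations whose scope rule values are made up for illustration.

```shell
#!/bin/sh
# Added example (not Connect2id code): check the CVE-2023-5072 exposure
# conditions for the SSV plugin against a Connect2id server properties file.
# Assumes Java .properties syntax (key=value or key: value); the file path,
# e.g. WEB-INF/oidcProvider.properties, is an assumption of this example.

# prop_value FILE KEY -> prints the value of KEY (last definition wins), empty if unset
prop_value() {
  # KEY is matched literally: escape the regex metacharacters (the dots)
  key_re=$(printf '%s' "$2" | sed 's/[][\.*^$]/\\&/g')
  sed -n "s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$1" | tail -n 1
}

# scope_rule_count FILE -> number of op.ssv.scopeRules.* entries (0 if none)
scope_rule_count() {
  grep -Ec '^[[:space:]]*op\.ssv\.scopeRules\.[^=:[:space:]]+[[:space:]]*[=:]' "$1" || true
}

# ssv_dos_exposed FILE -> exit 0 if all three advisory conditions hold, 1 otherwise
ssv_dos_exposed() {
  [ "$(prop_value "$1" op.reg.allowOpenRegistration)" = "true" ] || return 1
  [ "$(prop_value "$1" op.ssv.enable)" = "true" ] || return 1
  [ "$(scope_rule_count "$1")" -gt 0 ] || return 1
}

# Constructed sample configurations (not from a real deployment; the JSON Path
# values are placeholders, not the plugin's documented rule syntax).
write_exposed_sample() {
  cat > "$1" <<'EOF'
# open registration plus the SSV plugin with a JSON Path scope rule
op.reg.allowOpenRegistration=true
op.ssv.enable=true
op.ssv.scopeRules.email=$.software_roles[*]
EOF
}

write_safe_sample() {
  cat > "$1" <<'EOF'
# registration requires an access token, so the remaining conditions are moot
op.reg.allowOpenRegistration=false
op.ssv.enable=true
op.ssv.scopeRules.email=$.software_roles[*]
EOF
}

tmp=$(mktemp -d)
write_exposed_sample "$tmp/exposed.properties"
write_safe_sample "$tmp/safe.properties"
for f in "$tmp"/*.properties; do
  if ssv_dos_exposed "$f"; then
    echo "$f: all three conditions hold, update the SSV plugin"
  else
    echo "$f: not exposed, no action needed"
  fi
done
rm -rf "$tmp"
```

The check only sees what is in the file; overrides applied by other means, such as Java system properties, are not taken into account, so compare against the effective configuration of the running server if you use them.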
We have released a patched SSV plugin that bumps the org.json:json dependency to 20231013:
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>software-statement-verifier</artifactId>
    <version>2.2.6</version>
</dependency>
The patched SSV plugin will be included in the next Connect2id server release.