CVE in openid-connect-client

[arunkumarthangavel]

We scanned a project using dependency check plugin and it showed below CVEs in openid-connect-client.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27568
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8908
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14379
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27568
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17195
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1652
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1652
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22978
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000027

Is there any version available without the above CVEs?

[juananinca]

I would add some more CVE's to the @arunkumarthangavel 's list.

CVE-2018-1260
CVE-2019-3778
CVE-2018-15758

This is because spring-security-oauth2 dependency is currently in 2.1.0.RELEASE:

        <dependency>  
		<groupId>org.springframework.security.oauth</groupId>  
		<artifactId>spring-security-oauth2</artifactId>  
		<version>2.1.0.RELEASE</version>  
	</dependency>  

and it should be updated.

[pmayeur]

Is there any update on these CVEs? Any timeline for a fix?