From 04c1102929b2253ad74272b7d5d8f9a01914620c Mon Sep 17 00:00:00 2001
From: Indhumathi <indhumathim27@gmail.com>
Date: Thu, 6 Feb 2025 18:27:09 +0530
Subject: [PATCH] HIVE-28704: Upgrade pac4j core and opensamlv3 and exclude
 Javax.json to fix CVE-2023-7272 (#5620) (Indhumathi Muthumurugesh, reviewed
 by Shohei Okumiya)

---
 pom.xml                      | 6 +++++-
 service/pom.xml              | 4 ++++
 standalone-metastore/pom.xml | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index f16874246174..80eafeb19dc7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -190,7 +190,7 @@
     <netty.version>4.1.116.Final</netty.version>
     <netty3.version>3.10.5.Final</netty3.version>
     <!-- used by druid storage handler -->
-    <pac4j-saml.version>4.5.5</pac4j-saml.version>
+    <pac4j-saml.version>4.5.8</pac4j-saml.version>
     <paranamer.version>2.8</paranamer.version>
     <parquet.version>1.14.4</parquet.version>
     <pig.version>0.16.0</pig.version>
@@ -880,6 +880,10 @@
             <groupId>org.javassist</groupId>
             <artifactId>javassist</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>org.glassfish</groupId>
+            <artifactId>javax.json</artifactId>
+          </exclusion>
           <exclusion>
             <!-- The dependency included in pac4j is old and has known CVEs.
             We exclude it from here and add a separate dependency down below.-->
diff --git a/service/pom.xml b/service/pom.xml
index 307050618aec..ec4fc6eea606 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -190,6 +190,10 @@
           <groupId>org.bouncycastle</groupId>
           <artifactId>bcprov-jdk15on</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.glassfish</groupId>
+          <artifactId>javax.json</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
diff --git a/standalone-metastore/pom.xml b/standalone-metastore/pom.xml
index 81e80833a8bf..7389058e8678 100644
--- a/standalone-metastore/pom.xml
+++ b/standalone-metastore/pom.xml
@@ -108,7 +108,7 @@
     <slf4j.version>1.7.30</slf4j.version>
     <httpcomponents.core.version>4.4.13</httpcomponents.core.version>
     <httpcomponents.client.version>4.5.13</httpcomponents.client.version>
-    <pac4j-core.version>4.5.5</pac4j-core.version>
+    <pac4j-core.version>4.5.8</pac4j-core.version>
     <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
     <jetty.version>9.4.45.v20220203</jetty.version>
     <javax.annotation-api.version>1.3.2</javax.annotation-api.version>