CVE-2017-12973

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2017-12973

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12973.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2017-12973

Aliases

GHSA-jfmq-4g4m-99rh

Published

2017-08-20T16:29:00Z

Modified

2025-10-21T04:10:31.312772Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

References

Affected packages

Git / bitbucket.org/connect2id/nimbus-jose-jwt

Affected ranges

Type: GIT
Repo: https://bitbucket.org/connect2id/nimbus-jose-jwt
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

6a29f10f723f406eb25555f55842c59a43a38912

Affected versions

2.*

2.0

2.0.1

2.1

2.1.1

2.10

2.10.1

2.11.0

2.12.0

2.13.0

2.13.1

2.14.0

2.15.0

2.15.1

2.15.2

2.16

2.17

2.17.1

2.17.2

2.18

2.18.1

2.18.2

2.19

2.19.1

2.2

2.20

2.21

2.22

2.22.1

2.23

2.24

2.25

2.26

2.26.1

2.3

2.4

2.5

2.6

2.7

2.8

2.9

3.*

3.0

3.1

3.1.1

3.1.2

3.10

3.2

3.2.1

3.2.2

3.3

3.4

3.5

3.6

3.7

3.8

3.8.1

3.8.2

3.9

3.9.1

3.9.2

4.*

4.0

4.0-rc1

4.0-rc2

4.0-rc3

4.0-rc4

4.0.1

4.1

4.1.1

4.10

4.11

4.11.1

4.11.2

4.12

4.13.1

4.14

4.15

4.15.1

4.16

4.16.1

4.16.2

4.17

4.18

4.19

4.2

4.20

4.21

4.22

4.23

4.24

4.25

4.26

4.26.1

4.27

4.27.1

4.28

4.29

4.3

4.3.1

4.30

4.31.1

4.32

4.33

4.34

4.34.1

4.34.2

4.35

4.36

4.36.1

4.37

4.37.1

4.38

4.4

4.5

4.6

4.7

4.8

4.9

Database specific

vanir_signatures

[
    {
        "deprecated": false,
        "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "36435077182769648824144539200763482764",
                "221225405666008085863157926433643063529",
                "248275944443145673308968769694312607101",
                "320447986941090818350865767914465061256",
                "257738106142193723590480276808990837124",
                "190253527059679348300378316158431539755",
                "15674162120766882722956143379512560123"
            ]
        },
        "target": {
            "file": "src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java"
        },
        "id": "CVE-2017-12973-83ba7880",
        "signature_version": "v1",
        "signature_type": "Line"
    },
    {
        "deprecated": false,
        "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
        "digest": {
            "function_hash": "30873108536757750440668463301508600213",
            "length": 831.0
        },
        "target": {
            "function": "decryptAuthenticated",
            "file": "src/main/java/com/nimbusds/jose/crypto/AESCBC.java"
        },
        "id": "CVE-2017-12973-8fddb8aa",
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "deprecated": false,
        "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
        "digest": {
            "function_hash": "236213427891800737982253186864940241476",
            "length": 1109.0
        },
        "target": {
            "function": "decryptWithConcatKDF",
            "file": "src/main/java/com/nimbusds/jose/crypto/AESCBC.java"
        },
        "id": "CVE-2017-12973-bc84ece8",
        "signature_version": "v1",
        "signature_type": "Function"
    },
    {
        "deprecated": false,
        "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "35018700141178900754895011799387586413",
                "23210894372056268032297871442564513847",
                "102375337653080225852646387558193098844",
                "143802061001915409894760621002970574355",
                "186448877813480750470093697857407943500",
                "156186524451473883298028680057499734344",
                "314799720785399631741077152447637097045",
                "332890821269199314396999039272601680450",
                "115380475547764836096130112939018077308",
                "112515943459359502487605947776116967647",
                "172612522757869334105109761993727279884",
                "142039361351170592512047791599796892391",
                "95946088047134294800092685466486312825",
                "60152373669270615370440034498579187985",
                "280492070757543771453027851327819029791",
                "221403414440494563007614824018889324485",
                "1894466923688934958026594011629943405",
                "59741151086996169066197142383462513440",
                "233078262287712076948859519221598030403",
                "30861009376071704210913003331615204446",
                "332947917171967944776808918114577282512",
                "18136453160694785944270925616851898192",
                "40475491843953653643162699661677929363",
                "151246875674351598710595633477384636928",
                "322974018495388437913836007418169443313",
                "76069166384751547997871421196598149788",
                "44437097317994459278761123799175645327",
                "277190829670493988396513370163311149761",
                "94546924572782216804672716981269134975",
                "82318690769468239319429518385763591879"
            ]
        },
        "target": {
            "file": "src/main/java/com/nimbusds/jose/crypto/AESCBC.java"
        },
        "id": "CVE-2017-12973-f4fd57ce",
        "signature_version": "v1",
        "signature_type": "Line"
    }
]