GHSA-jfmq-4g4m-99rh

Suggest an improvement
Source
https://github.com/advisories/GHSA-jfmq-4g4m-99rh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfmq-4g4m-99rh/GHSA-jfmq-4g4m-99rh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jfmq-4g4m-99rh
Aliases
Published
2022-05-13T01:42:51Z
Modified
2023-11-08T03:58:54.759362Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Nimbus JOSE+JWT vulnerable to padding oracle attack
Details

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

References

Affected packages

Maven / com.nimbusds:nimbus-jose-jwt

Package

Name
com.nimbusds:nimbus-jose-jwt
View open source insights on deps.dev
Purl
pkg:maven/com.nimbusds/nimbus-jose-jwt

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.39

Affected versions

2.*

2.9
2.10
2.10.1
2.11.0
2.12.0
2.13.0
2.13.1
2.14.0
2.15.0
2.15.1
2.15.2
2.16
2.17
2.17.1
2.17.2
2.18
2.18.1
2.18.2
2.19
2.19.1
2.20
2.21
2.22
2.22.1
2.23
2.24
2.25
2.26
2.26.1

3.*

3.0
3.1
3.1.1
3.1.2
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.6
3.7
3.8
3.8.1
3.8.2
3.9
3.9.1
3.9.2
3.10

4.*

4.0-rc1
4.0-rc2
4.0-rc3
4.0-rc4
4.0
4.0.1
4.1
4.1.1
4.2
4.3
4.3.1
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.11.1
4.11.2
4.12
4.13
4.13.1
4.14
4.15
4.15.1
4.16
4.16.1
4.16.2
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.26.1
4.27
4.27.1
4.28
4.29
4.30
4.31.1
4.32
4.33
4.34
4.34.1
4.34.2
4.35
4.36
4.36.1
4.37
4.37.1
4.38