GHSA-jfmq-4g4m-99rh

Source

https://github.com/advisories/GHSA-jfmq-4g4m-99rh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jfmq-4g4m-99rh/GHSA-jfmq-4g4m-99rh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jfmq-4g4m-99rh

Aliases

CVE-2017-12973

Published

2022-05-13T01:42:51Z

Modified

2023-11-08T03:58:54.759362Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Nimbus JOSE+JWT vulnerable to padding oracle attack

Details

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

Database specific

{
    "nvd_published_at": "2017-08-20T16:29:00Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-08T23:03:33Z"
}

References

Affected packages

Maven / com.nimbusds:nimbus-jose-jwt

Package

Name: com.nimbusds:nimbus-jose-jwt; View open source insights on deps.dev
Purl: pkg:maven/com.nimbusds/nimbus-jose-jwt

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.39

Affected versions

2.*

2.9

2.10

2.10.1

2.11.0

2.12.0

2.13.0

2.13.1

2.14.0

2.15.0

2.15.1

2.15.2

2.16

2.17

2.17.1

2.17.2

2.18

2.18.1

2.18.2

2.19

2.19.1

2.20

2.21

2.22

2.22.1

2.23

2.24

2.25

2.26

2.26.1

3.*

3.0

3.1

3.1.1

3.1.2

3.2

3.2.1

3.2.2

3.3

3.4

3.5

3.6

3.7

3.8

3.8.1

3.8.2

3.9

3.9.1

3.9.2

3.10

4.*

4.0-rc1

4.0-rc2

4.0-rc3

4.0-rc4

4.0

4.0.1

4.1

4.1.1

4.2

4.3

4.3.1

4.4

4.5

4.6

4.7

4.8

4.9

4.10

4.11

4.11.1

4.11.2

4.12

4.13

4.13.1

4.14

4.15

4.15.1

4.16

4.16.1

4.16.2

4.17

4.18

4.19

4.20

4.21

4.22

4.23

4.24

4.25

4.26

4.26.1

4.27

4.27.1

4.28

4.29

4.30

4.31.1

4.32

4.33

4.34

4.34.1

4.34.2

4.35

4.36

4.36.1

4.37

4.37.1

4.38