GHSA-pfv2-37f7-9m6w
Suggest an improvement- Source
- https://github.com/advisories/GHSA-pfv2-37f7-9m6w
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-pfv2-37f7-9m6w/GHSA-pfv2-37f7-9m6w.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-pfv2-37f7-9m6w
- Aliases
- Published
- 2022-05-13T01:30:32Z
- Modified
- 2023-11-08T03:58:54.822926Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Improper Verification of Cryptographic Signature in Nimbus JOSE+JWT
- Details
-
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
- Database specific
{ "nvd_published_at": "2017-08-20T16:29:00Z", "github_reviewed_at": "2022-07-01T20:20:30Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-347" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-12974
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
- https://github.com/felx/nimbus-jose-jwt
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E
Affected packages
Maven / com.nimbusds:nimbus-jose-jwt
Package
- Name
- com.nimbusds:nimbus-jose-jwt
- View open source insights on deps.dev
- Purl
- pkg:maven/com.nimbusds/nimbus-jose-jwt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.36
Affected versions
2.*
2.9
2.10
2.10.1
2.11.0
2.12.0
2.13.0
2.13.1
2.14.0
2.15.0
2.15.1
2.15.2
2.16
2.17
2.17.1
2.17.2
2.18
2.18.1
2.18.2
2.19
2.19.1
2.20
2.21
2.22
2.22.1
2.23
2.24
2.25
2.26
2.26.1
3.*
3.0
3.1
3.1.1
3.1.2
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.6
3.7
3.8
3.8.1
3.8.2
3.9
3.9.1
3.9.2
3.10
4.*
4.0-rc1
4.0-rc2
4.0-rc3
4.0-rc4
4.0
4.0.1
4.1
4.1.1
4.2
4.3
4.3.1
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.11.1
4.11.2
4.12
4.13
4.13.1
4.14
4.15
4.15.1
4.16
4.16.1
4.16.2
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.26.1
4.27
4.27.1
4.28
4.29
4.30
4.31.1
4.32
4.33
4.34
4.34.1
4.34.2
4.35