CVE-2017-12974

Affected configuration(s):

cpe:/a:connect2id:nimbus_jose%2bjwt:1.0
cpe:/a:connect2id:nimbus_jose%2bjwt:1.1
cpe:/a:connect2id:nimbus_jose%2bjwt:1.2
cpe:/a:connect2id:nimbus_jose%2bjwt:1.3
cpe:/a:connect2id:nimbus_jose%2bjwt:1.4
cpe:/a:connect2id:nimbus_jose%2bjwt:1.5
cpe:/a:connect2id:nimbus_jose%2bjwt:1.6
cpe:/a:connect2id:nimbus_jose%2bjwt:1.7
cpe:/a:connect2id:nimbus_jose%2bjwt:1.8
cpe:/a:connect2id:nimbus_jose%2bjwt:1.9
cpe:/a:connect2id:nimbus_jose%2bjwt:1.9.1
cpe:/a:connect2id:nimbus_jose%2bjwt:1.10
cpe:/a:connect2id:nimbus_jose%2bjwt:1.11
cpe:/a:connect2id:nimbus_jose%2bjwt:1.12
cpe:/a:connect2id:nimbus_jose%2bjwt:2.0
cpe:/a:connect2id:nimbus_jose%2bjwt:2.0.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.1.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.2
cpe:/a:connect2id:nimbus_jose%2bjwt:2.3
cpe:/a:connect2id:nimbus_jose%2bjwt:2.4
cpe:/a:connect2id:nimbus_jose%2bjwt:2.5
cpe:/a:connect2id:nimbus_jose%2bjwt:2.6
cpe:/a:connect2id:nimbus_jose%2bjwt:2.7
cpe:/a:connect2id:nimbus_jose%2bjwt:2.8
cpe:/a:connect2id:nimbus_jose%2bjwt:2.9
cpe:/a:connect2id:nimbus_jose%2bjwt:2.10
cpe:/a:connect2id:nimbus_jose%2bjwt:2.10.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.11.0
cpe:/a:connect2id:nimbus_jose%2bjwt:2.12.0
cpe:/a:connect2id:nimbus_jose%2bjwt:2.13.0
cpe:/a:connect2id:nimbus_jose%2bjwt:2.13.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.14
cpe:/a:connect2id:nimbus_jose%2bjwt:2.15
cpe:/a:connect2id:nimbus_jose%2bjwt:2.15.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.15.2
cpe:/a:connect2id:nimbus_jose%2bjwt:2.16
cpe:/a:connect2id:nimbus_jose%2bjwt:2.17
cpe:/a:connect2id:nimbus_jose%2bjwt:2.17.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.17.2
cpe:/a:connect2id:nimbus_jose%2bjwt:2.18
cpe:/a:connect2id:nimbus_jose%2bjwt:2.18.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.18.2
cpe:/a:connect2id:nimbus_jose%2bjwt:2.19
cpe:/a:connect2id:nimbus_jose%2bjwt:2.19.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.20
cpe:/a:connect2id:nimbus_jose%2bjwt:2.21
cpe:/a:connect2id:nimbus_jose%2bjwt:2.22
cpe:/a:connect2id:nimbus_jose%2bjwt:2.22.1
cpe:/a:connect2id:nimbus_jose%2bjwt:2.23
cpe:/a:connect2id:nimbus_jose%2bjwt:2.24
cpe:/a:connect2id:nimbus_jose%2bjwt:2.25
cpe:/a:connect2id:nimbus_jose%2bjwt:2.26
cpe:/a:connect2id:nimbus_jose%2bjwt:2.26.1
cpe:/a:connect2id:nimbus_jose%2bjwt:3.0
cpe:/a:connect2id:nimbus_jose%2bjwt:3.1
cpe:/a:connect2id:nimbus_jose%2bjwt:3.1.1
cpe:/a:connect2id:nimbus_jose%2bjwt:3.1.2
cpe:/a:connect2id:nimbus_jose%2bjwt:3.2
cpe:/a:connect2id:nimbus_jose%2bjwt:3.2.1
cpe:/a:connect2id:nimbus_jose%2bjwt:3.2.2
cpe:/a:connect2id:nimbus_jose%2bjwt:3.3
cpe:/a:connect2id:nimbus_jose%2bjwt:3.4
cpe:/a:connect2id:nimbus_jose%2bjwt:3.5
cpe:/a:connect2id:nimbus_jose%2bjwt:3.6
cpe:/a:connect2id:nimbus_jose%2bjwt:3.7
cpe:/a:connect2id:nimbus_jose%2bjwt:3.8
cpe:/a:connect2id:nimbus_jose%2bjwt:3.8.1
cpe:/a:connect2id:nimbus_jose%2bjwt:3.8.2
cpe:/a:connect2id:nimbus_jose%2bjwt:3.9
cpe:/a:connect2id:nimbus_jose%2bjwt:3.9.1
cpe:/a:connect2id:nimbus_jose%2bjwt:3.9.2
cpe:/a:connect2id:nimbus_jose%2bjwt:3.10
cpe:/a:connect2id:nimbus_jose%2bjwt:4.0
cpe:/a:connect2id:nimbus_jose%2bjwt:4.0.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.1.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.2
cpe:/a:connect2id:nimbus_jose%2bjwt:4.3
cpe:/a:connect2id:nimbus_jose%2bjwt:4.3.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.4
cpe:/a:connect2id:nimbus_jose%2bjwt:4.5
cpe:/a:connect2id:nimbus_jose%2bjwt:4.6
cpe:/a:connect2id:nimbus_jose%2bjwt:4.7
cpe:/a:connect2id:nimbus_jose%2bjwt:4.8
cpe:/a:connect2id:nimbus_jose%2bjwt:4.9
cpe:/a:connect2id:nimbus_jose%2bjwt:4.10
cpe:/a:connect2id:nimbus_jose%2bjwt:4.11
cpe:/a:connect2id:nimbus_jose%2bjwt:4.11.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.11.2
cpe:/a:connect2id:nimbus_jose%2bjwt:4.12
cpe:/a:connect2id:nimbus_jose%2bjwt:4.13
cpe:/a:connect2id:nimbus_jose%2bjwt:4.13.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.14
cpe:/a:connect2id:nimbus_jose%2bjwt:4.15
cpe:/a:connect2id:nimbus_jose%2bjwt:4.15.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.16
cpe:/a:connect2id:nimbus_jose%2bjwt:4.16.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.16.2
cpe:/a:connect2id:nimbus_jose%2bjwt:4.17
cpe:/a:connect2id:nimbus_jose%2bjwt:4.18
cpe:/a:connect2id:nimbus_jose%2bjwt:4.19
cpe:/a:connect2id:nimbus_jose%2bjwt:4.20
cpe:/a:connect2id:nimbus_jose%2bjwt:4.21
cpe:/a:connect2id:nimbus_jose%2bjwt:4.22
cpe:/a:connect2id:nimbus_jose%2bjwt:4.23
cpe:/a:connect2id:nimbus_jose%2bjwt:4.24
cpe:/a:connect2id:nimbus_jose%2bjwt:4.25
cpe:/a:connect2id:nimbus_jose%2bjwt:4.26
cpe:/a:connect2id:nimbus_jose%2bjwt:4.26.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.27
cpe:/a:connect2id:nimbus_jose%2bjwt:4.27.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.28
cpe:/a:connect2id:nimbus_jose%2bjwt:4.29
cpe:/a:connect2id:nimbus_jose%2bjwt:4.30
cpe:/a:connect2id:nimbus_jose%2bjwt:4.31
cpe:/a:connect2id:nimbus_jose%2bjwt:4.31.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.32
cpe:/a:connect2id:nimbus_jose%2bjwt:4.33
cpe:/a:connect2id:nimbus_jose%2bjwt:4.34
cpe:/a:connect2id:nimbus_jose%2bjwt:4.34.1
cpe:/a:connect2id:nimbus_jose%2bjwt:4.34.2
cpe:/a:connect2id:nimbus_jose%2bjwt:4.35

Date published: 2017-08-20T12:29:00.313-04:00

Date last modified: 2017-09-01T13:31:43.360-04:00

CVSS Score: 5.0

Principal attack vector: NETWORK

Complexity: LOW

Reference URL: https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f

Summary: Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
