Lucene search

[email protected]CVE-2017-12972

HistoryAug 20, 2017 - 4:29 p.m.

CVE-2017-12972

2017-08-2016:29:00

CWE-345

[email protected]

web.nvd.nist.gov

cve-2017-12972

nimbus jose+jwt

integer-overflow

hmac bypass attacks

information security

nvd

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.6%

JSON

In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

Affected configurations

NVD

Node

connect2idnimbus_jose\+jwtMatch1.0

connect2idnimbus_jose\+jwtMatch1.1

connect2idnimbus_jose\+jwtMatch1.2

connect2idnimbus_jose\+jwtMatch1.3

connect2idnimbus_jose\+jwtMatch1.4

connect2idnimbus_jose\+jwtMatch1.5

connect2idnimbus_jose\+jwtMatch1.6

connect2idnimbus_jose\+jwtMatch1.7

connect2idnimbus_jose\+jwtMatch1.8

connect2idnimbus_jose\+jwtMatch1.9

connect2idnimbus_jose\+jwtMatch1.9.1

connect2idnimbus_jose\+jwtMatch1.10

connect2idnimbus_jose\+jwtMatch1.11

connect2idnimbus_jose\+jwtMatch1.12

connect2idnimbus_jose\+jwtMatch2.0

connect2idnimbus_jose\+jwtMatch2.0.1

connect2idnimbus_jose\+jwtMatch2.1

connect2idnimbus_jose\+jwtMatch2.1.1

connect2idnimbus_jose\+jwtMatch2.2

connect2idnimbus_jose\+jwtMatch2.3

connect2idnimbus_jose\+jwtMatch2.4

connect2idnimbus_jose\+jwtMatch2.5

connect2idnimbus_jose\+jwtMatch2.6

connect2idnimbus_jose\+jwtMatch2.7

connect2idnimbus_jose\+jwtMatch2.8

connect2idnimbus_jose\+jwtMatch2.9

connect2idnimbus_jose\+jwtMatch2.10

connect2idnimbus_jose\+jwtMatch2.10.1

connect2idnimbus_jose\+jwtMatch2.11.0

connect2idnimbus_jose\+jwtMatch2.12.0

connect2idnimbus_jose\+jwtMatch2.13.0

connect2idnimbus_jose\+jwtMatch2.13.1

connect2idnimbus_jose\+jwtMatch2.14

connect2idnimbus_jose\+jwtMatch2.15

connect2idnimbus_jose\+jwtMatch2.15.1

connect2idnimbus_jose\+jwtMatch2.15.2

connect2idnimbus_jose\+jwtMatch2.16

connect2idnimbus_jose\+jwtMatch2.17

connect2idnimbus_jose\+jwtMatch2.17.1

connect2idnimbus_jose\+jwtMatch2.17.2

connect2idnimbus_jose\+jwtMatch2.18

connect2idnimbus_jose\+jwtMatch2.18.1

connect2idnimbus_jose\+jwtMatch2.18.2

connect2idnimbus_jose\+jwtMatch2.19

connect2idnimbus_jose\+jwtMatch2.19.1

connect2idnimbus_jose\+jwtMatch2.20

connect2idnimbus_jose\+jwtMatch2.21

connect2idnimbus_jose\+jwtMatch2.22

connect2idnimbus_jose\+jwtMatch2.22.1

connect2idnimbus_jose\+jwtMatch2.23

connect2idnimbus_jose\+jwtMatch2.24

connect2idnimbus_jose\+jwtMatch2.25

connect2idnimbus_jose\+jwtMatch2.26

connect2idnimbus_jose\+jwtMatch2.26.1

connect2idnimbus_jose\+jwtMatch3.0

connect2idnimbus_jose\+jwtMatch3.1

connect2idnimbus_jose\+jwtMatch3.1.1

connect2idnimbus_jose\+jwtMatch3.1.2

connect2idnimbus_jose\+jwtMatch3.2

connect2idnimbus_jose\+jwtMatch3.2.1

connect2idnimbus_jose\+jwtMatch3.2.2

connect2idnimbus_jose\+jwtMatch3.3

connect2idnimbus_jose\+jwtMatch3.4

connect2idnimbus_jose\+jwtMatch3.5

connect2idnimbus_jose\+jwtMatch3.6

connect2idnimbus_jose\+jwtMatch3.7

connect2idnimbus_jose\+jwtMatch3.8

connect2idnimbus_jose\+jwtMatch3.8.1

connect2idnimbus_jose\+jwtMatch3.8.2

connect2idnimbus_jose\+jwtMatch3.9

connect2idnimbus_jose\+jwtMatch3.9.1

connect2idnimbus_jose\+jwtMatch3.9.2

connect2idnimbus_jose\+jwtMatch3.10

connect2idnimbus_jose\+jwtMatch4.0

connect2idnimbus_jose\+jwtMatch4.0.1

connect2idnimbus_jose\+jwtMatch4.1

connect2idnimbus_jose\+jwtMatch4.1.1

connect2idnimbus_jose\+jwtMatch4.2

connect2idnimbus_jose\+jwtMatch4.3

connect2idnimbus_jose\+jwtMatch4.3.1

connect2idnimbus_jose\+jwtMatch4.4

connect2idnimbus_jose\+jwtMatch4.5

connect2idnimbus_jose\+jwtMatch4.6

connect2idnimbus_jose\+jwtMatch4.7

connect2idnimbus_jose\+jwtMatch4.8

connect2idnimbus_jose\+jwtMatch4.9

connect2idnimbus_jose\+jwtMatch4.10

connect2idnimbus_jose\+jwtMatch4.11

connect2idnimbus_jose\+jwtMatch4.11.1

connect2idnimbus_jose\+jwtMatch4.11.2

connect2idnimbus_jose\+jwtMatch4.12

connect2idnimbus_jose\+jwtMatch4.13

connect2idnimbus_jose\+jwtMatch4.13.1

connect2idnimbus_jose\+jwtMatch4.14

connect2idnimbus_jose\+jwtMatch4.15

connect2idnimbus_jose\+jwtMatch4.15.1

connect2idnimbus_jose\+jwtMatch4.16

connect2idnimbus_jose\+jwtMatch4.16.1

connect2idnimbus_jose\+jwtMatch4.16.2

connect2idnimbus_jose\+jwtMatch4.17

connect2idnimbus_jose\+jwtMatch4.18

connect2idnimbus_jose\+jwtMatch4.19

connect2idnimbus_jose\+jwtMatch4.20

connect2idnimbus_jose\+jwtMatch4.21

connect2idnimbus_jose\+jwtMatch4.22

connect2idnimbus_jose\+jwtMatch4.23

connect2idnimbus_jose\+jwtMatch4.24

connect2idnimbus_jose\+jwtMatch4.25

connect2idnimbus_jose\+jwtMatch4.26

connect2idnimbus_jose\+jwtMatch4.26.1

connect2idnimbus_jose\+jwtMatch4.27

connect2idnimbus_jose\+jwtMatch4.27.1

connect2idnimbus_jose\+jwtMatch4.28

connect2idnimbus_jose\+jwtMatch4.29

connect2idnimbus_jose\+jwtMatch4.30

connect2idnimbus_jose\+jwtMatch4.31

connect2idnimbus_jose\+jwtMatch4.31.1

connect2idnimbus_jose\+jwtMatch4.32

connect2idnimbus_jose\+jwtMatch4.33

connect2idnimbus_jose\+jwtMatch4.34

connect2idnimbus_jose\+jwtMatch4.34.1

connect2idnimbus_jose\+jwtMatch4.34.2

connect2idnimbus_jose\+jwtMatch4.35

connect2idnimbus_jose\+jwtMatch4.36.1

connect2idnimbus_jose\+jwtMatch4.37

connect2idnimbus_jose\+jwtMatch4.37.1

connect2idnimbus_jose\+jwtMatch4.38

CPENameOperatorVersion
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.0
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.1
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.2
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.3
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.4
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.5
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.6
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.7
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.8
connect2id:nimbus_jose\+jwtconnect2id nimbus jose+jwteq1.9

CPE	Name	Operator	Version
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.0
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.1
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.2
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.3
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.4
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.5
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.6
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.7
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.8
connect2id:nimbus_jose\+jwt	connect2id nimbus jose+jwt	eq	1.9

Rows per page:

1-10 of 1271

References

bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c

bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc

bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt

lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.4 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.6%

JSON

Related for CVE-2017-12972

veracode1 osv2 github1 prion1 cvelist1 nvd1 ibm8