Multiple vulnerabilities exist in the Nimbus-JOSE-JWT used by IBM Spectrum Symphony V7.3 and V7.2.1. Interim fixes that provide instructions on upgrading the nimbus-jose-jwt package to version 8.10 are available on IBM Fix Central.
CVEID:CVE-2017-12974
**DESCRIPTION:**Connect2id Nimbus JOSE+JWT could provide weaker than expected security, caused by proceeding with ECKey construction without ensuring that the public x and y coordinates are on the specified curve. A remote attacker could exploit this vulnerability to conduct an Invalid Curve Attack.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/130788 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2017-12972
**DESCRIPTION:**Connect2id Nimbus JOSE+JWT could provide weaker than expected security, caused by the lack of integer-overflow check when converting length values from bytes to bits. A remote attacker could exploit this vulnerability to conduct a HMAC bypass attack.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/130790 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2017-16007
**DESCRIPTION:**Node.js node-jose module could allow a remote attacker to obtain sensitive information, caused by a flaw when JWE with Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static (ECDH-ES) is used. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to recover the private secret key.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148284 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM Spectrum Symphony | 7.3 |
IBM Spectrum Symphony | 7.2.1 |
IBM Spectrum Symphony 7.3 | sym-7.3-build544084 |
---|---|
IBM Spectrum Symphony 7.2.1 | sym-7.2.1-build544081 |
None
CPE | Name | Operator | Version |
---|---|---|---|
platform symphony | eq | 7.3 | |
platform symphony | eq | 7.2.1 |