Lucene search
GoogleOSV:CVE-2017-12972HistoryAug 20, 2017 - 4:29 p.m.
CVE-2017-12972
2017-08-2016:29:00
Google
osv.dev
4
In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
References
bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c
bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc
bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
Related
veracode
veracode
Authentication Bypass
2017-08-21 01:57:01
cve
cve
CVE-2017-12972
2017-08-20 16:29:00
osv
osv
Nimbus JOSE+JWT missing overflow check
2022-05-13 01:30:32
github
github
Nimbus JOSE+JWT missing overflow check
2022-05-13 01:30:32
prion
prion
Integer overflow
2017-08-20 16:29:00
nvd
nvd
CVE-2017-12972
2017-08-20 16:29:00
cvelist
cvelist
CVE-2017-12972
2017-08-20 16:00:00
