nimbus-jose-jwt is vulnerable to padding oracle attacks: it does not handle an invalid HMAC correctly during authenticated AES-CBC decryption.
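The behaviour named by the linked issue, "return immediately on invalid HMAC", shown as an added Java example (not nimbus-jose-jwt's own code): an AES-128-CBC plus HMAC-SHA-256 composite in the A128CBC-HS256 layout from the JWA specification, where the tag is checked in constant time and CBC decryption and unpadding are never reached for a ciphertext that fails the check. The class name, the fixed 16-byte key halves and tag length, and the sample key, IV and header are assumptions constructed for this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Assumed A128CBC-HS256 layout: key = macKey(16) || encKey(16);
// tag = first 16 bytes of HMAC-SHA-256 over aad || iv || ct || AL (AL = AAD bit length, 64-bit big-endian).
public final class AesCbcHmacDecrypt {
    static final int MAC_KEY_LEN = 16, TAG_LEN = 16;

    static byte[] tag(byte[] macKey, byte[] aad, byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(aad); mac.update(iv); mac.update(ct);
        mac.update(ByteBuffer.allocate(8).putLong((long) aad.length * 8).array()); // AL field
        return Arrays.copyOf(mac.doFinal(), TAG_LEN);
    }

    static byte[] decrypt(byte[] key, byte[] aad, byte[] iv, byte[] ct, byte[] tag)
            throws GeneralSecurityException {
        byte[] macKey = Arrays.copyOfRange(key, 0, MAC_KEY_LEN);
        byte[] encKey = Arrays.copyOfRange(key, MAC_KEY_LEN, key.length);
        // Constant-time compare, then return immediately on mismatch. Checking the tag but still
        // running decryption and PKCS#7 unpadding before rejecting would let a padding error be
        // observed separately from the HMAC failure, which is the padding oracle.
        if (!MessageDigest.isEqual(tag(macKey, aad, iv, ct), tag)) {
            throw new GeneralSecurityException("invalid HMAC");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return cipher.doFinal(ct); // only an authenticated ciphertext gets here
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] key = new byte[32], iv = new byte[16];            // constructed sample values only
        for (int i = 0; i < key.length; i++) key[i] = (byte) i;
        byte[] aad = "eyJhbGciOiJkaXIifQ".getBytes(StandardCharsets.US_ASCII); // constructed JWE header
        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(Arrays.copyOfRange(key, 16, 32), "AES"),
                 new IvParameterSpec(iv));
        byte[] ct = enc.doFinal("hello".getBytes(StandardCharsets.UTF_8));
        byte[] t = tag(Arrays.copyOfRange(key, 0, 16), aad, iv, ct);
        System.out.println(new String(decrypt(key, aad, iv, ct, t), StandardCharsets.UTF_8));
        ct[ct.length - 1] ^= 1;                                  // tamper with one ciphertext byte
        try { decrypt(key, aad, iv, ct, t); }
        catch (GeneralSecurityException e) { System.out.println(e.getMessage()); } // "invalid HMAC"
    }
}
```

Whatever byte of the ciphertext is altered, the caller sees only the HMAC failure, never a padding exception, so responses carry no information about the padding of the forged block.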
CPE name | Operator | Version |
---|---|---|
nimbus jose+jwt | eq | 4.16 |
nimbus jose+jwt | le | 4.38 |
nimbus jose+jwt | le | 4.14 |
nimbus jose+jwt | le | 2.22.1 |
bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912
bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac
bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt