Invalid Elliptic Curve Attack Affecting com.nimbusds:nimbus-jose-jwt package, versions [,4.36)

Attack Complexity

Low
Confidentiality

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-JAVA-COMNIMBUSDS-31558
published

5 Nov 2017
disclosed

12 Apr 2017
credit

Unkown

Report a new vulnerability Found a mistake?

Introduced: 12 Apr 2017

CVE-2017-12974 Open this link in a new tab CWE-310 Open this link in a new tab

How to fix?

Upgrade com.nimbusds:nimbus-jose-jwt to version 4.36 or higher.

Overview

com.nimbusds:nimbus-jose-jwt is a Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT).

Affected versions of the package are vulnerable to an Invalid Elliptic Curve Attack.

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

Invalid Elliptic Curve Attack Affecting com.nimbusds:nimbus-jose-jwt package, versions [,4.36)

Attack Complexity

Confidentiality

snyk-id

published

disclosed

credit

Introduced: 12 Apr 2017

How to fix?

Overview

References