Homepage
About Snyk

Invalid Elliptic Curve Attack Affecting com.nimbusds:nimbus-jose-jwt package, versions [,4.36)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.18% (57th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-COMNIMBUSDS-31558
  • published 5 Nov 2017
  • disclosed 12 Apr 2017
  • credit Unkown
Report a new vulnerability Found a mistake?

Introduced: 12 Apr 2017

CVE-2017-12974 Open this link in a new tab
CWE-310 Open this link in a new tab

How to fix?

Upgrade com.nimbusds:nimbus-jose-jwt to version 4.36 or higher.

Overview

com.nimbusds:nimbus-jose-jwt is a Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT).

Affected versions of the package are vulnerable to an Invalid Elliptic Curve Attack.

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None