MidnightBSD

Advisories for connect2id

CVE-2017-12972 MEDIUM

In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
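
The shift the advisory describes, as an added example that is not code from this page or from Nimbus JOSE+JWT. It models the AL field of AES_CBC_HMAC_SHA2 two ways: with the byte-to-bit multiplication wrapping in a signed 32-bit integer (an assumption about how the flawed code behaved, modelled as a Java int wrap followed by sign extension into the 64-bit field) and with an explicit range check. Moving 2^29 bytes from the AAD into the ciphertext leaves the wrapped AL, and so the HMAC, unchanged. To keep the run small the overflow width is a parameter: demo() uses a 12-bit width so the colliding shift is 512 bytes instead of 512 MiB, while the real 32-bit arithmetic is checked on lengths alone. Keys, AAD and ciphertext bytes are constructed.

```python
import hashlib
import hmac
import struct

# AES_CBC_HMAC_SHA2 (RFC 7518 section 5.2.2.1) authenticates
#     AAD || IV || ciphertext || AL
# where AL is the bit length of AAD as a 64-bit big-endian integer.  Only the AL
# computation and the HMAC are modelled here; that is all the shift needs.


def al_checked(aad_len):
    """Bit length computed in unbounded integers with an explicit range check."""
    bits = aad_len * 8
    if bits >= 1 << 64:
        raise ValueError("AAD too long to encode in the 64-bit AL field")
    return struct.pack(">Q", bits)


def al_wrapping(aad_len, width=32):
    """Bit length computed as the flawed code is assumed to have done it: the
    multiplication wraps in a signed `width`-bit integer (width=32 models a
    Java int) and the wrapped value is sign-extended into the 64-bit field."""
    m = 1 << width
    bits = (aad_len * 8) % m
    if bits >= m // 2:
        bits -= m
    return struct.pack(">q", bits)


def tag(mac_key, aad, iv, ct, al):
    """A128CBC-HS256 tag: HMAC-SHA-256 over AAD||IV||C||AL, first 16 bytes."""
    return hmac.new(mac_key, aad + iv + ct + al, hashlib.sha256).digest()[:16]


def shift_boundary(aad, iv, ct, shift):
    """Attacker transform: move the last `shift` bytes of AAD to the front of
    IV||ciphertext.  The byte string AAD||IV||C is unchanged; only the place
    where the receiver splits it has moved (shift must be a multiple of 16)."""
    tail = aad[-shift:] + iv + ct
    return aad[:-shift], tail[:16], tail[16:]


def collision_shift(width=32):
    """AAD lengths differing by 2**(width-3) bytes wrap to the same AL, since
    8 * 2**(width-3) == 2**width == 0 (mod 2**width).  For a 32-bit int that is
    2**29 bytes (512 MiB) of AAD."""
    return 1 << (width - 3)


def demo(width=12):
    """Runs the shift on small inputs by shrinking the overflow width, so the
    colliding shift is 512 bytes instead of 512 MiB.  Reports whether each AL
    computation lets the shifted message carry the original tag."""
    mac_key = b"\x11" * 16                      # constructed MAC key
    aad = bytes(range(256)) * 3                 # 768 bytes of constructed AAD
    iv = b"\x22" * 16
    ct = b"\x33" * 48                           # three constructed ciphertext blocks
    shift = collision_shift(width)
    aad2, iv2, ct2 = shift_boundary(aad, iv, ct, shift)

    t_orig = tag(mac_key, aad, iv, ct, al_wrapping(len(aad), width))
    t_shifted = tag(mac_key, aad2, iv2, ct2, al_wrapping(len(aad2), width))
    c_orig = tag(mac_key, aad, iv, ct, al_checked(len(aad)))
    c_shifted = tag(mac_key, aad2, iv2, ct2, al_checked(len(aad2)))

    return {
        "wrapping_accepts_shift": hmac.compare_digest(t_orig, t_shifted),
        "checked_accepts_shift": hmac.compare_digest(c_orig, c_shifted),
        # The block preceding the original first ciphertext block is still the
        # old IV, so CBC yields the original plaintext behind `shift` bytes of
        # garbage (the former AAD tail and the old IV decrypted as ciphertext);
        # the final block, and so the padding, is untouched.
        "extra_plaintext_bytes": len(ct2) - len(ct),
    }


if __name__ == "__main__":
    print(demo())
    # the real 32-bit collision, checked on lengths alone (no 512 MiB buffer)
    print(al_wrapping(2**29 + 64) == al_wrapping(64), al_checked(2**29 + 64) == al_checked(64))
```

The fix is the one al_checked shows: compute the bit length in an integer wide enough for the result and reject anything the 64-bit AL field cannot hold, before the value ever reaches the MAC.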

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-345 (Insufficient Verification of Data Authenticity)

Products Affected

Vendor Product Version
connect2id nimbus_jose+jwt 2.16
connect2id nimbus_jose+jwt 2.17
connect2id nimbus_jose+jwt 4.27
connect2id nimbus_jose+jwt 4.30
connect2id nimbus_jose+jwt 4.25
connect2id nimbus_jose+jwt 4.23
connect2id nimbus_jose+jwt 2.20
connect2id nimbus_jose+jwt 2.8
connect2id nimbus_jose+jwt 1.12
connect2id nimbus_jose+jwt 2.22
connect2id nimbus_jose+jwt 4.15.1
connect2id nimbus_jose+jwt 2.15.1
connect2id nimbus_jose+jwt 4.3.1
connect2id nimbus_jose+jwt 1.5
connect2id nimbus_jose+jwt 3.0
connect2id nimbus_jose+jwt 4.18
connect2id nimbus_jose+jwt 2.13.1
connect2id nimbus_jose+jwt 3.9.1
connect2id nimbus_jose+jwt 2.13.0
connect2id nimbus_jose+jwt 2.22.1
connect2id nimbus_jose+jwt 1.2
connect2id nimbus_jose+jwt 2.11.0
connect2id nimbus_jose+jwt 4.37.1
connect2id nimbus_jose+jwt 3.10
connect2id nimbus_jose+jwt 2.12.0
connect2id nimbus_jose+jwt 3.1.2
connect2id nimbus_jose+jwt 3.3
connect2id nimbus_jose+jwt 4.10
connect2id nimbus_jose+jwt 2.25
connect2id nimbus_jose+jwt 2.10
connect2id nimbus_jose+jwt 4.26.1
connect2id nimbus_jose+jwt 4.7
connect2id nimbus_jose+jwt 4.12
connect2id nimbus_jose+jwt 4.19
connect2id nimbus_jose+jwt 1.4
connect2id nimbus_jose+jwt 2.18
connect2id nimbus_jose+jwt 2.24
connect2id nimbus_jose+jwt 2.4
connect2id nimbus_jose+jwt 4.32
connect2id nimbus_jose+jwt 3.2.2
connect2id nimbus_jose+jwt 3.9.2
connect2id nimbus_jose+jwt 4.11.1
connect2id nimbus_jose+jwt 2.0
connect2id nimbus_jose+jwt 4.22
connect2id nimbus_jose+jwt 4.11
connect2id nimbus_jose+jwt 1.8
connect2id nimbus_jose+jwt 4.6
connect2id nimbus_jose+jwt 1.9
connect2id nimbus_jose+jwt 4.20
connect2id nimbus_jose+jwt 3.8.2
connect2id nimbus_jose+jwt 4.1
connect2id nimbus_jose+jwt 4.21
connect2id nimbus_jose+jwt 4.0
connect2id nimbus_jose+jwt 4.33
connect2id nimbus_jose+jwt 4.2
connect2id nimbus_jose+jwt 2.18.1
connect2id nimbus_jose+jwt 2.14
connect2id nimbus_jose+jwt 4.4
connect2id nimbus_jose+jwt 4.37
connect2id nimbus_jose+jwt 1.1
connect2id nimbus_jose+jwt 4.34.1
connect2id nimbus_jose+jwt 3.5
connect2id nimbus_jose+jwt 3.2.1
connect2id nimbus_jose+jwt 2.7
connect2id nimbus_jose+jwt 2.26.1
connect2id nimbus_jose+jwt 4.0.1
connect2id nimbus_jose+jwt 4.38
connect2id nimbus_jose+jwt 4.16.1
connect2id nimbus_jose+jwt 2.5
connect2id nimbus_jose+jwt 4.15
connect2id nimbus_jose+jwt 4.28
connect2id nimbus_jose+jwt 4.36.1
connect2id nimbus_jose+jwt 1.7
connect2id nimbus_jose+jwt 4.13
connect2id nimbus_jose+jwt 4.31
connect2id nimbus_jose+jwt 2.10.1
connect2id nimbus_jose+jwt 3.7
connect2id nimbus_jose+jwt 4.31.1
connect2id nimbus_jose+jwt 4.14
connect2id nimbus_jose+jwt 4.8
connect2id nimbus_jose+jwt 4.13.1
connect2id nimbus_jose+jwt 2.1.1
connect2id nimbus_jose+jwt 1.9.1
connect2id nimbus_jose+jwt 2.6
connect2id nimbus_jose+jwt 3.2
connect2id nimbus_jose+jwt 3.6
connect2id nimbus_jose+jwt 2.19.1
connect2id nimbus_jose+jwt 2.21
connect2id nimbus_jose+jwt 4.16.2
connect2id nimbus_jose+jwt 2.0.1
connect2id nimbus_jose+jwt 2.23
connect2id nimbus_jose+jwt 4.24
connect2id nimbus_jose+jwt 1.11
connect2id nimbus_jose+jwt 4.3
connect2id nimbus_jose+jwt 4.9
connect2id nimbus_jose+jwt 2.1
connect2id nimbus_jose+jwt 4.11.2
connect2id nimbus_jose+jwt 3.9
connect2id nimbus_jose+jwt 3.1
connect2id nimbus_jose+jwt 3.8
connect2id nimbus_jose+jwt 4.34
connect2id nimbus_jose+jwt 2.15
connect2id nimbus_jose+jwt 2.18.2
connect2id nimbus_jose+jwt 2.19
connect2id nimbus_jose+jwt 3.4
connect2id nimbus_jose+jwt 4.1.1
connect2id nimbus_jose+jwt 2.17.1
connect2id nimbus_jose+jwt 4.27.1
connect2id nimbus_jose+jwt 4.34.2
connect2id nimbus_jose+jwt 4.5
connect2id nimbus_jose+jwt 1.3
connect2id nimbus_jose+jwt 3.1.1
connect2id nimbus_jose+jwt 2.2
connect2id nimbus_jose+jwt 2.26
connect2id nimbus_jose+jwt 4.29
connect2id nimbus_jose+jwt 1.6
connect2id nimbus_jose+jwt 2.9
connect2id nimbus_jose+jwt 4.16
connect2id nimbus_jose+jwt 4.35
connect2id nimbus_jose+jwt 4.26
connect2id nimbus_jose+jwt 3.8.1
connect2id nimbus_jose+jwt 1.0
connect2id nimbus_jose+jwt 4.17
connect2id nimbus_jose+jwt 1.10
connect2id nimbus_jose+jwt 2.17.2
connect2id nimbus_jose+jwt 2.15.2
connect2id nimbus_jose+jwt 2.3
CVE-2017-12973 MEDIUM

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
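
An added example, not the library's code, of why proceeding after a failed tag check creates a padding oracle. It models AES_CBC_HMAC_SHA2 decryption with a toy Feistel cipher in place of AES so it runs on the standard library alone. decrypt_vulnerable is an assumed model of the behaviour the advisory describes (tag mismatch noticed, decryption and unpadding still run, different errors for the two failures); decrypt_fixed verifies first and fails closed. recover_last_byte performs one step of the classic CBC padding-oracle attack against each and recovers the final plaintext byte only from the vulnerable one. Keys, header bytes and plaintext are constructed.

```python
import hashlib
import hmac
import struct

class MacError(Exception): """Authentication tag mismatch."""
class PaddingError(Exception): """Invalid PKCS#7 padding after decryption."""

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte, 4-round Feistel cipher (HMAC-SHA-256 round function) standing in
# for AES so the example needs only the standard library.  Not a real cipher.
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    n = 16 - len(pt) % 16
    pt = pt + bytes([n]) * n                         # PKCS#7 padding
    out, prev = b"", iv
    for i in range(0, len(pt), 16):
        prev = block_encrypt(key, _xor(pt[i:i + 16], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    pt, prev = b"", iv
    for i in range(0, len(ct), 16):
        pt += _xor(block_decrypt(key, ct[i:i + 16]), prev)
        prev = ct[i:i + 16]
    n = pt[-1]
    if not 1 <= n <= 16 or pt[-n:] != bytes([n]) * n:
        raise PaddingError("bad PKCS#7 padding")
    return pt[:-n]

def auth_tag(mac_key, aad, iv, ct):
    """RFC 7518 5.2.2.1 tag: HMAC over AAD||IV||C||AL, truncated to 16 bytes."""
    al = struct.pack(">Q", len(aad) * 8)
    return hmac.new(mac_key, aad + iv + ct + al, hashlib.sha256).digest()[:16]

def decrypt_vulnerable(mac_key, enc_key, aad, iv, ct, tag):
    """Assumed model of the flaw: the bad tag is noticed, but decryption and
    unpadding still run, so a padding failure surfaces as a different error."""
    tag_ok = hmac.compare_digest(auth_tag(mac_key, aad, iv, ct), tag)
    pt = cbc_decrypt(enc_key, iv, ct)                # may raise PaddingError first
    if not tag_ok:
        raise MacError("MAC check failed")
    return pt

def decrypt_fixed(mac_key, enc_key, aad, iv, ct, tag):
    """Verify first, fail closed: nothing is decrypted unless the tag matches."""
    if not hmac.compare_digest(auth_tag(mac_key, aad, iv, ct), tag):
        raise MacError("MAC check failed")
    return cbc_decrypt(enc_key, iv, ct)

def recover_last_byte(decrypt_fn, mac_key, enc_key, aad, iv, ct, tag):
    """One padding-oracle step on a two-block ciphertext: recover the last
    plaintext byte by probing the block-1 byte that masks it.  Returns None
    when every probe fails the same way, i.e. there is no oracle."""
    c1 = bytearray(ct[:16])
    c1[14] ^= 0xFF          # scramble the preceding plaintext byte: only 0x01 padding can now pass
    hits = []
    for g in range(256):
        probe = bytes(c1[:15]) + bytes([g]) + ct[16:]
        try:
            decrypt_fn(mac_key, enc_key, aad, iv, probe, tag)
        except PaddingError:
            continue                                 # leaked: padding invalid
        except MacError:
            hits.append(g)                           # padding valid, only the tag failed
    if len(hits) != 1:
        return None
    return hits[0] ^ ct[15] ^ 0x01                   # byte that decrypted to 0x01 under guess g

def demo():
    mac_key, enc_key = b"m" * 16, b"e" * 16          # constructed keys
    iv, aad = b"\x00" * 16, b"constructed-protected-header"
    pt = b'{"sub":"alice","admin":false}'            # 29 bytes: padded with 03 03 03
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = auth_tag(mac_key, aad, iv, ct)
    return {
        "vulnerable": recover_last_byte(decrypt_vulnerable, mac_key, enc_key, aad, iv, ct, tag),
        "fixed": recover_last_byte(decrypt_fixed, mac_key, enc_key, aad, iv, ct, tag),
    }
```

demo() returns the padding byte 0x03 from the vulnerable decryptor and None from the fixed one: once every tampered ciphertext fails with the same MacError, the 256 probes carry no information, and the full byte-by-byte attack that this step would seed cannot start.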

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-354 (Improper Validation of Integrity Check Value)

Products Affected

Vendor Product Version
connect2id nimbus_jose+jwt 2.16
connect2id nimbus_jose+jwt 2.17
connect2id nimbus_jose+jwt 4.27
connect2id nimbus_jose+jwt 4.30
connect2id nimbus_jose+jwt 4.25
connect2id nimbus_jose+jwt 4.23
connect2id nimbus_jose+jwt 2.20
connect2id nimbus_jose+jwt 2.8
connect2id nimbus_jose+jwt 1.12
connect2id nimbus_jose+jwt 2.22
connect2id nimbus_jose+jwt 4.15.1
connect2id nimbus_jose+jwt 2.15.1
connect2id nimbus_jose+jwt 4.3.1
connect2id nimbus_jose+jwt 1.5
connect2id nimbus_jose+jwt 3.0
connect2id nimbus_jose+jwt 4.18
connect2id nimbus_jose+jwt 2.13.1
connect2id nimbus_jose+jwt 3.9.1
connect2id nimbus_jose+jwt 2.13.0
connect2id nimbus_jose+jwt 2.22.1
connect2id nimbus_jose+jwt 1.2
connect2id nimbus_jose+jwt 2.11.0
connect2id nimbus_jose+jwt 4.37.1
connect2id nimbus_jose+jwt 3.10
connect2id nimbus_jose+jwt 2.12.0
connect2id nimbus_jose+jwt 3.1.2
connect2id nimbus_jose+jwt 3.3
connect2id nimbus_jose+jwt 4.10
connect2id nimbus_jose+jwt 2.25
connect2id nimbus_jose+jwt 2.10
connect2id nimbus_jose+jwt 4.26.1
connect2id nimbus_jose+jwt 4.7
connect2id nimbus_jose+jwt 4.12
connect2id nimbus_jose+jwt 4.19
connect2id nimbus_jose+jwt 1.4
connect2id nimbus_jose+jwt 2.18
connect2id nimbus_jose+jwt 2.24
connect2id nimbus_jose+jwt 2.4
connect2id nimbus_jose+jwt 4.32
connect2id nimbus_jose+jwt 3.2.2
connect2id nimbus_jose+jwt 3.9.2
connect2id nimbus_jose+jwt 4.11.1
connect2id nimbus_jose+jwt 2.0
connect2id nimbus_jose+jwt 4.22
connect2id nimbus_jose+jwt 4.11
connect2id nimbus_jose+jwt 1.8
connect2id nimbus_jose+jwt 4.6
connect2id nimbus_jose+jwt 1.9
connect2id nimbus_jose+jwt 4.20
connect2id nimbus_jose+jwt 3.8.2
connect2id nimbus_jose+jwt 4.1
connect2id nimbus_jose+jwt 4.21
connect2id nimbus_jose+jwt 4.0
connect2id nimbus_jose+jwt 4.33
connect2id nimbus_jose+jwt 4.2
connect2id nimbus_jose+jwt 2.18.1
connect2id nimbus_jose+jwt 2.14
connect2id nimbus_jose+jwt 4.4
connect2id nimbus_jose+jwt 4.37
connect2id nimbus_jose+jwt 1.1
connect2id nimbus_jose+jwt 4.34.1
connect2id nimbus_jose+jwt 3.5
connect2id nimbus_jose+jwt 3.2.1
connect2id nimbus_jose+jwt 2.7
connect2id nimbus_jose+jwt 2.26.1
connect2id nimbus_jose+jwt 4.0.1
connect2id nimbus_jose+jwt 4.38
connect2id nimbus_jose+jwt 4.16.1
connect2id nimbus_jose+jwt 2.5
connect2id nimbus_jose+jwt 4.15
connect2id nimbus_jose+jwt 4.28
connect2id nimbus_jose+jwt 4.36.1
connect2id nimbus_jose+jwt 1.7
connect2id nimbus_jose+jwt 4.13
connect2id nimbus_jose+jwt 4.31
connect2id nimbus_jose+jwt 2.10.1
connect2id nimbus_jose+jwt 3.7
connect2id nimbus_jose+jwt 4.31.1
connect2id nimbus_jose+jwt 4.14
connect2id nimbus_jose+jwt 4.8
connect2id nimbus_jose+jwt 4.13.1
connect2id nimbus_jose+jwt 2.1.1
connect2id nimbus_jose+jwt 1.9.1
connect2id nimbus_jose+jwt 2.6
connect2id nimbus_jose+jwt 3.2
connect2id nimbus_jose+jwt 3.6
connect2id nimbus_jose+jwt 2.19.1
connect2id nimbus_jose+jwt 2.21
connect2id nimbus_jose+jwt 4.16.2
connect2id nimbus_jose+jwt 2.0.1
connect2id nimbus_jose+jwt 2.23
connect2id nimbus_jose+jwt 4.24
connect2id nimbus_jose+jwt 1.11
connect2id nimbus_jose+jwt 4.3
connect2id nimbus_jose+jwt 4.9
connect2id nimbus_jose+jwt 2.1
connect2id nimbus_jose+jwt 4.11.2
connect2id nimbus_jose+jwt 3.9
connect2id nimbus_jose+jwt 3.1
connect2id nimbus_jose+jwt 3.8
connect2id nimbus_jose+jwt 4.34
connect2id nimbus_jose+jwt 2.15
connect2id nimbus_jose+jwt 2.18.2
connect2id nimbus_jose+jwt 2.19
connect2id nimbus_jose+jwt 3.4
connect2id nimbus_jose+jwt 4.1.1
connect2id nimbus_jose+jwt 2.17.1
connect2id nimbus_jose+jwt 4.27.1
connect2id nimbus_jose+jwt 4.34.2
connect2id nimbus_jose+jwt 4.5
connect2id nimbus_jose+jwt 1.3
connect2id nimbus_jose+jwt 3.1.1
connect2id nimbus_jose+jwt 2.2
connect2id nimbus_jose+jwt 2.26
connect2id nimbus_jose+jwt 4.29
connect2id nimbus_jose+jwt 1.6
connect2id nimbus_jose+jwt 2.9
connect2id nimbus_jose+jwt 4.16
connect2id nimbus_jose+jwt 4.35
connect2id nimbus_jose+jwt 4.26
connect2id nimbus_jose+jwt 3.8.1
connect2id nimbus_jose+jwt 1.0
connect2id nimbus_jose+jwt 4.17
connect2id nimbus_jose+jwt 1.10
connect2id nimbus_jose+jwt 2.17.2
connect2id nimbus_jose+jwt 2.15.2
connect2id nimbus_jose+jwt 2.3
CVE-2017-12974 MEDIUM

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
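
The check the advisory says was missing, as an added example that is not Nimbus code: full validation of a P-256 public JWK before it is used for ECDH-ES, including the on-curve test y^2 = x^3 + ax + b (mod p) and coordinate range and length checks. implied_b shows which curve an off-curve point actually lies on, which is the lever of the invalid curve attack. The P-256 constants are the standard NIST values; the two JWKs are constructed from the generator point and from a point one step off the curve.

```python
import base64

# NIST P-256 domain parameters (JWK "crv": "P-256"): y^2 = x^3 + a*x + b over GF(p)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
COORD_LEN = 32


def is_on_curve(x, y, p=P256_P, a=P256_A, b=P256_B):
    """True iff (x, y) satisfies the curve equation with both coordinates in range."""
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


def implied_b(x, y, p=P256_P, a=P256_A):
    """The b' for which (x, y) lies on y^2 = x^3 + a*x + b'.  Affine point addition
    and doubling never involve b, so code that skips the on-curve check performs
    ECDH on this attacker-chosen curve, whose group order the attacker can pick
    to be smooth: that is the invalid curve attack."""
    return (y * y - x * x * x - a * x) % p


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_uint(n):
    return base64.urlsafe_b64encode(n.to_bytes(COORD_LEN, "big")).rstrip(b"=").decode("ascii")


def validate_ec_jwk(jwk):
    """Validates a P-256 EC public JWK (RFC 7518 section 6.2.1) before it is fed
    to ECDH-ES.  Returns (x, y) as integers or raises ValueError."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        raise ValueError("not a P-256 EC key")
    xb, yb = _b64url_decode(jwk["x"]), _b64url_decode(jwk["y"])
    if len(xb) != COORD_LEN or len(yb) != COORD_LEN:
        raise ValueError("x and y must each be exactly 32 octets for P-256")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not is_on_curve(x, y):
        raise ValueError("public point is not on P-256 (invalid curve attack?)")
    return x, y


def rejects(jwk):
    try:
        validate_ec_jwk(jwk)
        return False
    except (ValueError, KeyError):      # binascii.Error is a ValueError
        return True


def sample_keys():
    """Constructed JWKs: the P-256 generator, and a point one step off the curve."""
    good = {"kty": "EC", "crv": "P-256", "x": _b64url_uint(P256_GX), "y": _b64url_uint(P256_GY)}
    bad = dict(good, y=_b64url_uint(P256_GY + 1))
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    keys = sample_keys()
    print("generator accepted:", not rejects(keys["good"]))
    print("off-curve point rejected:", rejects(keys["bad"]))
    print("off-curve point lives on b' =", hex(implied_b(P256_GX, P256_GY + 1)))
```

Run this check on every EC JWK that arrives from outside (the epk header of an ECDH-ES JWE, a JWKS fetched over the network, a client-registered key), regardless of whether the JCE provider underneath is believed to validate points itself.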

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347 (Improper Verification of Cryptographic Signature)

Products Affected

Vendor Product Version
connect2id nimbus_jose+jwt 2.16
connect2id nimbus_jose+jwt 2.17
connect2id nimbus_jose+jwt 4.27
connect2id nimbus_jose+jwt 4.30
connect2id nimbus_jose+jwt 4.25
connect2id nimbus_jose+jwt 4.23
connect2id nimbus_jose+jwt 2.20
connect2id nimbus_jose+jwt 2.8
connect2id nimbus_jose+jwt 1.12
connect2id nimbus_jose+jwt 2.22
connect2id nimbus_jose+jwt 4.15.1
connect2id nimbus_jose+jwt 2.15.1
connect2id nimbus_jose+jwt 4.3.1
connect2id nimbus_jose+jwt 1.5
connect2id nimbus_jose+jwt 3.0
connect2id nimbus_jose+jwt 4.18
connect2id nimbus_jose+jwt 2.13.1
connect2id nimbus_jose+jwt 3.9.1
connect2id nimbus_jose+jwt 2.13.0
connect2id nimbus_jose+jwt 2.22.1
connect2id nimbus_jose+jwt 1.2
connect2id nimbus_jose+jwt 2.11.0
connect2id nimbus_jose+jwt 3.10
connect2id nimbus_jose+jwt 2.12.0
connect2id nimbus_jose+jwt 3.1.2
connect2id nimbus_jose+jwt 3.3
connect2id nimbus_jose+jwt 4.10
connect2id nimbus_jose+jwt 2.25
connect2id nimbus_jose+jwt 2.10
connect2id nimbus_jose+jwt 4.26.1
connect2id nimbus_jose+jwt 4.7
connect2id nimbus_jose+jwt 4.12
connect2id nimbus_jose+jwt 4.19
connect2id nimbus_jose+jwt 1.4
connect2id nimbus_jose+jwt 2.18
connect2id nimbus_jose+jwt 2.24
connect2id nimbus_jose+jwt 2.4
connect2id nimbus_jose+jwt 4.32
connect2id nimbus_jose+jwt 3.2.2
connect2id nimbus_jose+jwt 3.9.2
connect2id nimbus_jose+jwt 4.11.1
connect2id nimbus_jose+jwt 2.0
connect2id nimbus_jose+jwt 4.22
connect2id nimbus_jose+jwt 4.11
connect2id nimbus_jose+jwt 1.8
connect2id nimbus_jose+jwt 4.6
connect2id nimbus_jose+jwt 1.9
connect2id nimbus_jose+jwt 4.20
connect2id nimbus_jose+jwt 3.8.2
connect2id nimbus_jose+jwt 4.1
connect2id nimbus_jose+jwt 4.21
connect2id nimbus_jose+jwt 4.0
connect2id nimbus_jose+jwt 4.33
connect2id nimbus_jose+jwt 4.2
connect2id nimbus_jose+jwt 2.18.1
connect2id nimbus_jose+jwt 2.14
connect2id nimbus_jose+jwt 4.4
connect2id nimbus_jose+jwt 1.1
connect2id nimbus_jose+jwt 4.34.1
connect2id nimbus_jose+jwt 3.5
connect2id nimbus_jose+jwt 3.2.1
connect2id nimbus_jose+jwt 2.7
connect2id nimbus_jose+jwt 2.26.1
connect2id nimbus_jose+jwt 4.0.1
connect2id nimbus_jose+jwt 4.16.1
connect2id nimbus_jose+jwt 2.5
connect2id nimbus_jose+jwt 4.15
connect2id nimbus_jose+jwt 4.28
connect2id nimbus_jose+jwt 1.7
connect2id nimbus_jose+jwt 4.13
connect2id nimbus_jose+jwt 4.31
connect2id nimbus_jose+jwt 2.10.1
connect2id nimbus_jose+jwt 3.7
connect2id nimbus_jose+jwt 4.31.1
connect2id nimbus_jose+jwt 4.14
connect2id nimbus_jose+jwt 4.8
connect2id nimbus_jose+jwt 4.13.1
connect2id nimbus_jose+jwt 2.1.1
connect2id nimbus_jose+jwt 1.9.1
connect2id nimbus_jose+jwt 2.6
connect2id nimbus_jose+jwt 3.2
connect2id nimbus_jose+jwt 3.6
connect2id nimbus_jose+jwt 2.19.1
connect2id nimbus_jose+jwt 2.21
connect2id nimbus_jose+jwt 4.16.2
connect2id nimbus_jose+jwt 2.0.1
connect2id nimbus_jose+jwt 2.23
connect2id nimbus_jose+jwt 4.24
connect2id nimbus_jose+jwt 1.11
connect2id nimbus_jose+jwt 4.3
connect2id nimbus_jose+jwt 4.9
connect2id nimbus_jose+jwt 2.1
connect2id nimbus_jose+jwt 4.11.2
connect2id nimbus_jose+jwt 3.9
connect2id nimbus_jose+jwt 3.1
connect2id nimbus_jose+jwt 3.8
connect2id nimbus_jose+jwt 4.34
connect2id nimbus_jose+jwt 2.15
connect2id nimbus_jose+jwt 2.18.2
connect2id nimbus_jose+jwt 2.19
connect2id nimbus_jose+jwt 3.4
connect2id nimbus_jose+jwt 4.1.1
connect2id nimbus_jose+jwt 2.17.1
connect2id nimbus_jose+jwt 4.27.1
connect2id nimbus_jose+jwt 4.34.2
connect2id nimbus_jose+jwt 4.5
connect2id nimbus_jose+jwt 1.3
connect2id nimbus_jose+jwt 3.1.1
connect2id nimbus_jose+jwt 2.2
connect2id nimbus_jose+jwt 2.26
connect2id nimbus_jose+jwt 4.29
connect2id nimbus_jose+jwt 1.6
connect2id nimbus_jose+jwt 2.9
connect2id nimbus_jose+jwt 4.16
connect2id nimbus_jose+jwt 4.35
connect2id nimbus_jose+jwt 4.26
connect2id nimbus_jose+jwt 3.8.1
connect2id nimbus_jose+jwt 1.0
connect2id nimbus_jose+jwt 4.17
connect2id nimbus_jose+jwt 1.10
connect2id nimbus_jose+jwt 2.17.2
connect2id nimbus_jose+jwt 2.15.2
connect2id nimbus_jose+jwt 2.3
CVE-2019-17195 MEDIUM

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
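
An added example, not the library's code, contrasting a naive compact-JWS parser, which leaks a different exception type for each kind of malformed input, with a strict parser that maps every structural problem to a single InvalidToken so that callers can fail closed with one handler. The tokens are constructed and carry no real signatures; alg none is refused up front as well.

```python
import base64
import binascii
import json

_B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")


class InvalidToken(Exception):
    """The only error a caller ever sees for a malformed token."""


def _segment(seg, what):
    # urlsafe_b64decode silently drops characters outside the alphabet, so check first
    if not seg or not set(seg) <= _B64URL:
        raise InvalidToken(f"{what} segment is not base64url")
    try:
        return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
    except (binascii.Error, ValueError) as e:
        raise InvalidToken(f"{what} segment is not base64url") from e


def _json_object(raw, what):
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError, RecursionError) as e:
        raise InvalidToken(f"{what} is not valid JSON") from e
    if not isinstance(obj, dict):
        raise InvalidToken(f"{what} is not a JSON object")
    return obj


def parse_jws_compact(token):
    """Strict parse of a JWS compact serialization.  Every structural problem is
    reported as InvalidToken; nothing else escapes this function."""
    if not isinstance(token, str):
        raise InvalidToken("token is not a string")
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header = _json_object(_segment(parts[0], "header"), "header")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg == "none":
        raise InvalidToken("missing, non-string or 'none' alg")
    claims = _json_object(_segment(parts[1], "payload"), "payload")
    signature = _segment(parts[2], "signature")
    return header, claims, signature


def is_rejected(token):
    try:
        parse_jws_compact(token)
        return False
    except InvalidToken:
        return True


def naive_parse(token):
    """A typical unhardened parser: each malformation escapes as a different
    exception type, which is the failure mode the advisory describes."""
    h, p, s = token.split(".")
    header = json.loads(base64.urlsafe_b64decode(h + "=" * (-len(h) % 4)))
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    return header["alg"], claims


def naive_failure_modes(tokens):
    """Exception class name naive_parse leaks per token (None = accepted)."""
    seen = {}
    for name, tok in tokens.items():
        try:
            naive_parse(tok)
            seen[name] = None
        except Exception as e:
            seen[name] = type(e).__name__
    return seen


def _b64e(obj):
    raw = obj if isinstance(obj, bytes) else json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed tokens (no real signatures); GOOD is structurally valid only.
GOOD = ".".join([_b64e({"alg": "HS256", "typ": "JWT"}), _b64e({"sub": "alice"}), _b64e(b"\x00" * 32)])
MALFORMED = {
    "two_segments": "only.two",
    "bad_base64_length": "a.b.c",
    "header_not_json": ".".join([_b64e(b"not json"), _b64e({"sub": "x"}), _b64e(b"s")]),
    "header_is_array": ".".join([_b64e([1, 2]), _b64e({"sub": "x"}), _b64e(b"s")]),
    "header_without_alg": ".".join([_b64e({"typ": "JWT"}), _b64e({"sub": "x"}), _b64e(b"s")]),
    "payload_is_number": ".".join([_b64e({"alg": "HS256"}), _b64e(b"42"), _b64e(b"s")]),
    "alg_none": ".".join([_b64e({"alg": "none"}), _b64e({"sub": "x"}), ""]),
}
```

naive_failure_modes(MALFORMED) shows the spread the advisory warns about: ValueError, binascii.Error, JSONDecodeError, TypeError and KeyError for different inputs, and silent acceptance of the alg none and non-object payload tokens. A caller that catches only the parse exception it expects lets the others propagate, which is how a crash or an authentication decision made on an unparsed token comes about; the strict parser leaves the caller exactly one exception to handle.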

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755 (Improper Handling of Exceptional Conditions)

Products Affected

Vendor Product Version
oracle communications_pricing_design_center 12.0.0.3.0
apache hadoop 3.2.1
oracle enterprise_manager_base_platform 13.4.0.0
oracle solaris_cluster 4.0
oracle jd_edwards_enterpriseone_orchestrator *
oracle insurance_policy_administration *
connect2id nimbus_jose+jwt *
oracle peoplesoft_enterprise_peopletools 8.59
oracle healthcare_data_repository 8.1.0
oracle peoplesoft_enterprise_peopletools 8.58
oracle communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle data_integrator 12.2.1.4.0
oracle policy_automation *
oracle weblogic_server 12.2.1.3.0
oracle primavera_gateway 19.12.0
oracle primavera_gateway *
oracle weblogic_server 12.2.1.4.0
oracle jd_edwards_enterpriseone_tools *
CVE-2023-52428

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
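
An added example, not Nimbus code, of bounding the PBES2 iteration count before PBKDF2 runs. The JWE protected header is validated against the RFC 7518 minimums and an assumed deployment ceiling (MAX_P2C is a policy value chosen here, not a figure from the advisory), so a header carrying p2c = 2^31 - 1 is refused before any key derivation work starts. The headers and password are constructed.

```python
import base64
import hashlib

# Policy limits for PBES2 headers.  The RFC values are from RFC 7518 section 4.8.1;
# the ceiling is a deployment choice (assumed here), not taken from the advisory.
MIN_P2C = 1000          # RFC 7518: iteration count SHOULD be at least 1000
MAX_P2C = 200_000       # assumed ceiling: bounds the CPU one token can demand
MIN_P2S_LEN = 8         # RFC 7518: salt input MUST be at least 8 octets

# alg -> (PBKDF2 PRF, derived key-encryption-key length in bytes)
_PBES2 = {
    "PBES2-HS256+A128KW": ("sha256", 16),
    "PBES2-HS384+A192KW": ("sha384", 24),
    "PBES2-HS512+A256KW": ("sha512", 32),
}


def check_pbes2_header(header, max_p2c=MAX_P2C):
    """Validate the PBES2 parameters of a JWE protected header before any PBKDF2
    work is done.  Returns (alg, p2c, salt_input) or raises ValueError."""
    alg = header.get("alg")
    if alg not in _PBES2:
        raise ValueError("not a PBES2 algorithm")
    p2c = header.get("p2c")
    if type(p2c) is not int:              # excludes bool and floats such as 1e9
        raise ValueError("p2c must be a JSON integer")
    if p2c < MIN_P2C:
        raise ValueError(f"p2c={p2c} below the RFC 7518 minimum of {MIN_P2C}")
    if p2c > max_p2c:
        raise ValueError(f"p2c={p2c} exceeds the ceiling of {max_p2c}")
    p2s_b64 = header.get("p2s")
    if not isinstance(p2s_b64, str):
        raise ValueError("p2s missing")
    p2s = base64.urlsafe_b64decode(p2s_b64 + "=" * (-len(p2s_b64) % 4))
    if len(p2s) < MIN_P2S_LEN:
        raise ValueError("p2s shorter than 8 octets")
    return alg, p2c, p2s


def derive_kek(header, password, max_p2c=MAX_P2C):
    """PBES2 key derivation (RFC 7518 section 4.8.1): salt = UTF8(alg) || 0x00 || p2s,
    run only after the header has passed the checks above."""
    alg, p2c, p2s = check_pbes2_header(header, max_p2c)
    prf, klen = _PBES2[alg]
    salt = alg.encode("ascii") + b"\x00" + p2s
    return hashlib.pbkdf2_hmac(prf, password, salt, p2c, klen)


def rejects(header, max_p2c=MAX_P2C):
    try:
        check_pbes2_header(header, max_p2c)
        return False
    except ValueError:
        return True


def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


# Constructed headers: a sane one, and one shaped like the DoS in the advisory.
NORMAL_HEADER = {
    "alg": "PBES2-HS256+A128KW",
    "enc": "A128CBC-HS256",
    "p2s": _b64url(bytes(range(1, 17))),            # 16 octets of constructed salt input
    "p2c": 4096,
}
HOSTILE_HEADER = dict(NORMAL_HEADER, p2c=2**31 - 1)  # ~2 billion PBKDF2 iterations per token


if __name__ == "__main__":
    print(derive_kek(NORMAL_HEADER, b"correct horse battery staple").hex())
    print("hostile header rejected before PBKDF2 runs:", rejects(HOSTILE_HEADER))
```

The order matters: the iteration count is attacker-controlled header data, so it is bounded before the password, the salt or the wrapped key are touched. Pick the ceiling from what your own encryptors emit plus headroom; the only cost of a tight bound is refusing tokens you would never have produced.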

Products Affected

Vendor Product Version
connect2id nimbus_jose+jwt *