In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-345,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| connect2id | nimbus_jose+jwt | 2.16 |
| connect2id | nimbus_jose+jwt | 2.17 |
| connect2id | nimbus_jose+jwt | 4.27 |
| connect2id | nimbus_jose+jwt | 4.30 |
| connect2id | nimbus_jose+jwt | 4.25 |
| connect2id | nimbus_jose+jwt | 4.23 |
| connect2id | nimbus_jose+jwt | 2.20 |
| connect2id | nimbus_jose+jwt | 2.8 |
| connect2id | nimbus_jose+jwt | 1.12 |
| connect2id | nimbus_jose+jwt | 2.22 |
| connect2id | nimbus_jose+jwt | 4.15.1 |
| connect2id | nimbus_jose+jwt | 2.15.1 |
| connect2id | nimbus_jose+jwt | 4.3.1 |
| connect2id | nimbus_jose+jwt | 1.5 |
| connect2id | nimbus_jose+jwt | 3.0 |
| connect2id | nimbus_jose+jwt | 4.18 |
| connect2id | nimbus_jose+jwt | 2.13.1 |
| connect2id | nimbus_jose+jwt | 3.9.1 |
| connect2id | nimbus_jose+jwt | 2.13.0 |
| connect2id | nimbus_jose+jwt | 2.22.1 |
| connect2id | nimbus_jose+jwt | 1.2 |
| connect2id | nimbus_jose+jwt | 2.11.0 |
| connect2id | nimbus_jose+jwt | 4.37.1 |
| connect2id | nimbus_jose+jwt | 3.10 |
| connect2id | nimbus_jose+jwt | 2.12.0 |
| connect2id | nimbus_jose+jwt | 3.1.2 |
| connect2id | nimbus_jose+jwt | 3.3 |
| connect2id | nimbus_jose+jwt | 4.10 |
| connect2id | nimbus_jose+jwt | 2.25 |
| connect2id | nimbus_jose+jwt | 2.10 |
| connect2id | nimbus_jose+jwt | 4.26.1 |
| connect2id | nimbus_jose+jwt | 4.7 |
| connect2id | nimbus_jose+jwt | 4.12 |
| connect2id | nimbus_jose+jwt | 4.19 |
| connect2id | nimbus_jose+jwt | 1.4 |
| connect2id | nimbus_jose+jwt | 2.18 |
| connect2id | nimbus_jose+jwt | 2.24 |
| connect2id | nimbus_jose+jwt | 2.4 |
| connect2id | nimbus_jose+jwt | 4.32 |
| connect2id | nimbus_jose+jwt | 3.2.2 |
| connect2id | nimbus_jose+jwt | 3.9.2 |
| connect2id | nimbus_jose+jwt | 4.11.1 |
| connect2id | nimbus_jose+jwt | 2.0 |
| connect2id | nimbus_jose+jwt | 4.22 |
| connect2id | nimbus_jose+jwt | 4.11 |
| connect2id | nimbus_jose+jwt | 1.8 |
| connect2id | nimbus_jose+jwt | 4.6 |
| connect2id | nimbus_jose+jwt | 1.9 |
| connect2id | nimbus_jose+jwt | 4.20 |
| connect2id | nimbus_jose+jwt | 3.8.2 |
| connect2id | nimbus_jose+jwt | 4.1 |
| connect2id | nimbus_jose+jwt | 4.21 |
| connect2id | nimbus_jose+jwt | 4.0 |
| connect2id | nimbus_jose+jwt | 4.33 |
| connect2id | nimbus_jose+jwt | 4.2 |
| connect2id | nimbus_jose+jwt | 2.18.1 |
| connect2id | nimbus_jose+jwt | 2.14 |
| connect2id | nimbus_jose+jwt | 4.4 |
| connect2id | nimbus_jose+jwt | 4.37 |
| connect2id | nimbus_jose+jwt | 1.1 |
| connect2id | nimbus_jose+jwt | 4.34.1 |
| connect2id | nimbus_jose+jwt | 3.5 |
| connect2id | nimbus_jose+jwt | 3.2.1 |
| connect2id | nimbus_jose+jwt | 2.7 |
| connect2id | nimbus_jose+jwt | 2.26.1 |
| connect2id | nimbus_jose+jwt | 4.0.1 |
| connect2id | nimbus_jose+jwt | 4.38 |
| connect2id | nimbus_jose+jwt | 4.16.1 |
| connect2id | nimbus_jose+jwt | 2.5 |
| connect2id | nimbus_jose+jwt | 4.15 |
| connect2id | nimbus_jose+jwt | 4.28 |
| connect2id | nimbus_jose+jwt | 4.36.1 |
| connect2id | nimbus_jose+jwt | 1.7 |
| connect2id | nimbus_jose+jwt | 4.13 |
| connect2id | nimbus_jose+jwt | 4.31 |
| connect2id | nimbus_jose+jwt | 2.10.1 |
| connect2id | nimbus_jose+jwt | 3.7 |
| connect2id | nimbus_jose+jwt | 4.31.1 |
| connect2id | nimbus_jose+jwt | 4.14 |
| connect2id | nimbus_jose+jwt | 4.8 |
| connect2id | nimbus_jose+jwt | 4.13.1 |
| connect2id | nimbus_jose+jwt | 2.1.1 |
| connect2id | nimbus_jose+jwt | 1.9.1 |
| connect2id | nimbus_jose+jwt | 2.6 |
| connect2id | nimbus_jose+jwt | 3.2 |
| connect2id | nimbus_jose+jwt | 3.6 |
| connect2id | nimbus_jose+jwt | 2.19.1 |
| connect2id | nimbus_jose+jwt | 2.21 |
| connect2id | nimbus_jose+jwt | 4.16.2 |
| connect2id | nimbus_jose+jwt | 2.0.1 |
| connect2id | nimbus_jose+jwt | 2.23 |
| connect2id | nimbus_jose+jwt | 4.24 |
| connect2id | nimbus_jose+jwt | 1.11 |
| connect2id | nimbus_jose+jwt | 4.3 |
| connect2id | nimbus_jose+jwt | 4.9 |
| connect2id | nimbus_jose+jwt | 2.1 |
| connect2id | nimbus_jose+jwt | 4.11.2 |
| connect2id | nimbus_jose+jwt | 3.9 |
| connect2id | nimbus_jose+jwt | 3.1 |
| connect2id | nimbus_jose+jwt | 3.8 |
| connect2id | nimbus_jose+jwt | 4.34 |
| connect2id | nimbus_jose+jwt | 2.15 |
| connect2id | nimbus_jose+jwt | 2.18.2 |
| connect2id | nimbus_jose+jwt | 2.19 |
| connect2id | nimbus_jose+jwt | 3.4 |
| connect2id | nimbus_jose+jwt | 4.1.1 |
| connect2id | nimbus_jose+jwt | 2.17.1 |
| connect2id | nimbus_jose+jwt | 4.27.1 |
| connect2id | nimbus_jose+jwt | 4.34.2 |
| connect2id | nimbus_jose+jwt | 4.5 |
| connect2id | nimbus_jose+jwt | 1.3 |
| connect2id | nimbus_jose+jwt | 3.1.1 |
| connect2id | nimbus_jose+jwt | 2.2 |
| connect2id | nimbus_jose+jwt | 2.26 |
| connect2id | nimbus_jose+jwt | 4.29 |
| connect2id | nimbus_jose+jwt | 1.6 |
| connect2id | nimbus_jose+jwt | 2.9 |
| connect2id | nimbus_jose+jwt | 4.16 |
| connect2id | nimbus_jose+jwt | 4.35 |
| connect2id | nimbus_jose+jwt | 4.26 |
| connect2id | nimbus_jose+jwt | 3.8.1 |
| connect2id | nimbus_jose+jwt | 1.0 |
| connect2id | nimbus_jose+jwt | 4.17 |
| connect2id | nimbus_jose+jwt | 1.10 |
| connect2id | nimbus_jose+jwt | 2.17.2 |
| connect2id | nimbus_jose+jwt | 2.15.2 |
| connect2id | nimbus_jose+jwt | 2.3 |
Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-354,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| connect2id | nimbus_jose+jwt | 2.16 |
| connect2id | nimbus_jose+jwt | 2.17 |
| connect2id | nimbus_jose+jwt | 4.27 |
| connect2id | nimbus_jose+jwt | 4.30 |
| connect2id | nimbus_jose+jwt | 4.25 |
| connect2id | nimbus_jose+jwt | 4.23 |
| connect2id | nimbus_jose+jwt | 2.20 |
| connect2id | nimbus_jose+jwt | 2.8 |
| connect2id | nimbus_jose+jwt | 1.12 |
| connect2id | nimbus_jose+jwt | 2.22 |
| connect2id | nimbus_jose+jwt | 4.15.1 |
| connect2id | nimbus_jose+jwt | 2.15.1 |
| connect2id | nimbus_jose+jwt | 4.3.1 |
| connect2id | nimbus_jose+jwt | 1.5 |
| connect2id | nimbus_jose+jwt | 3.0 |
| connect2id | nimbus_jose+jwt | 4.18 |
| connect2id | nimbus_jose+jwt | 2.13.1 |
| connect2id | nimbus_jose+jwt | 3.9.1 |
| connect2id | nimbus_jose+jwt | 2.13.0 |
| connect2id | nimbus_jose+jwt | 2.22.1 |
| connect2id | nimbus_jose+jwt | 1.2 |
| connect2id | nimbus_jose+jwt | 2.11.0 |
| connect2id | nimbus_jose+jwt | 4.37.1 |
| connect2id | nimbus_jose+jwt | 3.10 |
| connect2id | nimbus_jose+jwt | 2.12.0 |
| connect2id | nimbus_jose+jwt | 3.1.2 |
| connect2id | nimbus_jose+jwt | 3.3 |
| connect2id | nimbus_jose+jwt | 4.10 |
| connect2id | nimbus_jose+jwt | 2.25 |
| connect2id | nimbus_jose+jwt | 2.10 |
| connect2id | nimbus_jose+jwt | 4.26.1 |
| connect2id | nimbus_jose+jwt | 4.7 |
| connect2id | nimbus_jose+jwt | 4.12 |
| connect2id | nimbus_jose+jwt | 4.19 |
| connect2id | nimbus_jose+jwt | 1.4 |
| connect2id | nimbus_jose+jwt | 2.18 |
| connect2id | nimbus_jose+jwt | 2.24 |
| connect2id | nimbus_jose+jwt | 2.4 |
| connect2id | nimbus_jose+jwt | 4.32 |
| connect2id | nimbus_jose+jwt | 3.2.2 |
| connect2id | nimbus_jose+jwt | 3.9.2 |
| connect2id | nimbus_jose+jwt | 4.11.1 |
| connect2id | nimbus_jose+jwt | 2.0 |
| connect2id | nimbus_jose+jwt | 4.22 |
| connect2id | nimbus_jose+jwt | 4.11 |
| connect2id | nimbus_jose+jwt | 1.8 |
| connect2id | nimbus_jose+jwt | 4.6 |
| connect2id | nimbus_jose+jwt | 1.9 |
| connect2id | nimbus_jose+jwt | 4.20 |
| connect2id | nimbus_jose+jwt | 3.8.2 |
| connect2id | nimbus_jose+jwt | 4.1 |
| connect2id | nimbus_jose+jwt | 4.21 |
| connect2id | nimbus_jose+jwt | 4.0 |
| connect2id | nimbus_jose+jwt | 4.33 |
| connect2id | nimbus_jose+jwt | 4.2 |
| connect2id | nimbus_jose+jwt | 2.18.1 |
| connect2id | nimbus_jose+jwt | 2.14 |
| connect2id | nimbus_jose+jwt | 4.4 |
| connect2id | nimbus_jose+jwt | 4.37 |
| connect2id | nimbus_jose+jwt | 1.1 |
| connect2id | nimbus_jose+jwt | 4.34.1 |
| connect2id | nimbus_jose+jwt | 3.5 |
| connect2id | nimbus_jose+jwt | 3.2.1 |
| connect2id | nimbus_jose+jwt | 2.7 |
| connect2id | nimbus_jose+jwt | 2.26.1 |
| connect2id | nimbus_jose+jwt | 4.0.1 |
| connect2id | nimbus_jose+jwt | 4.38 |
| connect2id | nimbus_jose+jwt | 4.16.1 |
| connect2id | nimbus_jose+jwt | 2.5 |
| connect2id | nimbus_jose+jwt | 4.15 |
| connect2id | nimbus_jose+jwt | 4.28 |
| connect2id | nimbus_jose+jwt | 4.36.1 |
| connect2id | nimbus_jose+jwt | 1.7 |
| connect2id | nimbus_jose+jwt | 4.13 |
| connect2id | nimbus_jose+jwt | 4.31 |
| connect2id | nimbus_jose+jwt | 2.10.1 |
| connect2id | nimbus_jose+jwt | 3.7 |
| connect2id | nimbus_jose+jwt | 4.31.1 |
| connect2id | nimbus_jose+jwt | 4.14 |
| connect2id | nimbus_jose+jwt | 4.8 |
| connect2id | nimbus_jose+jwt | 4.13.1 |
| connect2id | nimbus_jose+jwt | 2.1.1 |
| connect2id | nimbus_jose+jwt | 1.9.1 |
| connect2id | nimbus_jose+jwt | 2.6 |
| connect2id | nimbus_jose+jwt | 3.2 |
| connect2id | nimbus_jose+jwt | 3.6 |
| connect2id | nimbus_jose+jwt | 2.19.1 |
| connect2id | nimbus_jose+jwt | 2.21 |
| connect2id | nimbus_jose+jwt | 4.16.2 |
| connect2id | nimbus_jose+jwt | 2.0.1 |
| connect2id | nimbus_jose+jwt | 2.23 |
| connect2id | nimbus_jose+jwt | 4.24 |
| connect2id | nimbus_jose+jwt | 1.11 |
| connect2id | nimbus_jose+jwt | 4.3 |
| connect2id | nimbus_jose+jwt | 4.9 |
| connect2id | nimbus_jose+jwt | 2.1 |
| connect2id | nimbus_jose+jwt | 4.11.2 |
| connect2id | nimbus_jose+jwt | 3.9 |
| connect2id | nimbus_jose+jwt | 3.1 |
| connect2id | nimbus_jose+jwt | 3.8 |
| connect2id | nimbus_jose+jwt | 4.34 |
| connect2id | nimbus_jose+jwt | 2.15 |
| connect2id | nimbus_jose+jwt | 2.18.2 |
| connect2id | nimbus_jose+jwt | 2.19 |
| connect2id | nimbus_jose+jwt | 3.4 |
| connect2id | nimbus_jose+jwt | 4.1.1 |
| connect2id | nimbus_jose+jwt | 2.17.1 |
| connect2id | nimbus_jose+jwt | 4.27.1 |
| connect2id | nimbus_jose+jwt | 4.34.2 |
| connect2id | nimbus_jose+jwt | 4.5 |
| connect2id | nimbus_jose+jwt | 1.3 |
| connect2id | nimbus_jose+jwt | 3.1.1 |
| connect2id | nimbus_jose+jwt | 2.2 |
| connect2id | nimbus_jose+jwt | 2.26 |
| connect2id | nimbus_jose+jwt | 4.29 |
| connect2id | nimbus_jose+jwt | 1.6 |
| connect2id | nimbus_jose+jwt | 2.9 |
| connect2id | nimbus_jose+jwt | 4.16 |
| connect2id | nimbus_jose+jwt | 4.35 |
| connect2id | nimbus_jose+jwt | 4.26 |
| connect2id | nimbus_jose+jwt | 3.8.1 |
| connect2id | nimbus_jose+jwt | 1.0 |
| connect2id | nimbus_jose+jwt | 4.17 |
| connect2id | nimbus_jose+jwt | 1.10 |
| connect2id | nimbus_jose+jwt | 2.17.2 |
| connect2id | nimbus_jose+jwt | 2.15.2 |
| connect2id | nimbus_jose+jwt | 2.3 |
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-347,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| connect2id | nimbus_jose+jwt | 2.16 |
| connect2id | nimbus_jose+jwt | 2.17 |
| connect2id | nimbus_jose+jwt | 4.27 |
| connect2id | nimbus_jose+jwt | 4.30 |
| connect2id | nimbus_jose+jwt | 4.25 |
| connect2id | nimbus_jose+jwt | 4.23 |
| connect2id | nimbus_jose+jwt | 2.20 |
| connect2id | nimbus_jose+jwt | 2.8 |
| connect2id | nimbus_jose+jwt | 1.12 |
| connect2id | nimbus_jose+jwt | 2.22 |
| connect2id | nimbus_jose+jwt | 4.15.1 |
| connect2id | nimbus_jose+jwt | 2.15.1 |
| connect2id | nimbus_jose+jwt | 4.3.1 |
| connect2id | nimbus_jose+jwt | 1.5 |
| connect2id | nimbus_jose+jwt | 3.0 |
| connect2id | nimbus_jose+jwt | 4.18 |
| connect2id | nimbus_jose+jwt | 2.13.1 |
| connect2id | nimbus_jose+jwt | 3.9.1 |
| connect2id | nimbus_jose+jwt | 2.13.0 |
| connect2id | nimbus_jose+jwt | 2.22.1 |
| connect2id | nimbus_jose+jwt | 1.2 |
| connect2id | nimbus_jose+jwt | 2.11.0 |
| connect2id | nimbus_jose+jwt | 3.10 |
| connect2id | nimbus_jose+jwt | 2.12.0 |
| connect2id | nimbus_jose+jwt | 3.1.2 |
| connect2id | nimbus_jose+jwt | 3.3 |
| connect2id | nimbus_jose+jwt | 4.10 |
| connect2id | nimbus_jose+jwt | 2.25 |
| connect2id | nimbus_jose+jwt | 2.10 |
| connect2id | nimbus_jose+jwt | 4.26.1 |
| connect2id | nimbus_jose+jwt | 4.7 |
| connect2id | nimbus_jose+jwt | 4.12 |
| connect2id | nimbus_jose+jwt | 4.19 |
| connect2id | nimbus_jose+jwt | 1.4 |
| connect2id | nimbus_jose+jwt | 2.18 |
| connect2id | nimbus_jose+jwt | 2.24 |
| connect2id | nimbus_jose+jwt | 2.4 |
| connect2id | nimbus_jose+jwt | 4.32 |
| connect2id | nimbus_jose+jwt | 3.2.2 |
| connect2id | nimbus_jose+jwt | 3.9.2 |
| connect2id | nimbus_jose+jwt | 4.11.1 |
| connect2id | nimbus_jose+jwt | 2.0 |
| connect2id | nimbus_jose+jwt | 4.22 |
| connect2id | nimbus_jose+jwt | 4.11 |
| connect2id | nimbus_jose+jwt | 1.8 |
| connect2id | nimbus_jose+jwt | 4.6 |
| connect2id | nimbus_jose+jwt | 1.9 |
| connect2id | nimbus_jose+jwt | 4.20 |
| connect2id | nimbus_jose+jwt | 3.8.2 |
| connect2id | nimbus_jose+jwt | 4.1 |
| connect2id | nimbus_jose+jwt | 4.21 |
| connect2id | nimbus_jose+jwt | 4.0 |
| connect2id | nimbus_jose+jwt | 4.33 |
| connect2id | nimbus_jose+jwt | 4.2 |
| connect2id | nimbus_jose+jwt | 2.18.1 |
| connect2id | nimbus_jose+jwt | 2.14 |
| connect2id | nimbus_jose+jwt | 4.4 |
| connect2id | nimbus_jose+jwt | 1.1 |
| connect2id | nimbus_jose+jwt | 4.34.1 |
| connect2id | nimbus_jose+jwt | 3.5 |
| connect2id | nimbus_jose+jwt | 3.2.1 |
| connect2id | nimbus_jose+jwt | 2.7 |
| connect2id | nimbus_jose+jwt | 2.26.1 |
| connect2id | nimbus_jose+jwt | 4.0.1 |
| connect2id | nimbus_jose+jwt | 4.16.1 |
| connect2id | nimbus_jose+jwt | 2.5 |
| connect2id | nimbus_jose+jwt | 4.15 |
| connect2id | nimbus_jose+jwt | 4.28 |
| connect2id | nimbus_jose+jwt | 1.7 |
| connect2id | nimbus_jose+jwt | 4.13 |
| connect2id | nimbus_jose+jwt | 4.31 |
| connect2id | nimbus_jose+jwt | 2.10.1 |
| connect2id | nimbus_jose+jwt | 3.7 |
| connect2id | nimbus_jose+jwt | 4.31.1 |
| connect2id | nimbus_jose+jwt | 4.14 |
| connect2id | nimbus_jose+jwt | 4.8 |
| connect2id | nimbus_jose+jwt | 4.13.1 |
| connect2id | nimbus_jose+jwt | 2.1.1 |
| connect2id | nimbus_jose+jwt | 1.9.1 |
| connect2id | nimbus_jose+jwt | 2.6 |
| connect2id | nimbus_jose+jwt | 3.2 |
| connect2id | nimbus_jose+jwt | 3.6 |
| connect2id | nimbus_jose+jwt | 2.19.1 |
| connect2id | nimbus_jose+jwt | 2.21 |
| connect2id | nimbus_jose+jwt | 4.16.2 |
| connect2id | nimbus_jose+jwt | 2.0.1 |
| connect2id | nimbus_jose+jwt | 2.23 |
| connect2id | nimbus_jose+jwt | 4.24 |
| connect2id | nimbus_jose+jwt | 1.11 |
| connect2id | nimbus_jose+jwt | 4.3 |
| connect2id | nimbus_jose+jwt | 4.9 |
| connect2id | nimbus_jose+jwt | 2.1 |
| connect2id | nimbus_jose+jwt | 4.11.2 |
| connect2id | nimbus_jose+jwt | 3.9 |
| connect2id | nimbus_jose+jwt | 3.1 |
| connect2id | nimbus_jose+jwt | 3.8 |
| connect2id | nimbus_jose+jwt | 4.34 |
| connect2id | nimbus_jose+jwt | 2.15 |
| connect2id | nimbus_jose+jwt | 2.18.2 |
| connect2id | nimbus_jose+jwt | 2.19 |
| connect2id | nimbus_jose+jwt | 3.4 |
| connect2id | nimbus_jose+jwt | 4.1.1 |
| connect2id | nimbus_jose+jwt | 2.17.1 |
| connect2id | nimbus_jose+jwt | 4.27.1 |
| connect2id | nimbus_jose+jwt | 4.34.2 |
| connect2id | nimbus_jose+jwt | 4.5 |
| connect2id | nimbus_jose+jwt | 1.3 |
| connect2id | nimbus_jose+jwt | 3.1.1 |
| connect2id | nimbus_jose+jwt | 2.2 |
| connect2id | nimbus_jose+jwt | 2.26 |
| connect2id | nimbus_jose+jwt | 4.29 |
| connect2id | nimbus_jose+jwt | 1.6 |
| connect2id | nimbus_jose+jwt | 2.9 |
| connect2id | nimbus_jose+jwt | 4.16 |
| connect2id | nimbus_jose+jwt | 4.35 |
| connect2id | nimbus_jose+jwt | 4.26 |
| connect2id | nimbus_jose+jwt | 3.8.1 |
| connect2id | nimbus_jose+jwt | 1.0 |
| connect2id | nimbus_jose+jwt | 4.17 |
| connect2id | nimbus_jose+jwt | 1.10 |
| connect2id | nimbus_jose+jwt | 2.17.2 |
| connect2id | nimbus_jose+jwt | 2.15.2 |
| connect2id | nimbus_jose+jwt | 2.3 |
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | communications_pricing_design_center | 12.0.0.3.0 |
| apache | hadoop | 3.2.1 |
| oracle | enterprise_manager_base_platform | 13.4.0.0 |
| oracle | solaris_cluster | 4.0 |
| oracle | jd_edwards_enterpriseone_orchestrator | * |
| oracle | insurance_policy_administration | * |
| connect2id | nimbus_jose+jwt | * |
| oracle | peoplesoft_enterprise_peopletools | 8.59 |
| oracle | healthcare_data_repository | 8.1.0 |
| oracle | peoplesoft_enterprise_peopletools | 8.58 |
| oracle | communications_cloud_native_core_security_edge_protection_proxy | 1.7.0 |
| oracle | data_integrator | 12.2.1.4.0 |
| oracle | policy_automation | * |
| oracle | weblogic_server | 12.2.1.3.0 |
| oracle | primavera_gateway | 19.12.0 |
| oracle | primavera_gateway | * |
| oracle | weblogic_server | 12.2.1.4.0 |
| oracle | jd_edwards_enterpriseone_tools | * |
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| connect2id | nimbus_jose+jwt | * |