Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N
Vendors Products
Connect2id
  • Nimbus Jose\+jwt

Configuration 1 [-]

OR cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.3:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.4:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.5:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.6:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.7:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.8:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.9:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.9.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.10:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.11:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:1.12:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.3:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.4:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.5:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.6:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.7:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.8:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.9:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.10:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.10.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.11.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.12.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.13.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.13.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.14:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.15:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.15.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.15.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.16:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.17:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.17.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.17.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.18:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.18.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.18.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.19:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.19.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.20:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.21:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.22:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.22.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.23:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.24:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.25:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.26:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:2.26.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.1.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.1.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.2.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.3:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.4:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.5:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.6:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.7:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.8:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.8.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.8.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.9:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.9.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.9.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:3.10:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.0:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.1.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.3:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.3.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.4:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.5:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.6:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.7:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.8:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.9:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.10:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.11:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.11.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.11.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.12:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.13:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.13.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.14:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.15:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.15.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.16:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.16.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.16.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.17:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.18:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.19:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.20:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.21:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.22:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.23:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.24:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.25:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.26:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.26.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.27:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.27.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.28:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.29:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.30:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.31:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.31.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.32:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.33:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.34:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.34.1:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.34.2:*:*:*:*:*:*:*
cpe:2.3:a:connect2id:nimbus_jose\+jwt:4.35:*:*:*:*:*:*:*
References
Link Resource
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f Third Party Advisory
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve Patch Third Party Advisory
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt Release Notes Third Party Advisory
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2017-08-20T16:00:00

Updated: 2019-11-16T01:06:53

Reserved: 2017-08-20T00:00:00

Link: CVE-2017-12974

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2017-08-20T16:29:00.313

Modified: 2023-11-07T02:38:32.850

Link: CVE-2017-12974

JSON object: View

cve-icon Redhat Information

No data.

CWE