Improper HMAC Handling in Nimbus JOSE+JWT Makes it Vulnerable to Oracle Attacks
CVE-2017-12973
3.1 LOW
What is CVE-2017-12973?
Nimbus JOSE+JWT prior to version 4.39 fails to properly handle an invalid HMAC during AES-CBC decryption. This flaw can lead to a padding oracle attack, allowing adversaries to compromise encrypted data by taking advantage of timing discrepancies in the decryption process. Proper security measures should be implemented to mitigate this risk.
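The defensive pattern for this class of bug is to verify the HMAC over the ciphertext first and stop on a mismatch, so that the padding check never runs on unauthenticated data. The following is an added example, not code from Nimbus JOSE+JWT: the class and method names are hypothetical, the keys and messages are constructed, and the tag layout is assumed to follow the AES_128_CBC_HMAC_SHA_256 construction of RFC 7518.

```java
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;

public class VerifyThenDecrypt { // hypothetical demo class, not Nimbus JOSE+JWT code
    // Tag = first 16 bytes of HMAC-SHA256 over AAD || IV || ciphertext || 64-bit AAD bit length.
    static byte[] tag(byte[] macKey, byte[] aad, byte[] iv, byte[] ct) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(macKey, "HmacSHA256"));
        mac.update(aad); mac.update(iv); mac.update(ct);
        mac.update(ByteBuffer.allocate(8).putLong(aad.length * 8L).array());
        return Arrays.copyOf(mac.doFinal(), 16);
    }

    static byte[] aesCbc(int mode, byte[] encKey, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        return c.doFinal(in);
    }

    static byte[] decrypt(byte[] macKey, byte[] encKey, byte[] aad, byte[] iv, byte[] ct, byte[] t)
            throws GeneralSecurityException {
        // Constant-time comparison; on mismatch stop here so the padding check is never reached.
        if (!MessageDigest.isEqual(tag(macKey, aad, iv, ct), t)) {
            throw new GeneralSecurityException("authentication failed");
        }
        return aesCbc(Cipher.DECRYPT_MODE, encKey, iv, ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] macKey = new byte[16], encKey = new byte[16], iv = new byte[16];
        java.security.SecureRandom rnd = new java.security.SecureRandom();
        rnd.nextBytes(macKey); rnd.nextBytes(encKey); rnd.nextBytes(iv);
        byte[] aad = "constructed-header".getBytes(StandardCharsets.US_ASCII);
        byte[] ct = aesCbc(Cipher.ENCRYPT_MODE, encKey, iv, "constructed sample".getBytes(StandardCharsets.UTF_8));
        byte[] t = tag(macKey, aad, iv, ct);
        System.out.println(new String(decrypt(macKey, encKey, aad, iv, ct, t), StandardCharsets.UTF_8));
        ct[ct.length - 1] ^= 1; // constructed tampering: flip one bit of the last ciphertext block
        try {
            decrypt(macKey, encKey, aad, iv, ct, t);
        } catch (GeneralSecurityException e) {
            System.out.println("rejected: " + e.getMessage()); // same error whatever the padding would have been
        }
    }
}
```

Because the tampered message is rejected at the tag comparison, the caller sees one error path and one code path for every modified ciphertext, which removes the distinguishing signal a padding oracle depends on.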