CVE-2017-12974

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
connect2idnimbus_jose\+jwt
1.0
connect2idnimbus_jose\+jwt
1.1
connect2idnimbus_jose\+jwt
1.2
connect2idnimbus_jose\+jwt
1.3
connect2idnimbus_jose\+jwt
1.4
connect2idnimbus_jose\+jwt
1.5
connect2idnimbus_jose\+jwt
1.6
connect2idnimbus_jose\+jwt
1.7
connect2idnimbus_jose\+jwt
1.8
connect2idnimbus_jose\+jwt
1.9
connect2idnimbus_jose\+jwt
1.9.1
connect2idnimbus_jose\+jwt
1.10
connect2idnimbus_jose\+jwt
1.11
connect2idnimbus_jose\+jwt
1.12
connect2idnimbus_jose\+jwt
2.0
connect2idnimbus_jose\+jwt
2.0.1
connect2idnimbus_jose\+jwt
2.1
connect2idnimbus_jose\+jwt
2.1.1
connect2idnimbus_jose\+jwt
2.2
connect2idnimbus_jose\+jwt
2.3
connect2idnimbus_jose\+jwt
2.4
connect2idnimbus_jose\+jwt
2.5
connect2idnimbus_jose\+jwt
2.6
connect2idnimbus_jose\+jwt
2.7
connect2idnimbus_jose\+jwt
2.8
connect2idnimbus_jose\+jwt
2.9
connect2idnimbus_jose\+jwt
2.10
connect2idnimbus_jose\+jwt
2.10.1
connect2idnimbus_jose\+jwt
2.11.0
connect2idnimbus_jose\+jwt
2.12.0
connect2idnimbus_jose\+jwt
2.13.0
connect2idnimbus_jose\+jwt
2.13.1
connect2idnimbus_jose\+jwt
2.14
connect2idnimbus_jose\+jwt
2.15
connect2idnimbus_jose\+jwt
2.15.1
connect2idnimbus_jose\+jwt
2.15.2
connect2idnimbus_jose\+jwt
2.16
connect2idnimbus_jose\+jwt
2.17
connect2idnimbus_jose\+jwt
2.17.1
connect2idnimbus_jose\+jwt
2.17.2
connect2idnimbus_jose\+jwt
2.18
connect2idnimbus_jose\+jwt
2.18.1
connect2idnimbus_jose\+jwt
2.18.2
connect2idnimbus_jose\+jwt
2.19
connect2idnimbus_jose\+jwt
2.19.1
connect2idnimbus_jose\+jwt
2.20
connect2idnimbus_jose\+jwt
2.21
connect2idnimbus_jose\+jwt
2.22
connect2idnimbus_jose\+jwt
2.22.1
connect2idnimbus_jose\+jwt
2.23
connect2idnimbus_jose\+jwt
2.24
connect2idnimbus_jose\+jwt
2.25
connect2idnimbus_jose\+jwt
2.26
connect2idnimbus_jose\+jwt
2.26.1
connect2idnimbus_jose\+jwt
3.0
connect2idnimbus_jose\+jwt
3.1
connect2idnimbus_jose\+jwt
3.1.1
connect2idnimbus_jose\+jwt
3.1.2
connect2idnimbus_jose\+jwt
3.2
connect2idnimbus_jose\+jwt
3.2.1
connect2idnimbus_jose\+jwt
3.2.2
connect2idnimbus_jose\+jwt
3.3
connect2idnimbus_jose\+jwt
3.4
connect2idnimbus_jose\+jwt
3.5
connect2idnimbus_jose\+jwt
3.6
connect2idnimbus_jose\+jwt
3.7
connect2idnimbus_jose\+jwt
3.8
connect2idnimbus_jose\+jwt
3.8.1
connect2idnimbus_jose\+jwt
3.8.2
connect2idnimbus_jose\+jwt
3.9
connect2idnimbus_jose\+jwt
3.9.1
connect2idnimbus_jose\+jwt
3.9.2
connect2idnimbus_jose\+jwt
3.10
connect2idnimbus_jose\+jwt
4.0
connect2idnimbus_jose\+jwt
4.0.1
connect2idnimbus_jose\+jwt
4.1
connect2idnimbus_jose\+jwt
4.1.1
connect2idnimbus_jose\+jwt
4.2
connect2idnimbus_jose\+jwt
4.3
connect2idnimbus_jose\+jwt
4.3.1
connect2idnimbus_jose\+jwt
4.4
connect2idnimbus_jose\+jwt
4.5
connect2idnimbus_jose\+jwt
4.6
connect2idnimbus_jose\+jwt
4.7
connect2idnimbus_jose\+jwt
4.8
connect2idnimbus_jose\+jwt
4.9
connect2idnimbus_jose\+jwt
4.10
connect2idnimbus_jose\+jwt
4.11
connect2idnimbus_jose\+jwt
4.11.1
connect2idnimbus_jose\+jwt
4.11.2
connect2idnimbus_jose\+jwt
4.12
connect2idnimbus_jose\+jwt
4.13
connect2idnimbus_jose\+jwt
4.13.1
connect2idnimbus_jose\+jwt
4.14
connect2idnimbus_jose\+jwt
4.15
connect2idnimbus_jose\+jwt
4.15.1
connect2idnimbus_jose\+jwt
4.16
connect2idnimbus_jose\+jwt
4.16.1
connect2idnimbus_jose\+jwt
4.16.2
connect2idnimbus_jose\+jwt
4.17
connect2idnimbus_jose\+jwt
4.18
connect2idnimbus_jose\+jwt
4.19
connect2idnimbus_jose\+jwt
4.20
connect2idnimbus_jose\+jwt
4.21
connect2idnimbus_jose\+jwt
4.22
connect2idnimbus_jose\+jwt
4.23
connect2idnimbus_jose\+jwt
4.24
connect2idnimbus_jose\+jwt
4.25
connect2idnimbus_jose\+jwt
4.26
connect2idnimbus_jose\+jwt
4.26.1
connect2idnimbus_jose\+jwt
4.27
connect2idnimbus_jose\+jwt
4.27.1
connect2idnimbus_jose\+jwt
4.28
connect2idnimbus_jose\+jwt
4.29
connect2idnimbus_jose\+jwt
4.30
connect2idnimbus_jose\+jwt
4.31
connect2idnimbus_jose\+jwt
4.31.1
connect2idnimbus_jose\+jwt
4.32
connect2idnimbus_jose\+jwt
4.33
connect2idnimbus_jose\+jwt
4.34
connect2idnimbus_jose\+jwt
4.34.1
connect2idnimbus_jose\+jwt
4.34.2
connect2idnimbus_jose\+jwt
4.35
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E