CVE-2017-12973

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-12973
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12973.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-12973
Aliases
Published
2017-08-20T16:29:00Z
Modified
2025-09-19T08:49:58.318163Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
[none]
Details

Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.

References

Affected packages

Git / bitbucket.org/connect2id/nimbus-jose-jwt

Affected ranges

Type
GIT
Repo
https://bitbucket.org/connect2id/nimbus-jose-jwt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
6a29f10f723f406eb25555f55842c59a43a38912

Affected versions

2.*

2.0
2.0.1
2.1
2.1.1
2.10
2.10.1
2.11.0
2.12.0
2.13.0
2.13.1
2.14.0
2.15.0
2.15.1
2.15.2
2.16
2.17
2.17.1
2.17.2
2.18
2.18.1
2.18.2
2.19
2.19.1
2.2
2.20
2.21
2.22
2.22.1
2.23
2.24
2.25
2.26
2.26.1
2.3
2.4
2.5
2.6
2.7
2.8
2.9

3.*

3.0
3.1
3.1.1
3.1.2
3.10
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.6
3.7
3.8
3.8.1
3.8.2
3.9
3.9.1
3.9.2

4.*

4.0
4.0-rc1
4.0-rc2
4.0-rc3
4.0-rc4
4.0.1
4.1
4.1.1
4.10
4.11
4.11.1
4.11.2
4.12
4.13.1
4.14
4.15
4.15.1
4.16
4.16.1
4.16.2
4.17
4.18
4.19
4.2
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.26.1
4.27
4.27.1
4.28
4.29
4.3
4.3.1
4.30
4.31.1
4.32
4.33
4.34
4.34.1
4.34.2
4.35
4.36
4.36.1
4.37
4.37.1
4.38
4.4
4.5
4.6
4.7
4.8
4.9

Database specific

{
    "vanir_signatures": [
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "36435077182769648824144539200763482764",
                    "221225405666008085863157926433643063529",
                    "248275944443145673308968769694312607101",
                    "320447986941090818350865767914465061256",
                    "257738106142193723590480276808990837124",
                    "190253527059679348300378316158431539755",
                    "15674162120766882722956143379512560123"
                ]
            },
            "id": "CVE-2017-12973-83ba7880",
            "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java"
            },
            "deprecated": false
        },
        {
            "digest": {
                "function_hash": "30873108536757750440668463301508600213",
                "length": 831.0
            },
            "id": "CVE-2017-12973-8fddb8aa",
            "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "src/main/java/com/nimbusds/jose/crypto/AESCBC.java",
                "function": "decryptAuthenticated"
            },
            "deprecated": false
        },
        {
            "digest": {
                "function_hash": "236213427891800737982253186864940241476",
                "length": 1109.0
            },
            "id": "CVE-2017-12973-bc84ece8",
            "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
            "signature_version": "v1",
            "signature_type": "Function",
            "target": {
                "file": "src/main/java/com/nimbusds/jose/crypto/AESCBC.java",
                "function": "decryptWithConcatKDF"
            },
            "deprecated": false
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "35018700141178900754895011799387586413",
                    "23210894372056268032297871442564513847",
                    "102375337653080225852646387558193098844",
                    "143802061001915409894760621002970574355",
                    "186448877813480750470093697857407943500",
                    "156186524451473883298028680057499734344",
                    "314799720785399631741077152447637097045",
                    "332890821269199314396999039272601680450",
                    "115380475547764836096130112939018077308",
                    "112515943459359502487605947776116967647",
                    "172612522757869334105109761993727279884",
                    "142039361351170592512047791599796892391",
                    "95946088047134294800092685466486312825",
                    "60152373669270615370440034498579187985",
                    "280492070757543771453027851327819029791",
                    "221403414440494563007614824018889324485",
                    "1894466923688934958026594011629943405",
                    "59741151086996169066197142383462513440",
                    "233078262287712076948859519221598030403",
                    "30861009376071704210913003331615204446",
                    "332947917171967944776808918114577282512",
                    "18136453160694785944270925616851898192",
                    "40475491843953653643162699661677929363",
                    "151246875674351598710595633477384636928",
                    "322974018495388437913836007418169443313",
                    "76069166384751547997871421196598149788",
                    "44437097317994459278761123799175645327",
                    "277190829670493988396513370163311149761",
                    "94546924572782216804672716981269134975",
                    "82318690769468239319429518385763591879"
                ]
            },
            "id": "CVE-2017-12973-f4fd57ce",
            "source": "https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912",
            "signature_version": "v1",
            "signature_type": "Line",
            "target": {
                "file": "src/main/java/com/nimbusds/jose/crypto/AESCBC.java"
            },
            "deprecated": false
        }
    ]
}