GHSA-f6vf-pq8c-69m4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f6vf-pq8c-69m4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/10/GHSA-f6vf-pq8c-69m4/GHSA-f6vf-pq8c-69m4.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f6vf-pq8c-69m4
- Aliases
- Published
- 2019-10-16T18:31:17Z
- Modified
- 2024-03-14T05:16:46.620488Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT
- Details
-
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-17195
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98@%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a@%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E
- https://connect2id.com/blog/nimbus-jose-jwt-7-9
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
- https://bitbucket.org/connect2id/nimbus-jose-jwt
Affected packages
Maven / com.nimbusds:nimbus-jose-jwt
Package
- Name
- com.nimbusds:nimbus-jose-jwt
- View open source insights on deps.dev
- Purl
- pkg:maven/com.nimbusds/nimbus-jose-jwt
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.9
Affected versions
2.*
2.9
2.10
2.10.1
2.11.0
2.12.0
2.13.0
2.13.1
2.14.0
2.15.0
2.15.1
2.15.2
2.16
2.17
2.17.1
2.17.2
2.18
2.18.1
2.18.2
2.19
2.19.1
2.20
2.21
2.22
2.22.1
2.23
2.24
2.25
2.26
2.26.1
3.*
3.0
3.1
3.1.1
3.1.2
3.2
3.2.1
3.2.2
3.3
3.4
3.5
3.6
3.7
3.8
3.8.1
3.8.2
3.9
3.9.1
3.9.2
3.10
4.*
4.0-rc1
4.0-rc2
4.0-rc3
4.0-rc4
4.0
4.0.1
4.1
4.1.1
4.2
4.3
4.3.1
4.4
4.5
4.6
4.7
4.8
4.9
4.10
4.11
4.11.1
4.11.2
4.12
4.13
4.13.1
4.14
4.15
4.15.1
4.16
4.16.1
4.16.2
4.17
4.18
4.19
4.20
4.21
4.22
4.23
4.24
4.25
4.26
4.26.1
4.27
4.27.1
4.28
4.29
4.30
4.31.1
4.32
4.33
4.34
4.34.1
4.34.2
4.35
4.36
4.36.1
4.37
4.37.1
4.38
4.39
4.39.1
4.39.2
4.40
4.41
4.41.1
4.41.2
4.41.3
5.*
5.0
5.1
5.2
5.3
5.4
5.5
5.6
5.7
5.8
5.9
5.10
5.11
5.12
5.13
5.14
6.*
6.0
6.0.1
6.0.2
6.1
6.1.1
6.2
6.3
6.3.1
6.4
6.4.1
6.4.2
6.5
6.5.1
6.6
6.7
6.8
7.*
7.0
7.0.1
7.1
7.2.1
7.3
7.4
7.5
7.5.1
7.6
7.7
7.8
7.8.1