Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY2dmYtcHE4Yy02OW00
Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
Permalink: https://github.com/advisories/GHSA-f6vf-pq8c-69m4JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY2dmYtcHE4Yy02OW00
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 5 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.01988
EPSS Percentile: 0.88505
Identifiers: GHSA-f6vf-pq8c-69m4, CVE-2019-17195
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-17195
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
- https://connect2id.com/blog/nimbus-jose-jwt-7-9
- https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a@%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98@%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d@%3Ccommits.druid.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://github.com/advisories/GHSA-f6vf-pq8c-69m4
Blast Radius: 37.2
Affected Packages
maven:com.nimbusds:nimbus-jose-jwt
Dependent packages: 806Dependent repositories: 6,282
Downloads:
Affected Version Ranges: < 7.9
Fixed in: 7.9
All affected versions: 2.10.1, 2.11.0, 2.12.0, 2.13.0, 2.13.1, 2.14.0, 2.15.0, 2.15.1, 2.15.2, 2.17.1, 2.17.2, 2.18.1, 2.18.2, 2.19.1, 2.22.1, 2.26.1, 3.1.1, 3.1.2, 3.2.1, 3.2.2, 3.8.1, 3.8.2, 3.9.1, 3.9.2, 4.0.1, 4.1.1, 4.3.1, 4.11.1, 4.11.2, 4.13.1, 4.15.1, 4.16.1, 4.16.2, 4.26.1, 4.27.1, 4.31.1, 4.34.1, 4.34.2, 4.36.1, 4.37.1, 4.39.1, 4.39.2, 4.41.1, 4.41.2, 4.41.3, 6.0.1, 6.0.2, 6.1.1, 6.3.1, 6.4.1, 6.4.2, 6.5.1, 7.0.1, 7.2.1, 7.5.1, 7.8.1
All unaffected versions: 8.2.1, 8.4.1, 8.5.1, 8.14.1, 8.17.1, 8.18.1, 8.20.1, 8.20.2, 8.21.1, 8.22.1, 9.0.1, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.4.1, 9.4.2, 9.6.1, 9.8.1, 9.9.1, 9.9.2, 9.9.3, 9.10.1, 9.11.1, 9.11.2, 9.11.3, 9.12.1, 9.15.1, 9.15.2, 9.16.1, 9.21.1, 9.24.1, 9.24.2, 9.24.3, 9.24.4, 9.25.1, 9.25.2, 9.25.3, 9.25.4, 9.25.5, 9.25.6, 9.30.1, 9.30.2, 9.37.1, 9.37.2, 9.37.3, 9.39.1, 9.39.2, 9.39.3, 9.41.1, 9.41.2