Vulnerability Description
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
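As an added example that is not Nimbus JOSE+JWT's own code, the Python snippet below shows the kind of explicit on-curve check the fix introduces: a JWK EC public key's x and y coordinates are verified against the P-256 curve equation before any key object is built from them. The curve constants are the standard NIST P-256 parameters; the two sample JWKs are constructed here.

```python
# Added example, not Nimbus JOSE+JWT code: the explicit on-curve check that the
# fix for CVE-2017-12974 adds, applied to a JWK "EC" public key before any key
# object is built from it. P-256 parameters are the standard NIST values; the
# two sample JWKs are constructed here, not taken from any real token.
import base64

# NIST P-256 (secp256r1): y^2 = x^3 + a*x + b (mod p), base point G.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

def b64url_to_int(s: str) -> int:
    """Decode an unpadded base64url JWK coordinate into an integer."""
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def int_to_b64url(v: int, size: int = 32) -> str:
    """Encode a coordinate as fixed-width unpadded base64url (JWK style)."""
    return base64.urlsafe_b64encode(v.to_bytes(size, "big")).decode().rstrip("=")

def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) is an affine point on P-256 (the point at infinity is not)."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0

def validate_ec_jwk(jwk: dict) -> bool:
    """Accept an EC JWK only if its public point lies on the declared curve.

    Without this check a point that is not on P-256 would reach the JCE
    provider unvalidated, which is the condition the CVE describes.
    Only P-256 is handled in this example."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-256":
        return False
    try:
        x, y = b64url_to_int(jwk["x"]), b64url_to_int(jwk["y"])
    except (KeyError, ValueError):
        return False
    return is_on_curve(x, y)

# Constructed samples: the base point G (valid) and G with y shifted by one
# (not on P-256, so it must be rejected before any ECDH/ECDSA use).
GOOD_JWK = {"kty": "EC", "crv": "P-256",
            "x": int_to_b64url(P256_GX), "y": int_to_b64url(P256_GY)}
BAD_JWK = {"kty": "EC", "crv": "P-256",
           "x": int_to_b64url(P256_GX), "y": int_to_b64url(P256_GY + 1)}
```

The same check applies to P-384 and P-521 with their own parameters; a library should run it for every curve it accepts, not rely on the JCE provider doing so.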
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Connect2Id | Nimbus Jose+Jwt | 1.0 |
Related Weaknesses (CWE)
References
- https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9 (Third Party Advisory)
- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-e (Patch, Third Party Advisory)
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt (Release Notes, Third Party Advisory)
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b667
FAQ
What is CVE-2017-12974?
CVE-2017-12974 is a vulnerability with a CVSS score of 7.5 (HIGH). Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack ...
How severe is CVE-2017-12974?
CVE-2017-12974 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-12974?
Check the references section above for vendor advisories and patch information. Affected products include: Connect2Id Nimbus Jose+Jwt.