QwikSec

Security Database

CVE

CWE

Training

CVE-2017-12972

Published: Aug 20, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc

x_refsource_CONFIRM

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c

x_refsource_CONFIRM

https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt

x_refsource_CONFIRM

[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.