SB2019101519 - Improper input validation in Connect2id Nimbus JOSE+JWT
Published: October 15, 2019 Updated: January 9, 2020
Security Bulletin ID
SB2019101519
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2019-17195)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Nimbus JOSE+JWT throws various uncaught exceptions while parsing a JWT. A remote attacker can send a specially crafted JWT token and cause the application to crash or potentially bypass authentication.
Remediation
Install update from vendor's website.
References
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
- https://connect2id.com/blog/nimbus-jose-jwt-7-9
- https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d@%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41@%3Ccommon-issues.hadoop.apache.org%3E