CVE-2017-12974: High severity connect2id nimbus jose+jwt vulnerability
Published Aug 20, 2017
·Updated
Connect2id Nimbus JOSE+JWT could provide weaker than expected security, caused by proceeding with ECKey construction without ensuring that the public x and y coordinates are on the specified curve. A remote attacker could exploit this vulnerability to conduct an Invalid Curve Attack.
Other sources
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
Affected Software
124 affected components
Connect2id Nimbus Jose\+jwt=1.0
Connect2id Nimbus Jose\+jwt=1.1
Connect2id Nimbus Jose\+jwt=1.2
Connect2id Nimbus Jose\+jwt=1.3
Connect2id Nimbus Jose\+jwt=1.4
Connect2id Nimbus Jose\+jwt=1.5
Connect2id Nimbus Jose\+jwt=1.6
Connect2id Nimbus Jose\+jwt=1.7
Connect2id Nimbus Jose\+jwt=1.8
Connect2id Nimbus Jose\+jwt=1.9
Connect2id Nimbus Jose\+jwt=1.9.1
Connect2id Nimbus Jose\+jwt=1.10
Connect2id Nimbus Jose\+jwt=1.11
Connect2id Nimbus Jose\+jwt=1.12
Connect2id Nimbus Jose\+jwt=2.0
Connect2id Nimbus Jose\+jwt=2.0.1
Connect2id Nimbus Jose\+jwt=2.1
Connect2id Nimbus Jose\+jwt=2.1.1
Connect2id Nimbus Jose\+jwt=2.2
Connect2id Nimbus Jose\+jwt=2.3
Connect2id Nimbus Jose\+jwt=2.4
Connect2id Nimbus Jose\+jwt=2.5
Connect2id Nimbus Jose\+jwt=2.6
Connect2id Nimbus Jose\+jwt=2.7
Connect2id Nimbus Jose\+jwt=2.8
Connect2id Nimbus Jose\+jwt=2.9
Connect2id Nimbus Jose\+jwt=2.10
Connect2id Nimbus Jose\+jwt=2.10.1
Connect2id Nimbus Jose\+jwt=2.11.0
Connect2id Nimbus Jose\+jwt=2.12.0
Connect2id Nimbus Jose\+jwt=2.13.0
Connect2id Nimbus Jose\+jwt=2.13.1
Connect2id Nimbus Jose\+jwt=2.14
Connect2id Nimbus Jose\+jwt=2.15
Connect2id Nimbus Jose\+jwt=2.15.1
Connect2id Nimbus Jose\+jwt=2.15.2
Connect2id Nimbus Jose\+jwt=2.16
Connect2id Nimbus Jose\+jwt=2.17
Connect2id Nimbus Jose\+jwt=2.17.1
Connect2id Nimbus Jose\+jwt=2.17.2
Connect2id Nimbus Jose\+jwt=2.18
Connect2id Nimbus Jose\+jwt=2.18.1
Connect2id Nimbus Jose\+jwt=2.18.2
Connect2id Nimbus Jose\+jwt=2.19
Connect2id Nimbus Jose\+jwt=2.19.1
Connect2id Nimbus Jose\+jwt=2.20
Connect2id Nimbus Jose\+jwt=2.21
Connect2id Nimbus Jose\+jwt=2.22
Connect2id Nimbus Jose\+jwt=2.22.1
Connect2id Nimbus Jose\+jwt=2.23
Connect2id Nimbus Jose\+jwt=2.24
Connect2id Nimbus Jose\+jwt=2.25
Connect2id Nimbus Jose\+jwt=2.26
Connect2id Nimbus Jose\+jwt=2.26.1
Connect2id Nimbus Jose\+jwt=3.0
Connect2id Nimbus Jose\+jwt=3.1
Connect2id Nimbus Jose\+jwt=3.1.1
Connect2id Nimbus Jose\+jwt=3.1.2
Connect2id Nimbus Jose\+jwt=3.2
Connect2id Nimbus Jose\+jwt=3.2.1
Connect2id Nimbus Jose\+jwt=3.2.2
Connect2id Nimbus Jose\+jwt=3.3
Connect2id Nimbus Jose\+jwt=3.4
Connect2id Nimbus Jose\+jwt=3.5
Connect2id Nimbus Jose\+jwt=3.6
Connect2id Nimbus Jose\+jwt=3.7
Connect2id Nimbus Jose\+jwt=3.8
Connect2id Nimbus Jose\+jwt=3.8.1
Connect2id Nimbus Jose\+jwt=3.8.2
Connect2id Nimbus Jose\+jwt=3.9
Connect2id Nimbus Jose\+jwt=3.9.1
Connect2id Nimbus Jose\+jwt=3.9.2
Connect2id Nimbus Jose\+jwt=3.10
Connect2id Nimbus Jose\+jwt=4.0
Connect2id Nimbus Jose\+jwt=4.0.1
Connect2id Nimbus Jose\+jwt=4.1
Connect2id Nimbus Jose\+jwt=4.1.1
Connect2id Nimbus Jose\+jwt=4.2
Connect2id Nimbus Jose\+jwt=4.3
Connect2id Nimbus Jose\+jwt=4.3.1
Connect2id Nimbus Jose\+jwt=4.4
Connect2id Nimbus Jose\+jwt=4.5
Connect2id Nimbus Jose\+jwt=4.6
Connect2id Nimbus Jose\+jwt=4.7
Connect2id Nimbus Jose\+jwt=4.8
Connect2id Nimbus Jose\+jwt=4.9
Connect2id Nimbus Jose\+jwt=4.10
Connect2id Nimbus Jose\+jwt=4.11
Connect2id Nimbus Jose\+jwt=4.11.1
Connect2id Nimbus Jose\+jwt=4.11.2
Connect2id Nimbus Jose\+jwt=4.12
Connect2id Nimbus Jose\+jwt=4.13
Connect2id Nimbus Jose\+jwt=4.13.1
Connect2id Nimbus Jose\+jwt=4.14
Connect2id Nimbus Jose\+jwt=4.15
Connect2id Nimbus Jose\+jwt=4.15.1
Connect2id Nimbus Jose\+jwt=4.16
Connect2id Nimbus Jose\+jwt=4.16.1
Connect2id Nimbus Jose\+jwt=4.16.2
Connect2id Nimbus Jose\+jwt=4.17
Connect2id Nimbus Jose\+jwt=4.18
Connect2id Nimbus Jose\+jwt=4.19
Connect2id Nimbus Jose\+jwt=4.20
Connect2id Nimbus Jose\+jwt=4.21
Connect2id Nimbus Jose\+jwt=4.22
Connect2id Nimbus Jose\+jwt=4.23
Connect2id Nimbus Jose\+jwt=4.24
Connect2id Nimbus Jose\+jwt=4.25
Connect2id Nimbus Jose\+jwt=4.26
Connect2id Nimbus Jose\+jwt=4.26.1
Connect2id Nimbus Jose\+jwt=4.27
Connect2id Nimbus Jose\+jwt=4.27.1
Connect2id Nimbus Jose\+jwt=4.28
Connect2id Nimbus Jose\+jwt=4.29
Connect2id Nimbus Jose\+jwt=4.30
Connect2id Nimbus Jose\+jwt=4.31
Connect2id Nimbus Jose\+jwt=4.31.1
Connect2id Nimbus Jose\+jwt=4.32
Connect2id Nimbus Jose\+jwt=4.33
Connect2id Nimbus Jose\+jwt=4.34
Connect2id Nimbus Jose\+jwt=4.34.1
Connect2id Nimbus Jose\+jwt=4.34.2
Connect2id Nimbus Jose\+jwt=4.35
IBM GDE<=3.0.0.2
Remediation
Event History
Aug 20, 2017
CVE Published
via MITRE·04:00 PM
Data Sourced
via MITRE·04:00 PM
Description
Frequently Asked Questions
1
What is CVE-2017-12974?
CVE-2017-12974 is a vulnerability in Nimbus JOSE+JWT that allows a remote attacker to conduct an Invalid Curve Attack by proceeding with ECKey construction without ensuring the public x and y coordinates are on the specified curve.
2
What software is affected by CVE-2017-12974?
Connect2id Nimbus JOSE+JWT versions 1.0 to 4.35 and IBM GDE version up to 3.0.0.2 are affected by CVE-2017-12974.
3
How severe is CVE-2017-12974?
CVE-2017-12974 has a severity rating of 7.5, which is considered high.
4
Are there any references related to CVE-2017-12974?
References related to CVE-2017-12974 include links to commits, issues, and the changelog on Bitbucket.