connect2id 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk denial of service に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で アプリケーションクラッシュ and vendor impact information disclosure などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2023-52428 | In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. | [email protected] | 7.5 | 0.08% | 2024-02-11 | 2024-11-21 |
| CVE-2019-17195 | Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. | [email protected] | 9.8 | 4.27% | 2019-10-15 | 2024-11-21 |
| CVE-2017-12974 | Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation. | [email protected] | 7.5 | 0.14% | 2017-08-20 | 2026-05-13 |
| CVE-2017-12973 | Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack. | [email protected] | 3.1 | 0.23% | 2017-08-20 | 2026-05-13 |
| CVE-2017-12972 | In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC. | [email protected] | 7.5 | 0.16% | 2017-08-20 | 2026-05-13 |