exploitDog

CVE-2019-17195

Published: Oct 15, 2019
Source: redhat
CVSS3: 6.5

Description

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability.

Report

In Red Hat Virtualization 4.2, nimbus-jose-jwt was bundled in the rhvm-dependencies package. In Red Hat Virtualization 4.3, nimbus-jose-jwt was made available as a separate package and is no longer bundled in rhvm-dependencies. Thus, rhvm-dependencies only contained this vulnerability in the 4.2 EUS stream; the 4.3 version of rhvm-dependencies is not affected.

Additional information

Status: Moderate
Defect: CWE-248
https://bugzilla.redhat.com/show_bug.cgi?id=1764791 (nimbus-jose-jwt: Uncaught exceptions while parsing a JWT)

CVSS3: 6.5 Medium

Related vulnerabilities

CVSS3: 9.8
nvd
more than 6 years ago

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

CVSS3: 9.8
github
more than 6 years ago

Improper Check for Unusual or Exceptional Conditions in Connect2id Nimbus JOSE+JWT

CVSS3: 9.8
fstec
more than 6 years ago

A vulnerability in the Nimbus JOSE + JWT Java library, related to an insufficient check for unusual or exceptional conditions, that allows an attacker to cause a denial of service or gain unauthorized access to protected information
