CVE-2019-17195

CRITICAL

Connect2id Nimbus Jose+jwt < 7.9 - Improper Exception Handling

Title source: rule

Description

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

Exploits (1)

nomisec SCANNER 12 stars
by somatrasss · poc
https://github.com/somatrasss/weblogic2021

References (16)

Core References (16)
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Release Notes, Third Party Advisory x_refsource_confirm
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
Release Notes, Vendor Advisory x_refsource_confirm
https://connect2id.com/blog/nimbus-jose-jwt-7-9
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 9.8
EPSS 0.0427
EPSS Percentile 88.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-755
Status published
Products (19)
apache/hadoop 3.2.1
com.nimbusds/nimbus-jose-jwt 0 - 7.9 (Maven)
connect2id/nimbus_jose+jwt < 7.9
oracle/communications_cloud_native_core_security_edge_protection_proxy 1.7.0
oracle/communications_pricing_design_center 12.0.0.3.0
oracle/data_integrator 12.2.1.4.0
oracle/enterprise_manager_base_platform 13.4.0.0
oracle/healthcare_data_repository 8.1.0
oracle/insurance_policy_administration 11.0 - 11.3.1
oracle/jd_edwards_enterpriseone_orchestrator < 9.2.5.3
... and 9 more
Published Oct 15, 2019
Tracked Since Feb 18, 2026