Bug 1764791 (CVE-2019-17195)
| Summary: | CVE-2019-17195 nimbus-jose-jwt: Uncaught exceptions while parsing a JWT | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dblechte, dfediuck, dmoppert, eedri, lsurette, mgoldboi, michal.skrivanek, rtillery, sbonazzo, sherold, sparks, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nimbus-jose-jwt 7.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-04 19:27:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1764792, 1766412, 1766413, 1797607 | ||
| Bug Blocks: | 1764793 | ||
|
Description
Pedro Sampaio
2019-10-23 17:54:25 UTC
Created nimbus-jose-jwt tracking bugs for this issue: Affects: fedora-all [bug 1764792] Note: latest version is 8.2, compared to 5.12 a new dependency is needed: [WARNING] The POM for com.google.crypto.tink:tink:jar:1.2.2 is missing, no dependency information available I'll try to understand how difficult will be getting thie new dependency packaged. Statement: In Red Hat Virtualization 4.2, nimbus-jose-jwt was bundled in the rhvm-dependencies package. In Red Hat Virtualization 4.3, nimbus-jose-jwt was made available as a separate package and no longer bundled in rhvm-dependencies. Thus, rhvm-dependencies only contained this vulnerability in the 4.2 EUS stream, the 4.3 version of rhvm-dependencies is not affected. This issue has been addressed in the following products: Red Hat Virtualization Engine 4.3 Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2020:1308 https://access.redhat.com/errata/RHSA-2020:1308 This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17195 |