Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass. References: https://connect2id.com/blog/nimbus-jose-jwt-7-9 https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
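An added defensive example, not code from the Nimbus project or from this bug report: a fail-closed wrapper that treats any exception raised while parsing or verifying a token, including the unchecked exceptions the advisory describes, as an authentication failure instead of letting it propagate and crash the request handler. The class name, the HMAC secret and the malformed inputs are constructed for illustration; the Nimbus calls used (SignedJWT.parse, MACVerifier, verify, getJWTClaimsSet) are the library's public API.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import java.util.Optional;

public final class FailClosedJwtParser {
    private final JWSVerifier verifier;

    // Hypothetical HMAC secret (at least 32 bytes for HS256), constructed for this example.
    FailClosedJwtParser(byte[] hmacSecret) throws JOSEException {
        this.verifier = new MACVerifier(hmacSecret);
    }

    /**
     * Returns the verified claims, or empty on ANY failure. RuntimeException is
     * caught on purpose: the advisory is about unchecked exceptions escaping
     * SignedJWT.parse() on malformed input, and a caller that only catches
     * ParseException would let them propagate (crash or, worse, bypass).
     */
    Optional<JWTClaimsSet> parseAndVerify(String compactJwt) {
        try {
            SignedJWT jwt = SignedJWT.parse(compactJwt);
            // Verify the signature before trusting anything in the payload.
            if (!jwt.verify(verifier)) {
                return Optional.empty();
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || exp.before(new Date())) {
                return Optional.empty();
            }
            return Optional.of(claims);
        } catch (ParseException | JOSEException | RuntimeException e) {
            // Fail closed: unparseable or unverifiable means "not authenticated".
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws JOSEException {
        byte[] secret = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        FailClosedJwtParser p = new FailClosedJwtParser(secret);
        // Constructed malformed inputs: wrong segment count, then junk base64 in each part.
        System.out.println(p.parseAndVerify("not-a-jwt").isPresent());
        System.out.println(p.parseAndVerify("eyJ.!!!.sig").isPresent());
    }
}
```

Whether or not the library version is patched, keeping the catch clause broad means a parsing defect in a dependency surfaces as a rejected request rather than an unhandled error.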
Created nimbus-jose-jwt tracking bugs for this issue: Affects: fedora-all [bug 1764792]
Note: the latest version is 8.2; compared to 5.12 a new dependency is needed: [WARNING] The POM for com.google.crypto.tink:tink:jar:1.2.2 is missing, no dependency information available. I'll try to understand how difficult it will be to get the new dependency packaged.
Statement: In Red Hat Virtualization 4.2, nimbus-jose-jwt was bundled in the rhvm-dependencies package. In Red Hat Virtualization 4.3, nimbus-jose-jwt was made available as a separate package and is no longer bundled in rhvm-dependencies. Thus, rhvm-dependencies only contained this vulnerability in the 4.2 EUS stream; the 4.3 version of rhvm-dependencies is not affected.
This issue has been addressed in the following products:
  Red Hat Virtualization Engine 4.3
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
Via RHSA-2020:1308 https://access.redhat.com/errata/RHSA-2020:1308
This issue has been addressed in the following products:
  Red Hat Virtualization Engine 4.4
Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-17195