Nimbus JOSE+JWT 7.9 fixes an unchecked exception vulnerability

Posted 2019-10-07

Nimbus JOSE+JWT 7.9 fixes a set of input-handling bugs that could cause the library to throw an unchecked Java exception (a NullPointerException or IllegalArgumentException) on certain malformed JWT or JOSE input, instead of the checked ParseException that callers are expected to handle.

An unchecked exception escaping the library (CWE-248, uncaught exception) can crash the thread or request that is processing the token, potentially disclosing information such as stack traces, or, depending on how the application integrates the library and what it does with exceptions that are not a ParseException, lead to an authentication bypass.

Users are advised to upgrade to 7.9 or later.

The CVSSv3 score is 6.0 (temporal score; the base score is 6.5) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:F/RL:O/RC:C.

The vulnerability was allocated CVE-2019-17195.

We thank the Oracle Cloud Infrastructure (OCI) Security Research Team and its member Devin Cook for the discovery and reporting.


Release notes

version 7.9 (2019-10-05)

  • Adds new static null-safe Base64.from(String) and Base64URL.from(String) methods.
  • Makes JWKSet and KeyUse serializable (iss #330).
  • Fixes NPE when parsing JOSE header with missing or null "alg" (iss #332). Allocated CVE-2019-17195.
  • Fixes IllegalArgumentException when parsing JOSE header with null "typ" (iss #333). Allocated CVE-2019-17195.
  • Fixes NPE when parsing JOSE header with null "crit" (iss #334). Allocated CVE-2019-17195.
  • Fixes NPE when parsing JOSE header with null "jwk" (iss #335). Allocated CVE-2019-17195.
  • Fixes NPE when parsing JOSE header with null BASE64 or BASE64URL encoded parameters (iss #336). Allocated CVE-2019-17195.
  • Fixes IllegalArgumentException when parsing JWE header with null "zip" (iss #337). Allocated CVE-2019-17195.
  • Catch unexpected exceptions in JSONObjectUtils.parse and rethrow as ParseException. Allocated CVE-2019-17195.
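
As an added example (not code from the Nimbus JOSE+JWT project or from this advisory), the following Java program feeds the library's own header parsers the kinds of malformed input listed in the release notes above (JSON null in "alg", "typ", "crit", "jwk", a Base64URL-encoded parameter, and "zip") and wraps token parsing so that it fails closed, which is the integration caveat the advisory raises. It assumes com.nimbusds:nimbus-jose-jwt 7.9 or later on the classpath; the class name, the constructed header documents, the unsigned sample token and the choice of "x5t" as the Base64URL-encoded parameter are the example's own assumptions.

```java
import java.text.ParseException;
import java.util.Optional;

import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.SignedJWT;

/**
 * Added example, not part of the Nimbus JOSE+JWT project.
 * Requires nimbus-jose-jwt 7.9 or later on the classpath.
 */
public class MalformedHeaderCheck {

    /** Constructed JOSE header documents modelled on the 7.9 release notes; none is a real token. */
    static final String[] JWS_HEADERS = {
        "{\"alg\":null}",                       // iss #332: null "alg"
        "{\"alg\":\"HS256\",\"typ\":null}",     // iss #333: null "typ"
        "{\"alg\":\"HS256\",\"crit\":null}",    // iss #334: null "crit"
        "{\"alg\":\"HS256\",\"jwk\":null}",     // iss #335: null "jwk"
        "{\"alg\":\"HS256\",\"x5t\":null}"      // iss #336: null Base64URL-encoded parameter (assumed: "x5t")
    };

    /** iss #337: null "zip" in a JWE header. */
    static final String JWE_HEADER_NULL_ZIP = "{\"alg\":\"dir\",\"enc\":\"A128GCM\",\"zip\":null}";

    /** What the parser did with one header document. */
    enum Outcome { PARSED, PARSE_EXCEPTION, UNCHECKED_EXCEPTION }

    /** Feeds a JWS header JSON document to the library and classifies the result. */
    static Outcome parseJwsHeader(String headerJson) {
        try {
            JWSHeader.parse(Base64URL.encode(headerJson));
            return Outcome.PARSED;
        } catch (ParseException e) {
            return Outcome.PARSE_EXCEPTION;       // the checked exception callers are meant to handle
        } catch (RuntimeException e) {
            return Outcome.UNCHECKED_EXCEPTION;   // NPE / IllegalArgumentException, the pre-7.9 behaviour
        }
    }

    /** Same classification for a JWE header JSON document. */
    static Outcome parseJweHeader(String headerJson) {
        try {
            JWEHeader.parse(Base64URL.encode(headerJson));
            return Outcome.PARSED;
        } catch (ParseException e) {
            return Outcome.PARSE_EXCEPTION;
        } catch (RuntimeException e) {
            return Outcome.UNCHECKED_EXCEPTION;
        }
    }

    /**
     * Fail-closed parse of an attacker-controlled compact JWS. Returns the parsed
     * token (signature NOT yet verified; verify it before trusting any claim) or
     * empty. Nothing thrown by the parser is allowed to propagate to the caller.
     */
    static Optional<SignedJWT> parseUntrusted(String token) {
        try {
            return Optional.of(SignedJWT.parse(token));
        } catch (ParseException e) {
            return Optional.empty();              // malformed token: reject
        } catch (RuntimeException e) {
            // Should not occur with 7.9+, but an unexpected exception from a
            // security check must still mean "reject", never "skip the check".
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        for (String h : JWS_HEADERS) {
            System.out.println(h + " -> " + parseJwsHeader(h));
        }
        System.out.println(JWE_HEADER_NULL_ZIP + " -> " + parseJweHeader(JWE_HEADER_NULL_ZIP));

        // Constructed compact JWS with the null-"alg" header, an arbitrary payload
        // and a placeholder signature part; it is not signed by anything.
        String token = Base64URL.encode(JWS_HEADERS[0]) + "."
            + Base64URL.encode("{\"sub\":\"alice\"}") + "."
            + Base64URL.encode("not-a-signature");
        System.out.println("parseUntrusted accepted the token: " + parseUntrusted(token).isPresent());
    }
}
```

With 7.9 or later every header line should print PARSED or PARSE_EXCEPTION; UNCHECKED_EXCEPTION is the outcome the release notes describe for earlier versions. The second catch clause in parseUntrusted is the integration point the advisory is about: a token-parsing or signature routine that fails with something other than ParseException must still end in rejection, rather than reaching a generic error handler whose behaviour for that request has never been reviewed.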