Nimbus JOSE+JWT 7.9 fixes an unchecked exception vulnerability
Nimbus JOSE+JWT 7.9 fixes vulnerabilities in the code which may result in the library throwing an unchecked Java exception on certain malformed JWT or JOSE input.
Uncaught exceptions (CWE-248) could result in a crash (potential information disclosure) or a potential authentication bypass, depending on how the library is integrated into an application.
Users are advised to upgrade.
The CVSSv3 score is 6.0 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:F/RL:O/RC:C.
The vulnerability was allocated CVE-2019-17195.
We thank the Oracle Cloud Infrastructure (OCI) Security Research Team and their member, Devin Cook, for the discovery and reporting.
Release notes
version 7.9 (2019-10-05)
- Adds new static null-safe Base64.from(String) and Base64URL.from(String) methods.
- Makes JWKSet and KeyUse serializable (iss #330).
- Fixes NPE when parsing JOSE header with missing or null "alg" (iss #332). Allocated CVE-2019-17195.
- Fixes IllegalArgumentException when parsing JOSE header with null "typ" (iss #333). Allocated CVE-2019-17195.
- Fixes NPE when parsing JOSE header with null "crit" (iss #334). Allocated CVE-2019-17195.
- Fixes NPE when parsing JOSE header with null "jwk" (iss #335). Allocated CVE-2019-17195.
- Fixes NPE when parsing JOSE header with null BASE64 or BASE65URL encoded parameters (iss #336). Allocated CVE-2019-17195.
- Fixes IllegalArgumentException when parsing JWE header with null "zip" (iss #337). Allocated CVE-2019-17195.
- Catch unexpected exceptions in JSONObjectUtils.parse and rethrow as ParseException. Allocated CVE-2019-17195.