CVE-2023-52428 - High Severity Vulnerability
Vulnerable Libraries - nimbus-jose-jwt-9.37.1.jar, nimbus-jose-jwt-9.8.1.jar
nimbus-jose-jwt-9.37.1.jar
Java library for Javascript Object Signing and Encryption (JOSE) and
JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to dependency file: /data-prepper-plugins/s3-sink/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.1/940fec997571d75f391afe3988b7fbef7b04b3be/nimbus-jose-jwt-9.37.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.1/940fec997571d75f391afe3988b7fbef7b04b3be/nimbus-jose-jwt-9.37.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.1/940fec997571d75f391afe3988b7fbef7b04b3be/nimbus-jose-jwt-9.37.1.jar
Dependency Hierarchy:
- ❌ nimbus-jose-jwt-9.37.1.jar (Vulnerable Library)
nimbus-jose-jwt-9.8.1.jar
Java library for Javascript Object Signing and Encryption (JOSE) and
JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to dependency file: /data-prepper-plugins/s3-source/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.8.1/2af7f734313320e4b156522d22ce32b775633909/nimbus-jose-jwt-9.8.1.jar
Dependency Hierarchy:
- hadoop-common-3.3.6.jar (Root Library)
- hadoop-auth-3.3.6.jar
- ❌ nimbus-jose-jwt-9.8.1.jar (Vulnerable Library)
Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56
Found in base branch: main
Vulnerability Details
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Publish Date: 2024-02-11
URL: CVE-2023-52428
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52428
Release Date: 2024-02-11
Fix Resolution: 9.37.2
CVE-2023-52428 - High Severity Vulnerability
nimbus-jose-jwt-9.37.1.jar
Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to dependency file: /data-prepper-plugins/s3-sink/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.1/940fec997571d75f391afe3988b7fbef7b04b3be/nimbus-jose-jwt-9.37.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.1/940fec997571d75f391afe3988b7fbef7b04b3be/nimbus-jose-jwt-9.37.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.37.1/940fec997571d75f391afe3988b7fbef7b04b3be/nimbus-jose-jwt-9.37.1.jar
Dependency Hierarchy:
nimbus-jose-jwt-9.8.1.jar
Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)
Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt
Path to dependency file: /data-prepper-plugins/s3-source/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.8.1/2af7f734313320e4b156522d22ce32b775633909/nimbus-jose-jwt-9.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56
Found in base branch: main
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Publish Date: 2024-02-11
URL: CVE-2023-52428
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-52428
Release Date: 2024-02-11
Fix Resolution: 9.37.2