Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.
The product does not validate or incorrectly validates the integrity check values or “checksums” of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nimbus_jose+jwt | Connect2id | 1.0 (including) | 1.0 (including) |
| Nimbus_jose+jwt | Connect2id | 1.1 (including) | 1.1 (including) |
| Nimbus_jose+jwt | Connect2id | 1.2 (including) | 1.2 (including) |
| Nimbus_jose+jwt | Connect2id | 1.3 (including) | 1.3 (including) |
| Nimbus_jose+jwt | Connect2id | 1.4 (including) | 1.4 (including) |
| Nimbus_jose+jwt | Connect2id | 1.5 (including) | 1.5 (including) |
| Nimbus_jose+jwt | Connect2id | 1.6 (including) | 1.6 (including) |
| Nimbus_jose+jwt | Connect2id | 1.7 (including) | 1.7 (including) |
| Nimbus_jose+jwt | Connect2id | 1.8 (including) | 1.8 (including) |
| Nimbus_jose+jwt | Connect2id | 1.9 (including) | 1.9 (including) |
| Nimbus_jose+jwt | Connect2id | 1.9.1 (including) | 1.9.1 (including) |
| Nimbus_jose+jwt | Connect2id | 1.10 (including) | 1.10 (including) |
| Nimbus_jose+jwt | Connect2id | 1.11 (including) | 1.11 (including) |
| Nimbus_jose+jwt | Connect2id | 1.12 (including) | 1.12 (including) |
| Nimbus_jose+jwt | Connect2id | 2.0 (including) | 2.0 (including) |
| Nimbus_jose+jwt | Connect2id | 2.0.1 (including) | 2.0.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.1 (including) | 2.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.1.1 (including) | 2.1.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.2 (including) | 2.2 (including) |
| Nimbus_jose+jwt | Connect2id | 2.3 (including) | 2.3 (including) |
| Nimbus_jose+jwt | Connect2id | 2.4 (including) | 2.4 (including) |
| Nimbus_jose+jwt | Connect2id | 2.5 (including) | 2.5 (including) |
| Nimbus_jose+jwt | Connect2id | 2.6 (including) | 2.6 (including) |
| Nimbus_jose+jwt | Connect2id | 2.7 (including) | 2.7 (including) |
| Nimbus_jose+jwt | Connect2id | 2.8 (including) | 2.8 (including) |
| Nimbus_jose+jwt | Connect2id | 2.9 (including) | 2.9 (including) |
| Nimbus_jose+jwt | Connect2id | 2.10 (including) | 2.10 (including) |
| Nimbus_jose+jwt | Connect2id | 2.10.1 (including) | 2.10.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.11.0 (including) | 2.11.0 (including) |
| Nimbus_jose+jwt | Connect2id | 2.12.0 (including) | 2.12.0 (including) |
| Nimbus_jose+jwt | Connect2id | 2.13.0 (including) | 2.13.0 (including) |
| Nimbus_jose+jwt | Connect2id | 2.13.1 (including) | 2.13.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.14 (including) | 2.14 (including) |
| Nimbus_jose+jwt | Connect2id | 2.15 (including) | 2.15 (including) |
| Nimbus_jose+jwt | Connect2id | 2.15.1 (including) | 2.15.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.15.2 (including) | 2.15.2 (including) |
| Nimbus_jose+jwt | Connect2id | 2.16 (including) | 2.16 (including) |
| Nimbus_jose+jwt | Connect2id | 2.17 (including) | 2.17 (including) |
| Nimbus_jose+jwt | Connect2id | 2.17.1 (including) | 2.17.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.17.2 (including) | 2.17.2 (including) |
| Nimbus_jose+jwt | Connect2id | 2.18 (including) | 2.18 (including) |
| Nimbus_jose+jwt | Connect2id | 2.18.1 (including) | 2.18.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.18.2 (including) | 2.18.2 (including) |
| Nimbus_jose+jwt | Connect2id | 2.19 (including) | 2.19 (including) |
| Nimbus_jose+jwt | Connect2id | 2.19.1 (including) | 2.19.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.20 (including) | 2.20 (including) |
| Nimbus_jose+jwt | Connect2id | 2.21 (including) | 2.21 (including) |
| Nimbus_jose+jwt | Connect2id | 2.22 (including) | 2.22 (including) |
| Nimbus_jose+jwt | Connect2id | 2.22.1 (including) | 2.22.1 (including) |
| Nimbus_jose+jwt | Connect2id | 2.23 (including) | 2.23 (including) |
| Nimbus_jose+jwt | Connect2id | 2.24 (including) | 2.24 (including) |
| Nimbus_jose+jwt | Connect2id | 2.25 (including) | 2.25 (including) |
| Nimbus_jose+jwt | Connect2id | 2.26 (including) | 2.26 (including) |
| Nimbus_jose+jwt | Connect2id | 2.26.1 (including) | 2.26.1 (including) |
| Nimbus_jose+jwt | Connect2id | 3.0 (including) | 3.0 (including) |
| Nimbus_jose+jwt | Connect2id | 3.1 (including) | 3.1 (including) |
| Nimbus_jose+jwt | Connect2id | 3.1.1 (including) | 3.1.1 (including) |
| Nimbus_jose+jwt | Connect2id | 3.1.2 (including) | 3.1.2 (including) |
| Nimbus_jose+jwt | Connect2id | 3.2 (including) | 3.2 (including) |
| Nimbus_jose+jwt | Connect2id | 3.2.1 (including) | 3.2.1 (including) |
| Nimbus_jose+jwt | Connect2id | 3.2.2 (including) | 3.2.2 (including) |
| Nimbus_jose+jwt | Connect2id | 3.3 (including) | 3.3 (including) |
| Nimbus_jose+jwt | Connect2id | 3.4 (including) | 3.4 (including) |
| Nimbus_jose+jwt | Connect2id | 3.5 (including) | 3.5 (including) |
| Nimbus_jose+jwt | Connect2id | 3.6 (including) | 3.6 (including) |
| Nimbus_jose+jwt | Connect2id | 3.7 (including) | 3.7 (including) |
| Nimbus_jose+jwt | Connect2id | 3.8 (including) | 3.8 (including) |
| Nimbus_jose+jwt | Connect2id | 3.8.1 (including) | 3.8.1 (including) |
| Nimbus_jose+jwt | Connect2id | 3.8.2 (including) | 3.8.2 (including) |
| Nimbus_jose+jwt | Connect2id | 3.9 (including) | 3.9 (including) |
| Nimbus_jose+jwt | Connect2id | 3.9.1 (including) | 3.9.1 (including) |
| Nimbus_jose+jwt | Connect2id | 3.9.2 (including) | 3.9.2 (including) |
| Nimbus_jose+jwt | Connect2id | 3.10 (including) | 3.10 (including) |
| Nimbus_jose+jwt | Connect2id | 4.0 (including) | 4.0 (including) |
| Nimbus_jose+jwt | Connect2id | 4.0.1 (including) | 4.0.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.1 (including) | 4.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.1.1 (including) | 4.1.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.2 (including) | 4.2 (including) |
| Nimbus_jose+jwt | Connect2id | 4.3 (including) | 4.3 (including) |
| Nimbus_jose+jwt | Connect2id | 4.3.1 (including) | 4.3.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.4 (including) | 4.4 (including) |
| Nimbus_jose+jwt | Connect2id | 4.5 (including) | 4.5 (including) |
| Nimbus_jose+jwt | Connect2id | 4.6 (including) | 4.6 (including) |
| Nimbus_jose+jwt | Connect2id | 4.7 (including) | 4.7 (including) |
| Nimbus_jose+jwt | Connect2id | 4.8 (including) | 4.8 (including) |
| Nimbus_jose+jwt | Connect2id | 4.9 (including) | 4.9 (including) |
| Nimbus_jose+jwt | Connect2id | 4.10 (including) | 4.10 (including) |
| Nimbus_jose+jwt | Connect2id | 4.11 (including) | 4.11 (including) |
| Nimbus_jose+jwt | Connect2id | 4.11.1 (including) | 4.11.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.11.2 (including) | 4.11.2 (including) |
| Nimbus_jose+jwt | Connect2id | 4.12 (including) | 4.12 (including) |
| Nimbus_jose+jwt | Connect2id | 4.13 (including) | 4.13 (including) |
| Nimbus_jose+jwt | Connect2id | 4.13.1 (including) | 4.13.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.14 (including) | 4.14 (including) |
| Nimbus_jose+jwt | Connect2id | 4.15 (including) | 4.15 (including) |
| Nimbus_jose+jwt | Connect2id | 4.15.1 (including) | 4.15.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.16 (including) | 4.16 (including) |
| Nimbus_jose+jwt | Connect2id | 4.16.1 (including) | 4.16.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.16.2 (including) | 4.16.2 (including) |
| Nimbus_jose+jwt | Connect2id | 4.17 (including) | 4.17 (including) |
| Nimbus_jose+jwt | Connect2id | 4.18 (including) | 4.18 (including) |
| Nimbus_jose+jwt | Connect2id | 4.19 (including) | 4.19 (including) |
| Nimbus_jose+jwt | Connect2id | 4.20 (including) | 4.20 (including) |
| Nimbus_jose+jwt | Connect2id | 4.21 (including) | 4.21 (including) |
| Nimbus_jose+jwt | Connect2id | 4.22 (including) | 4.22 (including) |
| Nimbus_jose+jwt | Connect2id | 4.23 (including) | 4.23 (including) |
| Nimbus_jose+jwt | Connect2id | 4.24 (including) | 4.24 (including) |
| Nimbus_jose+jwt | Connect2id | 4.25 (including) | 4.25 (including) |
| Nimbus_jose+jwt | Connect2id | 4.26 (including) | 4.26 (including) |
| Nimbus_jose+jwt | Connect2id | 4.26.1 (including) | 4.26.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.27 (including) | 4.27 (including) |
| Nimbus_jose+jwt | Connect2id | 4.27.1 (including) | 4.27.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.28 (including) | 4.28 (including) |
| Nimbus_jose+jwt | Connect2id | 4.29 (including) | 4.29 (including) |
| Nimbus_jose+jwt | Connect2id | 4.30 (including) | 4.30 (including) |
| Nimbus_jose+jwt | Connect2id | 4.31 (including) | 4.31 (including) |
| Nimbus_jose+jwt | Connect2id | 4.31.1 (including) | 4.31.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.32 (including) | 4.32 (including) |
| Nimbus_jose+jwt | Connect2id | 4.33 (including) | 4.33 (including) |
| Nimbus_jose+jwt | Connect2id | 4.34 (including) | 4.34 (including) |
| Nimbus_jose+jwt | Connect2id | 4.34.1 (including) | 4.34.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.34.2 (including) | 4.34.2 (including) |
| Nimbus_jose+jwt | Connect2id | 4.35 (including) | 4.35 (including) |
| Nimbus_jose+jwt | Connect2id | 4.36.1 (including) | 4.36.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.37 (including) | 4.37 (including) |
| Nimbus_jose+jwt | Connect2id | 4.37.1 (including) | 4.37.1 (including) |
| Nimbus_jose+jwt | Connect2id | 4.38 (including) | 4.38 (including) |