CVE-2019-17195

Published: Oct 15, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

Affected (18)

Products: Connect2id: Nimbus Jose+jwt · Apache: Hadoop · Oracle: Communications Cloud Native Core Security Edge Protection Proxy, Communications Pricing Design Center, Data Integrator, Enterprise Manager Base Platform, Healthcare Data Repository, Insurance Policy Administration, Jd Edwards Enterpriseone Orchestrator, Jd Edwards Enterpriseone Tools, Peoplesoft Enterprise Peopletools, Policy Automation, Primavera Gateway, Solaris Cluster, Weblogic Server

1 product

Nimbus Jose+jwt

1 product

13 products

Communications Cloud Native Core Security Edge Protection Proxy

Communications Pricing Design Center

Data Integrator

Enterprise Manager Base Platform

Healthcare Data Repository

Insurance Policy Administration

Jd Edwards Enterpriseone Orchestrator

Jd Edwards Enterpriseone Tools

Peoplesoft Enterprise Peopletools

Policy Automation

Primavera Gateway

Solaris Cluster

Weblogic Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Connect2id Nimbus Jose+jwt	Before 7.9

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Apache Hadoop	Version 3.2.1

Configuration C

16 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Cloud Native Core Security Edge Protection Proxy	Version 1.7.0
Oracle Communications Pricing Design Center	Version 12.0.0.3.0
Oracle Data Integrator	Version 12.2.1.4.0
Oracle Enterprise Manager Base Platform	Version 13.4.0.0
Oracle Healthcare Data Repository	Version 8.1.0
Oracle Insurance Policy Administration	From 11.0 to 11.3.1
Oracle Jd Edwards Enterpriseone Orchestrator	Up to 9.2.5.3
Oracle Jd Edwards Enterpriseone Tools	Up to 9.2.5.3
Oracle Peoplesoft Enterprise Peopletools	Version 8.58
Oracle Peoplesoft Enterprise Peopletools	Version 8.59
Oracle Policy Automation	From 12.2.0 to 12.2.22
Oracle Primavera Gateway	From 18.8.0 to 18.8.11
Oracle Primavera Gateway	Version 19.12.0
Oracle Solaris Cluster	Version 4.0
Oracle Weblogic Server	Version 12.2.1.3.0
Oracle Weblogic Server	Version 12.2.1.4.0

Related CWEs

Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

References (32)

https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt

Source: cve@mitre.org

Release NotesThird Party Advisory

https://connect2id.com/blog/nimbus-jose-jwt-7-9

Source: cve@mitre.org

Release NotesVendor Advisory

https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d%40%3Ccommon-dev.hadoop.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41%40%3Ccommon-issues.hadoop.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a%40%3Cdev.avro.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98%40%3Cdev.avro.apache.org%3E

Source: cve@mitre.org

https://www.oracle.com//security-alerts/cpujul2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Source: cve@mitre.org

Not Applicable

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://connect2id.com/blog/nimbus-jose-jwt-7-9

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://lists.apache.org/thread.html/8768553cda5838f59ee3865cac546e824fa740e82d9dc2a7fc44e80d%40%3Ccommon-dev.hadoop.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/e10d43984f39327e443e875adcd4a5049193a7c010e81971908caf41%40%3Ccommon-issues.hadoop.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r2667286c8ceffaf893b16829b9612d8f7c4ee6b30362c6c1b583e3c2%40%3Ccommits.druid.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r33dc233634aedb04fa77db3eb79ea12d15ca4da89fa46a1c585ecb0b%40%3Ccommits.druid.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r35f6301a3e6a56259224786dd9c2a935ba27ff6b494d15a3b66efe6a%40%3Cdev.avro.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r5e08837e695efd36be73510ce58ec05785dbcea077819d8acc2d990d%40%3Ccommits.druid.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rcac26c2d4df22341fa6ebbfe93ba1eff77d2dcd3f6106a1dc1f9ac98%40%3Cdev.avro.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.oracle.com//security-alerts/cpujul2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

Not Applicable

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.