Vulnerability Name: CVE-2019-17195 (CCN-169514)
Assigned: 2019-10-05
Published: 2019-10-05
Updated: 2022-06-07

Summary: Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

CVSS v3 Severity:
  9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
    Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

  6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
  5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
    Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): Low

CVSS v2 Severity:
  6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

  6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): Partial
Vulnerability Type: CWE-755
Vulnerability Consequences: Denial of Service

References:
  Source: MITRE; Type: CNA; CVE-2019-17195
  Source: CONFIRM; Type: Release Notes, Third Party Advisory; https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/SECURITY-CHANGELOG.txt
  Source: CCN; Type: Connect2id Blog, 2019-10-07; Nimbus JOSE+JWT 7.9 fixes an unchecked exception vulnerability
  Source: CONFIRM; Type: Release Notes, Vendor Advisory; https://connect2id.com/blog/nimbus-jose-jwt-7-9
  Source: CCN; Type: Connect2id Web site; Nimbus JOSE+JWT
  Source: XF; Type: UNKNOWN; connect2id-cve201917195-dos(169514)
  Source: MLIST; Type: Mailing List, Third Party Advisory; [hadoop-common-dev] 20191107 [jira] [Created] (HADOOP-16690) Update dependency com.nimbusds:nimbus-jose-jwt due to security vulnerability
  Source: MLIST; Type: Mailing List, Third Party Advisory; [hadoop-common-issues] 20191107 [jira] [Created] (HADOOP-16690) Update dependency com.nimbusds:nimbus-jose-jwt due to security vulnerability
  Source: MLIST; Type: Mailing List, Third Party Advisory; [druid-commits] 20210506 [GitHub] [druid] maytasm commented on a change in pull request #11215: Suppressing false positive CVE-2020-7791
  Source: MLIST; Type: Mailing List, Third Party Advisory; [druid-commits] 20210506 [GitHub] [druid] jihoonson commented on a change in pull request #11215: Suppressing false positive CVE-2020-7791
  Source: MLIST; Type: Mailing List, Third Party Advisory; [avro-dev] 20210416 [jira] [Commented] (AVRO-3111) CVE-2019-17195
  Source: MLIST; Type: Mailing List, Third Party Advisory; [druid-commits] 20210507 [druid] branch 0.21.1 updated: Suppressing false positive CVE-2020-7791 (#11215) (#11217)
  Source: MLIST; Type: Mailing List, Third Party Advisory; [avro-dev] 20210415 [jira] [Created] (AVRO-3111) CVE-2019-17195
  Source: CCN; Type: IBM Security Bulletin 2116215 (Watson Machine Learning Accelerator); Vulnerabilities in Nimbus JOSE+JWT affect IBM Watson Machine Learning Accelerator 1.2.1
  Source: CCN; Type: IBM Security Bulletin 6198380 (DB2 for Linux, UNIX and Windows); Multiple vulnerabilities in dependent libraries affect IBM Db2 leading to denial of service or privilege escalation.
  Source: CCN; Type: IBM Security Bulletin 6210366 (Monitoring); Multiple vulnerabilities have been identified in DB2 that affect the IBM Performance Management product
  Source: CCN; Type: IBM Security Bulletin 6347588 (Security Guardium); IBM Security Guardium is affected by multiple vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6441803 (Rational DOORS Next Generation); Multiple vulnerabilities affect IBM Jazz Foundation and IBM Engineering products.
  Source: CCN; Type: IBM Security Bulletin 6444895 (Db2 Warehouse); IBM Db2 Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2
  Source: CCN; Type: IBM Security Bulletin 6449664 (QRadar SIEM); IBM QRadar SIEM is vulnerable to using components with known vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6473141 (Rational Collaborative Lifecycle Management); Multiple vulnerabilities affect IBM Jazz Foundation and IBM Engineering products.
  Source: CCN; Type: IBM Security Bulletin 6595755 (Disconnected Log Collector); IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities
  Source: CCN; Type: IBM Security Bulletin 6605881 (PureData System for Operational Analytics); Multiple security vulnerabilities have been identified in IBM DB2 shipped with IBM PureData System for Operational Analytics
  Source: CCN; Type: IBM Security Bulletin 6853461 (Robotic Process Automation for Cloud Pak); Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak.
  Source: CCN; Type: Oracle CPUApr2020; Oracle Critical Patch Update Advisory - April 2020
  Source: CCN; Type: Oracle Critical Patch Update Advisory - April 2021; Oracle Critical Patch Update Advisory - April 2021
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuApr2021.html
  Source: CCN; Type: Oracle CPUApr2022; Oracle Critical Patch Update Advisory - April 2022
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuapr2022.html
  Source: CCN; Type: Oracle CPUJan2021; Oracle Critical Patch Update Advisory - January 2021
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpujan2021.html
  Source: MISC; Type: Not Applicable; https://www.oracle.com/security-alerts/cpujan2022.html
  Source: CCN; Type: Oracle CPUJul2021; Oracle Critical Patch Update Advisory - July 2021
  Source: CCN; Type: Oracle CPUOct2021; Oracle Critical Patch Update Advisory - October 2021
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:

Configuration 1:
  cpe:/a:connect2id:nimbus_jose+jwt:*:*:*:*:*:*:*:* (Version < 7.9)

Configuration 2:
  cpe:/a:apache:hadoop:3.2.1:-:*:*:*:*:*:*

Configuration 3 (any one of):
  cpe:/a:oracle:solaris_cluster:4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  cpe:/a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*
  cpe:/a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
  cpe:/a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*
  cpe:/a:oracle:primavera_gateway:*:*:*:*:*:*:*:* (Version >= 18.8.0 and <= 18.8.11)
  cpe:/a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
  cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version <= 9.2.5.3)
  cpe:/a:oracle:policy_automation:*:*:*:*:*:*:*:* (Version >= 12.2.0 and <= 12.2.22)
  cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
  cpe:/a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.3.1)
  cpe:/a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*
  cpe:/a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:* (Version <= 9.2.5.3)

Configuration CCN 1:
  cpe:/a:connect2id:nimbus_jose+jwt:7.8:*:*:*:*:*:*:*
  AND any one of:
  cpe:/a:ibm:rational_collaborative_lifecycle_management:6.0.2:*:*:*:*:*:*:*
  cpe:/a:ibm:rational_doors_next_generation:6.0.2:*:*:*:*:*:*:*
  cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*
  cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*
  cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*
  cpe:/a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:/a:ibm:monitoring:8.1.4:*:*:*:*:*:*:*
  cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*
  cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*
  cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*
  cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  cpe:/a:oracle:primavera_gateway:19.12.0:*:*:*:*:*:*:*
  cpe:/a:ibm:rational_collaborative_lifecycle_management:7.0:*:*:*:*:*:*:*
  cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  cpe:/a:ibm:rational_doors_next_generation:7.0:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.0:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.1:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.2:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.3:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.4:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.5:*:*:*:*:*:*:*
  cpe:/a:ibm:robotic_process_automation_for_cloud_pak:21.0.6:*:*:*:*:*:*:*
Vulnerable components (vendor, product, version; duplicate rows for the same product and version on different platforms have been merged):

Configurations 1-3:
  connect2id   nimbus jose+jwt                                                  * (< 7.9)
  apache       hadoop                                                           3.2.1
  oracle       solaris cluster                                                  4.0
  oracle       weblogic server                                                  12.2.1.3.0
  oracle       weblogic server                                                  12.2.1.4.0
  oracle       peoplesoft enterprise peopletools                                8.58
  oracle       enterprise manager base platform                                 13.4.0.0
  oracle       primavera gateway                                                19.12.0
  oracle       data integrator                                                  12.2.1.4.0
  oracle       peoplesoft enterprise peopletools                                8.59
  oracle       primavera gateway                                                * (>= 18.8.0 and <= 18.8.11)
  oracle       communications pricing design center                             12.0.0.3.0
  oracle       jd edwards enterpriseone tools                                   * (<= 9.2.5.3)
  oracle       policy automation                                                * (>= 12.2.0 and <= 12.2.22)
  oracle       communications cloud native core security edge protection proxy  1.7.0
  oracle       insurance policy administration                                  * (>= 11.0 and <= 11.3.1)
  oracle       healthcare data repository                                       8.1.0
  oracle       jd edwards enterpriseone orchestrator                            * (<= 9.2.5.3)

Configuration CCN 1:
  connect2id   nimbus jose+jwt                                                  7.8
  ibm          rational collaborative lifecycle management                      6.0.2
  ibm          rational doors next generation                                   6.0.2
  ibm          db2 (linux, unix, windows)                                       11.1
  oracle       weblogic server                                                  12.2.1.3.0
  ibm          monitoring                                                       8.1.4
  ibm          qradar security information and event manager                    7.3
  ibm          db2 (linux, unix, windows)                                       11.5
  ibm          security guardium                                                11.0
  ibm          security guardium                                                11.1
  oracle       primavera gateway                                                19.12.0
  ibm          rational collaborative lifecycle management                      7.0
  ibm          qradar security information and event manager                    7.4
  ibm          rational doors next generation                                   7.0
  ibm          robotic process automation for cloud pak                         21.0.0, 21.0.1, 21.0.2, 21.0.3, 21.0.4, 21.0.5, 21.0.6