{"id":"CVE-2017-12972","details":"In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.","aliases":["GHSA-2qp9-wg27-9pcv"],"modified":"2025-11-14T05:01:49.820244Z","published":"2017-08-20T16:29:00.237Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c"},{"type":"FIX","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc"},{"type":"ADVISORY","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/connect2id/nimbus-jose-jwt","events":[{"introduced":"0"},{"fixed":"0d2bd649ea386539220d4facfe1f65eb1dadb86c"}]}],"versions":["2.0","2.0.1","2.1","2.1.1","2.10","2.10.1","2.11.0","2.12.0","2.13.0","2.13.1","2.14.0","2.15.0","2.15.1","2.15.2","2.16","2.17","2.17.1","2.17.2","2.18","2.18.1","2.18.2","2.19","2.19.1","2.2","2.20","2.21","2.22","2.22.1","2.23","2.24","2.25","2.26","2.26.1","2.3","2.4","2.5","2.6","2.7","2.8","2.9","3.0","3.1","3.1.1","3.1.2","3.10","3.2","3.2.1","3.2.2","3.3","3.4","3.5","3.6","3.7","3.8","3.8.1","3.8.2","3.9","3.9.1","3.9.2","4.0","4.0-rc1","4.0-rc2","4.0-rc3","4.0-rc4","4.0.1","4.1","4.1.1","4.10","4.11","4.11.1","4.11.2","4.12","4.13.1","4.14","4.15","4.15.1","4.16","4.16.1","4.16.2","4.17","4.18","4.19","4.2","4.20","4.21","4.22","4.23","4.24","4.25","4.26","4.26.1","4.27","4.27.1","4.28","4.29","4.3","4.3.1","4.30","4.31.1","4.32","4.33","4.34","4.34.1","4.34.2","4.35","4.36","4.36.1","4.37","4.37.1","4.38","4.4","4.5","4.6","4.7","4.8","4.9"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-011c9f1e","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/RSA1_5.java"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2017-12972-24209499","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/jwk/OctetSequenceKey.java","function":"size"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-2dea60f6","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/AAD.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-3ad8ef96","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/test/java/com/nimbusds/jose/crypto/AADTest.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-5c14192b","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/DirectEncrypter.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-72fa0533","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/jwk/RSAKey.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-804e0816","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/jwk/OctetSequenceKey.java"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2017-12972-82725d3c","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/jwk/RSAKey.java","function":"size"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2017-12972-8a14cdd9","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java","function":"testAADLengthComputation"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2017-12972-ae576bd1","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/ContentCryptoProvider.java","function":"checkCEKLength"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-b68ae730","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/test/java/com/nimbusds/jose/util/ByteUtilsTest.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-b6e85c3f","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/util/ByteUtils.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-c2d6fbea","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-c935ca8c","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESGCM.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-cc91d1c5","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESGCMKW.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-d47c50ca","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/ConcatKDF.java"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2017-12972-d8d4b29b","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/test/java/com/nimbusds/jose/crypto/AADTest.java","function":"testComputeLength"}},{"deprecated":false,"signature_type":"Function","id":"CVE-2017-12972-ded43979","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/AAD.java","function":"computeLength"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-e92a4703","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESEncrypter.java"}},{"deprecated":false,"signature_type":"Line","id":"CVE-2017-12972-ebf963b5","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","signature_version":"v1","target":{"file":"src/main/java/com/nimbusds/jose/crypto/ContentCryptoProvider.java"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12972.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}