{"id":"CVE-2017-12973","details":"Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an invalid HMAC in authenticated AES-CBC decryption, which allows attackers to conduct a padding oracle attack.","aliases":["GHSA-jfmq-4g4m-99rh"],"modified":"2025-11-14T05:01:47.839411Z","published":"2017-08-20T16:29:00.283Z","references":[{"type":"FIX","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912"},{"type":"ADVISORY","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac"},{"type":"ADVISORY","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/connect2id/nimbus-jose-jwt","events":[{"introduced":"0"},{"fixed":"6a29f10f723f406eb25555f55842c59a43a38912"}]}],"versions":["2.0","2.0.1","2.1","2.1.1","2.10","2.10.1","2.11.0","2.12.0","2.13.0","2.13.1","2.14.0","2.15.0","2.15.1","2.15.2","2.16","2.17","2.17.1","2.17.2","2.18","2.18.1","2.18.2","2.19","2.19.1","2.2","2.20","2.21","2.22","2.22.1","2.23","2.24","2.25","2.26","2.26.1","2.3","2.4","2.5","2.6","2.7","2.8","2.9","3.0","3.1","3.1.1","3.1.2","3.10","3.2","3.2.1","3.2.2","3.3","3.4","3.5","3.6","3.7","3.8","3.8.1","3.8.2","3.9","3.9.1","3.9.2","4.0","4.0-rc1","4.0-rc2","4.0-rc3","4.0-rc4","4.0.1","4.1","4.1.1","4.10","4.11","4.11.1","4.11.2","4.12","4.13.1","4.14","4.15","4.15.1","4.16","4.16.1","4.16.2","4.17","4.18","4.19","4.2","4.20","4.21","4.22","4.23","4.24","4.25","4.26","4.26.1","4.27","4.27.1","4.28","4.29","4.3","4.3.1","4.30","4.31.1","4.32","4.33","4.34","4.34.1","4.34.2","4.35","4.36","4.36.1","4.37","4.37.1","4.38","4.4","4.5","4.6","4.7","4.8","4.9"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","digest":{"line_hashes":["36435077182769648824144539200763482764","221225405666008085863157926433643063529","248275944443145673308968769694312607101","320447986941090818350865767914465061256","257738106142193723590480276808990837124","190253527059679348300378316158431539755","15674162120766882722956143379512560123"],"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2017-12973-83ba7880","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912","target":{"file":"src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java"}},{"signature_version":"v1","digest":{"length":831,"function_hash":"30873108536757750440668463301508600213"},"deprecated":false,"signature_type":"Function","id":"CVE-2017-12973-8fddb8aa","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912","target":{"function":"decryptAuthenticated","file":"src/main/java/com/nimbusds/jose/crypto/AESCBC.java"}},{"signature_version":"v1","digest":{"length":1109,"function_hash":"236213427891800737982253186864940241476"},"deprecated":false,"signature_type":"Function","id":"CVE-2017-12973-bc84ece8","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912","target":{"function":"decryptWithConcatKDF","file":"src/main/java/com/nimbusds/jose/crypto/AESCBC.java"}},{"signature_version":"v1","digest":{"line_hashes":["35018700141178900754895011799387586413","23210894372056268032297871442564513847","102375337653080225852646387558193098844","143802061001915409894760621002970574355","186448877813480750470093697857407943500","156186524451473883298028680057499734344","314799720785399631741077152447637097045","332890821269199314396999039272601680450","115380475547764836096130112939018077308","112515943459359502487605947776116967647","172612522757869334105109761993727279884","142039361351170592512047791599796892391","95946088047134294800092685466486312825","60152373669270615370440034498579187985","280492070757543771453027851327819029791","221403414440494563007614824018889324485","1894466923688934958026594011629943405","59741151086996169066197142383462513440","233078262287712076948859519221598030403","30861009376071704210913003331615204446","332947917171967944776808918114577282512","18136453160694785944270925616851898192","40475491843953653643162699661677929363","151246875674351598710595633477384636928","322974018495388437913836007418169443313","76069166384751547997871421196598149788","44437097317994459278761123799175645327","277190829670493988396513370163311149761","94546924572782216804672716981269134975","82318690769468239319429518385763591879"],"threshold":0.9},"deprecated":false,"signature_type":"Line","id":"CVE-2017-12973-f4fd57ce","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@6a29f10f723f406eb25555f55842c59a43a38912","target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESCBC.java"}}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12973.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}