mirror of
https://github.com/0xMarcio/cve.git
synced 2026-04-12 00:58:33 +02:00
988 B
988 B
CVE-2017-12974
Description
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
POC
Reference
f3a7a801f0- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
Github
No PoCs found on GitHub currently.