mirror of
https://github.com/0xMarcio/cve.git
synced 2025-12-14 20:08:44 +00:00
977 B
977 B
CVE-2017-12974
Description
Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.
POC
Reference
f3a7a801f0- https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve
- https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt
Github
No PoCs found on GitHub currently.