Invalid Curve Attack in Nimbus JOSE+JWT before 4.36

Invalid Curve Attack in Nimbus JOSE+JWT before 4.36

CVE-2017-12974 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without ensuring that the public x and y coordinates are on the specified curve, which allows attackers to conduct an Invalid Curve Attack in environments where the JCE provider lacks the applicable curve validation.

Learn more about our Web Application Penetration Testing UK.