{"id":"CVE-2017-12972","details":"In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when converting length values from bytes to bits, which allows attackers to conduct HMAC bypass attacks by shifting Additional Authenticated Data (AAD) and ciphertext so that different plaintext is obtained for the same HMAC.","aliases":["GHSA-2qp9-wg27-9pcv"],"modified":"2026-03-15T14:25:05.117812Z","published":"2017-08-20T16:29:00.237Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt"},{"type":"ADVISORY","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c"},{"type":"FIX","url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://bitbucket.org/connect2id/nimbus-jose-jwt","events":[{"introduced":"0"},{"last_affected":"f46fe5204828a77b7a7c34977de9284e0da26085"},{"introduced":"0"},{"last_affected":"c39fd533e1a2afb0dbf3a0a80cc7e133df3503cd"},{"introduced":"0"},{"last_affected":"16938e48a683842bb4a8cf81344a08c8d02af101"},{"introduced":"0"},{"last_affected":"42096005870f2be0840d17af510d21b1f9d95648"},{"introduced":"0"},{"last_affected":"bcb78841651aaac220a3c857309e0d02f393325a"},{"introduced":"0"},{"last_affected":"d0f284444dc96e76b4d992f8da15c25c9f3fec6d"},{"introduced":"0"},{"last_affected":"64d6763c2b504d63d2ec7cccbfd86a3d8c36937f"},{"introduced":"0"},{"last_affected":"3707387db908239bee2f6c437e5796ab392eb532"},{"introduced":"0"},{"last_affected":"8744df687643f441ca1235ca63be3fa622feba9a"},{"introduced":"0"},{"last_affected":"a739a00e9de30d7e75467f53e1c21e99e89f5a41"},{"introduced":"0"},{"last_affected":"46b6438a020b96e0d4551213fb499ebd8d6ec1c0"},{"introduced":"0"},{"last_affected":"ea357274a93e803015e4affffa564dec3fba4cde"},{"introduced":"0"},{"last_affected":"b0774608c16bff268b713ab471688ec98bcee078"},{"introduced":"0"},{"last_affected":"99cc3fc18c1d4ef0091a715c846cc4f4d10ad88a"},{"introduced":"0"},{"last_affected":"8ff584e4f40101d673784c6d85fe6d9c369fc2e0"},{"introduced":"0"},{"last_affected":"0ff01e2c9939c902905e388e88e5e561bda27cc7"},{"introduced":"0"},{"last_affected":"89971de57e3521b1b65ea136f44453d6d71cc841"},{"introduced":"0"},{"last_affected":"6b32baa2a3611472549f80af91a6e75787040fcb"},{"introduced":"0"},{"last_affected":"3f3cec6645e80faf09df40ac0132bf0b7ce156be"},{"introduced":"0"},{"last_affected":"f3ad809ddf50b1442640f5cd2308eae803b566f4"},{"introduced":"0"},{"last_affected":"8b9add2057f35df26556c8b8dd2434a216bf3a87"},{"introduced":"0"},{"last_affected":"3c79413f21d429d47bb3f4cee22574e31a382204"},{"introduced":"0"},{"last_affected":"ecf4111cf11dcaa44430c45fc35a8149cfd90e82"},{"introduced":"0"},{"last_affected":"e53958565dea00420769661ed94ca3e7133e8c04"},{"introduced":"0"},{"last_affected":"17bf7e98cb6b13b3d11461d422a27381fc371fe9"},{"introduced":"0"},{"last_affected":"ee07c609f8aa625e48cb5a9455455125b929723a"},{"introduced":"0"},{"last_affected":"073aeaf2bcad47904eb49544ec147d680f3fe8a0"},{"introduced":"0"},{"last_affected":"80a8ba9b533d3b6886ee01f53cc8c295b29683ab"},{"introduced":"0"},{"last_affected":"bfd51549672b45c4393d2a430f451df608220f39"},{"introduced":"0"},{"last_affected":"ed2ded2e2735994daef84cf83fdd0af361a3ba4f"},{"introduced":"0"},{"last_affected":"fcd1704e82f2bfeacd2914d4b5cb00475f57de2b"},{"introduced":"0"},{"last_affected":"5e704b9d55f52b89d33012391fae0ebbbf70673b"},{"introduced":"0"},{"last_affected":"6d864f89c7e74c28e5e6444bdf29fc51047f080c"},{"introduced":"0"},{"last_affected":"2ba1a1d09b25a7604eefc051edfea3961512d30a"},{"introduced":"0"},{"last_affected":"0c54cb1a4803fe78c1ea1c73b6ed5860fb62b43e"},{"introduced":"0"},{"last_affected":"9a2d296c9b794822df310d626855dfaf4797f14d"},{"introduced":"0"},{"last_affected":"1b532214deddd34239fe4d2ae06939d17dcef80e"},{"introduced":"0"},{"last_affected":"e9aa051ded07a045f86ea551b98b6751d751fa72"},{"introduced":"0"},{"last_affected":"4e862c3859d3e9e31722eff6d8155650b2e545f3"},{"introduced":"0"},{"last_affected":"8783eab65f9c16fe7feed35c49b5e3a94fc3601a"},{"introduced":"0"},{"last_affected":"671e13555f637ea2c5b33187a23cac9dff9d87c7"},{"introduced":"0"},{"last_affected":"b41f8774365bd6aacc69093c0ca648ebbbb7fdca"},{"introduced":"0"},{"last_affected":"362f0c7a86b4397a10139b48774d12ab113d27a3"},{"introduced":"0"},{"last_affected":"0fd8dfb7f0f722b279dad214cecb876ca5fca91c"},{"introduced":"0"},{"last_affected":"ab79d723cb62794a96aa542786e4c282f7bc4cfd"},{"introduced":"0"},{"last_affected":"73d2710e7c56472106a90982a2a135de761135f8"},{"introduced":"0"},{"last_affected":"afb5226b9f8b3ed6fc8aca3494d1fd472eb36d1d"},{"introduced":"0"},{"last_affected":"295c5034658416df2312871bc0b0af1f4475f35f"},{"introduced":"0"},{"last_affected":"ac9ba30a377bcd1e040ee458bffabb17f5d85772"},{"introduced":"0"},{"last_affected":"842cd224f595c1fb8f4db418ba66f6925ee6d70b"},{"introduced":"0"},{"last_affected":"0e91d9799a42dc5e6638a897e962414b31c25c86"},{"introduced":"0"},{"last_affected":"90a838f74ff7856965673d93ae83befb9d80d1e9"},{"introduced":"0"},{"last_affected":"9f3faa7e046846ab56d011f11c09dcf53e26decb"},{"introduced":"0"},{"last_affected":"991ecab39ee43dcfa5f5e91f2948d62c5cc01a91"},{"introduced":"0"},{"last_affected":"e264ae0de8e66ff7614c3c364e81fb5bccd9ce45"},{"introduced":"0"},{"last_affected":"544cff98876459ff03c324b2c56ab9e35791ae4c"},{"introduced":"0"},{"last_affected":"89fc3c25a4a1e65258b6a30691077cd92e49ec14"},{"introduced":"0"},{"last_affected":"cd53f212222ccb998d8bf6d8d2b13a3b02a1c9bf"},{"introduced":"0"},{"last_affected":"c0e3e41c12a3e4359c634f0cf267520c5e862117"},{"introduced":"0"},{"last_affected":"a527b228ad299b94ef13697d59d15261fdbfea01"},{"introduced":"0"},{"last_affected":"8506d379b4575652b1b0870299aeffc3364927c3"},{"introduced":"0"},{"last_affected":"83cf2551766628a8ad3718ff71bf2557aab2825a"},{"introduced":"0"},{"last_affected":"2fbdbdb2f35e21178ae60bbfe57224c8fa5e4b0e"},{"introduced":"0"},{"last_affected":"849830f9cfbda8c4a3025b2d77c5609bb8f24772"},{"introduced":"0"},{"last_affected":"31822f1a9992909548360eddff96032c6c4fc7a0"},{"introduced":"0"},{"last_affected":"db580fd45d2c19b315a3fc3ccaabcd7442568bc5"},{"introduced":"0"},{"last_affected":"6d22bc70ae407d4d0e7983e741111e8988b429a4"},{"introduced":"0"},{"last_affected":"d455801bc959b66240d265472f3bf768c2fffbf8"},{"introduced":"0"},{"last_affected":"e065e6a13e7bdd3797f20750f0d25e38e0eb2d8e"},{"introduced":"0"},{"last_affected":"492cd4bc6a2068e601971332966d3e6b0aef3656"},{"introduced":"0"},{"last_affected":"c3020ab6b3b5329492d4ca28818595a8070e8ccd"},{"introduced":"0"},{"last_affected":"4b57f15e1dfa5d8c3d94500d46e1c09c78d94965"},{"introduced":"0"},{"last_affected":"0c03dfef56d0d748c8121a89f54efdc7754882ea"},{"introduced":"0"},{"last_affected":"f4ad6a5e0529cdcff2757d2b55cd89fe82b307a5"},{"introduced":"0"},{"last_affected":"5bc8ad03cd121d8fd502a5c82383410ddd8dfca8"},{"introduced":"0"},{"last_affected":"ebb9336616bdb51ac8d464d57a9d41ce3ecc7f5a"},{"introduced":"0"},{"last_affected":"a67eb00fd3b6cda5d74bace244b579a53c5000fe"},{"introduced":"0"},{"last_affected":"7214a423200134cdc4aee7a70dd0b0e33bd7e675"},{"introduced":"0"},{"last_affected":"c869160f4fccd63fa6442b26a478ae7aca17e763"},{"introduced":"0"},{"last_affected":"0f9af30697a8c706358a9e46f45cbbdcb081c995"},{"introduced":"0"},{"last_affected":"3810eb0a96565e7768cd54bf734dfea373ecc561"},{"introduced":"0"},{"last_affected":"106881b20a2969dc0dcc55a742a78b049cf4b5f3"},{"introduced":"0"},{"last_affected":"1e4f0d2f4ed50186548ca32b502243cb5508d264"},{"introduced":"0"},{"last_affected":"e7b8d6657370994005e27e58025eb90e8a6b098f"},{"introduced":"0"},{"last_affected":"a86e92a106173a2b012a1ded20fc69f4971afdf1"},{"introduced":"0"},{"last_affected":"f03742e505a739acf6261afaeee8b19a27e1c6f1"},{"introduced":"0"},{"last_affected":"fd21bb3bb4454a56ed672c0ffafb5fa0c55d43b8"},{"introduced":"0"},{"last_affected":"f0a173620065f366778630ee039aa2a1a76c3f4d"},{"introduced":"0"},{"last_affected":"7928a228f94161f152a3a955b8f471324b0511f3"},{"introduced":"0"},{"last_affected":"a90c7f219778f2a70957d6d86af54425a1a157c5"},{"introduced":"0"},{"last_affected":"87d0c1d6b653a365cd3c6ffee03d5d5fcd30e70d"},{"introduced":"0"},{"last_affected":"bf723cd790e03cb23b0f4d0a7315d3458ebc42eb"},{"introduced":"0"},{"last_affected":"3589f86cbea7ab2f2c9f0b4fe644c7a860bd86f4"},{"introduced":"0"},{"last_affected":"9cae02ca2b5735559fdebfdca945053cd7c10a70"},{"introduced":"0"},{"last_affected":"66f8d476bb1b705544767069b939171baac3482e"},{"introduced":"0"},{"last_affected":"80db8e6cdaaddce71fb78d17d2cb08707006acd0"},{"introduced":"0"},{"last_affected":"1912aef94251e54a45b8f28b86c75fbe7fa6c860"},{"introduced":"0"},{"last_affected":"70414de2c00a0628dae538654d9094122014f2e7"},{"introduced":"0"},{"last_affected":"ee2317efcec38d03517e6e95be84b038ffd7a526"},{"introduced":"0"},{"last_affected":"ebf1347b70056b25b6e135c2996c3ce6a154a0a1"},{"introduced":"0"},{"last_affected":"009022104cae4f5cb28b919b6828d95ae883c669"},{"introduced":"0"},{"last_affected":"74c82682fd98d6f2dffd51395cdeadffc4a220e4"},{"introduced":"0"},{"last_affected":"74c82682fd98d6f2dffd51395cdeadffc4a220e4"},{"introduced":"0"},{"last_affected":"53eb866d2ef01ccc36e6ef891765244eaae18857"},{"introduced":"0"},{"last_affected":"1baeb60744db3802777ddb7893392f0da6a57967"},{"introduced":"0"},{"last_affected":"8b65b0da5f0e4f0999b88fa797f103e44f9d88a2"},{"introduced":"0"},{"last_affected":"c17067f1b75dbd6d112c4462daedbec19b948ea7"},{"introduced":"0"},{"last_affected":"db122fb5d1833922c78c0e7028827435de00b964"},{"introduced":"0"},{"last_affected":"a33e4cda470bdd8d33d7074d4ed5ab721297e514"},{"introduced":"0"},{"last_affected":"2097539c2fbb25e1ecbdd133dcf5e37fd78ade47"},{"introduced":"0"},{"last_affected":"b5f4e693e8ca8a96b0e1e8e5059467a96bb0eaba"},{"introduced":"0"},{"last_affected":"45fdecef2e282567764e44311b50bbc86ff6924f"},{"introduced":"0"},{"last_affected":"fb7850e081d2f04b889dec3e1d18f5bbc45c7f23"},{"fixed":"0d2bd649ea386539220d4facfe1f65eb1dadb86c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.0"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.1"},{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.2"},{"introduced":"0"},{"last_affected":"2.3"},{"introduced":"0"},{"last_affected":"2.4"},{"introduced":"0"},{"last_affected":"2.5"},{"introduced":"0"},{"last_affected":"2.6"},{"introduced":"0"},{"last_affected":"2.7"},{"introduced":"0"},{"last_affected":"2.8"},{"introduced":"0"},{"last_affected":"2.9"},{"introduced":"0"},{"last_affected":"2.10"},{"introduced":"0"},{"last_affected":"2.10.1"},{"introduced":"0"},{"last_affected":"2.11.0"},{"introduced":"0"},{"last_affected":"2.12.0"},{"introduced":"0"},{"last_affected":"2.13.0"},{"introduced":"0"},{"last_affected":"2.13.1"},{"introduced":"0"},{"last_affected":"2.14"},{"introduced":"0"},{"last_affected":"2.15"},{"introduced":"0"},{"last_affected":"2.15.1"},{"introduced":"0"},{"last_affected":"2.15.2"},{"introduced":"0"},{"last_affected":"2.16"},{"introduced":"0"},{"last_affected":"2.17"},{"introduced":"0"},{"last_affected":"2.17.1"},{"introduced":"0"},{"last_affected":"2.17.2"},{"introduced":"0"},{"last_affected":"2.18"},{"introduced":"0"},{"last_affected":"2.18.1"},{"introduced":"0"},{"last_affected":"2.18.2"},{"introduced":"0"},{"last_affected":"2.19"},{"introduced":"0"},{"last_affected":"2.19.1"},{"introduced":"0"},{"last_affected":"2.20"},{"introduced":"0"},{"last_affected":"2.21"},{"introduced":"0"},{"last_affected":"2.22"},{"introduced":"0"},{"last_affected":"2.22.1"},{"introduced":"0"},{"last_affected":"2.23"},{"introduced":"0"},{"last_affected":"2.24"},{"introduced":"0"},{"last_affected":"2.25"},{"introduced":"0"},{"last_affected":"2.26"},{"introduced":"0"},{"last_affected":"2.26.1"},{"introduced":"0"},{"last_affected":"3.0"},{"introduced":"0"},{"last_affected":"3.1"},{"introduced":"0"},{"last_affected":"3.1.1"},{"introduced":"0"},{"last_affected":"3.1.2"},{"introduced":"0"},{"last_affected":"3.2"},{"introduced":"0"},{"last_affected":"3.2.1"},{"introduced":"0"},{"last_affected":"3.2.2"},{"introduced":"0"},{"last_affected":"3.3"},{"introduced":"0"},{"last_affected":"3.4"},{"introduced":"0"},{"last_affected":"3.5"},{"introduced":"0"},{"last_affected":"3.6"},{"introduced":"0"},{"last_affected":"3.7"},{"introduced":"0"},{"last_affected":"3.8"},{"introduced":"0"},{"last_affected":"3.8.1"},{"introduced":"0"},{"last_affected":"3.8.2"},{"introduced":"0"},{"last_affected":"3.9"},{"introduced":"0"},{"last_affected":"3.9.1"},{"introduced":"0"},{"last_affected":"3.9.2"},{"introduced":"0"},{"last_affected":"3.10"},{"introduced":"0"},{"last_affected":"4.0"},{"introduced":"0"},{"last_affected":"4.0.1"},{"introduced":"0"},{"last_affected":"4.1"},{"introduced":"0"},{"last_affected":"4.1.1"},{"introduced":"0"},{"last_affected":"4.2"},{"introduced":"0"},{"last_affected":"4.3"},{"introduced":"0"},{"last_affected":"4.3.1"},{"introduced":"0"},{"last_affected":"4.4"},{"introduced":"0"},{"last_affected":"4.5"},{"introduced":"0"},{"last_affected":"4.6"},{"introduced":"0"},{"last_affected":"4.7"},{"introduced":"0"},{"last_affected":"4.8"},{"introduced":"0"},{"last_affected":"4.9"},{"introduced":"0"},{"last_affected":"4.10"},{"introduced":"0"},{"last_affected":"4.11"},{"introduced":"0"},{"last_affected":"4.11.1"},{"introduced":"0"},{"last_affected":"4.11.2"},{"introduced":"0"},{"last_affected":"4.12"},{"introduced":"0"},{"last_affected":"4.13"},{"introduced":"0"},{"last_affected":"4.13.1"},{"introduced":"0"},{"last_affected":"4.14"},{"introduced":"0"},{"last_affected":"4.15"},{"introduced":"0"},{"last_affected":"4.15.1"},{"introduced":"0"},{"last_affected":"4.16"},{"introduced":"0"},{"last_affected":"4.16.1"},{"introduced":"0"},{"last_affected":"4.16.2"},{"introduced":"0"},{"last_affected":"4.17"},{"introduced":"0"},{"last_affected":"4.18"},{"introduced":"0"},{"last_affected":"4.19"},{"introduced":"0"},{"last_affected":"4.20"},{"introduced":"0"},{"last_affected":"4.21"},{"introduced":"0"},{"last_affected":"4.22"},{"introduced":"0"},{"last_affected":"4.23"},{"introduced":"0"},{"last_affected":"4.24"},{"introduced":"0"},{"last_affected":"4.25"},{"introduced":"0"},{"last_affected":"4.26"},{"introduced":"0"},{"last_affected":"4.26.1"},{"introduced":"0"},{"last_affected":"4.27"},{"introduced":"0"},{"last_affected":"4.27.1"},{"introduced":"0"},{"last_affected":"4.28"},{"introduced":"0"},{"last_affected":"4.29"},{"introduced":"0"},{"last_affected":"4.30"},{"introduced":"0"},{"last_affected":"4.31"},{"introduced":"0"},{"last_affected":"4.31.1"},{"introduced":"0"},{"last_affected":"4.32"},{"introduced":"0"},{"last_affected":"4.33"},{"introduced":"0"},{"last_affected":"4.34"},{"introduced":"0"},{"last_affected":"4.34.1"},{"introduced":"0"},{"last_affected":"4.34.2"},{"introduced":"0"},{"last_affected":"4.35"},{"introduced":"0"},{"last_affected":"4.36.1"},{"introduced":"0"},{"last_affected":"4.37"},{"introduced":"0"},{"last_affected":"4.37.1"},{"introduced":"0"},{"last_affected":"4.38"}]}}],"versions":["2.0","2.0.1","2.1","2.1.1","2.10","2.10.1","2.11.0","2.12.0","2.13.0","2.13.1","2.14.0","2.15.0","2.15.1","2.15.2","2.16","2.17","2.17.1","2.17.2","2.18","2.18.1","2.18.2","2.19","2.19.1","2.2","2.20","2.21","2.22","2.22.1","2.23","2.24","2.25","2.26","2.26.1","2.3","2.4","2.5","2.6","2.7","2.8","2.9","3.0","3.1","3.1.1","3.1.2","3.10","3.2","3.2.1","3.2.2","3.3","3.4","3.5","3.6","3.7","3.8","3.8.1","3.8.2","3.9","3.9.1","3.9.2","4.0","4.0-rc1","4.0-rc2","4.0-rc3","4.0-rc4","4.0.1","4.1","4.1.1","4.10","4.11","4.11.1","4.11.2","4.12","4.13.1","4.14","4.15","4.15.1","4.16","4.16.1","4.16.2","4.17","4.18","4.19","4.2","4.20","4.21","4.22","4.23","4.24","4.25","4.26","4.26.1","4.27","4.27.1","4.28","4.29","4.3","4.3.1","4.30","4.31.1","4.32","4.33","4.34","4.34.1","4.34.2","4.35","4.36","4.36.1","4.37","4.37.1","4.38","4.4","4.5","4.6","4.7","4.8","4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12972.json","vanir_signatures":[{"id":"CVE-2017-12972-011c9f1e","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/RSA1_5.java"},"digest":{"line_hashes":["168737763824720600879208904081502951545","302567068559763296819114101514944017815","230869455070445968182594749778657341675","283935422213370696407798878291984490947","315665346146488759464290514101678114000","199114374991634250325189251898026238432","329395400188898088948366080947006100789"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-24209499","signature_type":"Function","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/jwk/OctetSequenceKey.java","function":"size"},"digest":{"function_hash":"268383303490108261703502224559116684261","length":73},"signature_version":"v1"},{"id":"CVE-2017-12972-2dea60f6","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/AAD.java"},"digest":{"line_hashes":["237706141522443329892358720866463998438","324010941776266364390120152883005911783","243076908048097007417633745113335229211","90092983308114395773940124960991546178","298837952353261299150420403494590187018","282360178354435980873742188674850035098","70018380420855359861466606240521456096","263259739511378256223257868817627381738","294221454441061468944461007536954228932"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-3ad8ef96","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/test/java/com/nimbusds/jose/crypto/AADTest.java"},"digest":{"line_hashes":["307700605187138687526984698875500074150","24969852970028678038490162687253090186","179287720149843692598401002699231307295","8611822431368367361956550746277118573","139846294648089010547716477717108683346","42428330065101331924202698488332969968","61576523446879651083235913902398372676","283543066535150811598091479227484072107","332603698936186730139759600804147020953","86723057084435517126927788261714495506","33730488403011083972651898334373226912","106429779004582307873726401793362390070"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-5c14192b","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/DirectEncrypter.java"},"digest":{"line_hashes":["150896086058429499327501026347678103958","127227738995467194781179690314379375695","109334578001973239677475579002706154918","336999666330873705279848479680841962450","182380943961269966997496840307966289291","72828264218771395126176260508692903621","190569358059299257518815577580690324400"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-72fa0533","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/jwk/RSAKey.java"},"digest":{"line_hashes":["232888998697217806484311424362040604452","79563156495832145290587017112322441021","57946194883724050587184835140952264331","237123529249827582402158178937164550961","95024887126792259353084271672438692852","154281180036102263906323916576001154449","181608596495438708160370960987593189150","202145710558911091547703732526024783225","96273157581862057232781848170114863430","183482483933182757021870555633110767476","184555146199255596600264346691601187703","182377197255264686783348993894973183374","331917177960713445851749380386340760277"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-804e0816","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/jwk/OctetSequenceKey.java"},"digest":{"line_hashes":["268654735462253415356359022392147155873","232888998697217806484311424362040604452","79563156495832145290587017112322441021","57946194883724050587184835140952264331","237123529249827582402158178937164550961","151689390433282551718270747285611477113","335741726761475986209462109989453655687","147675954362977689294816009667525421102","30846833992337196048724994863608773527","213706348147894701945892572411881840022","299034758898565177812571422997448420951","232147838900057129397269575162405640879","135539528210154176132208467093808773800"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-82725d3c","signature_type":"Function","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/jwk/RSAKey.java","function":"size"},"digest":{"function_hash":"137372075645284302827252804517773606637","length":73},"signature_version":"v1"},{"id":"CVE-2017-12972-8a14cdd9","signature_type":"Function","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java","function":"testAADLengthComputation"},"digest":{"function_hash":"267913083107651721422318958924185504600","length":115},"signature_version":"v1"},{"id":"CVE-2017-12972-ae576bd1","signature_type":"Function","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/ContentCryptoProvider.java","function":"checkCEKLength"},"digest":{"function_hash":"94467738440777304089185681095782348238","length":284},"signature_version":"v1"},{"id":"CVE-2017-12972-b68ae730","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/test/java/com/nimbusds/jose/util/ByteUtilsTest.java"},"digest":{"line_hashes":["84137067322283839825205822337526037356","278313541754829900208913014945198541762","40687950734415644437241196116501371385","309755736367940573768786425536160193776","328153018022980147790503304506065256713"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-b6e85c3f","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/util/ByteUtils.java"},"digest":{"line_hashes":["32383480734683772536912283883661482549","216183336963785789442048893996803442691","114014675732776626528332206495647595813","335432703739897809560418464042010493720","177774681975823394080592514139954930476","16455260380068284860945001983399601244","85456155979618242410953811571445311300","168536106393098167052569216829529988157","191605060509175831442191922384617015845"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-c2d6fbea","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/test/java/com/nimbusds/jose/crypto/AESCBCTest.java"},"digest":{"line_hashes":["279302843528326554557395779506297631570","68837334235864258222044474136335456340","14262115020304873918660516344339697224","320447986941090818350865767914465061256","257738106142193723590480276808990837124","147420188732514315990170903786702376838","244474157375498520664360424264483525082","19338943929966105697940344933697594977","12598856043775227817307074258382927073","192838745515398581135225500166610643490","8411702802549003874773765885069598031"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-c935ca8c","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESGCM.java"},"digest":{"line_hashes":["95259769531966343370169011042469545778","257133433690831533093581837775348808804","107437025294458820614269312001728618560","283582744454872804025211391269006162651","246141335718094425881400271907242195317","29152429034532573818640305328156727177","11528336840115380978760453684157222839","28029004616166714415717697844510934052","45613031604441494655983829612457768411","99648038163444886854229346973211594848","65175936860579601752440798113899978688","151003580201633903155967224232462771249","5886689539007511441959001973513702650","98628318771706111378454557187162171481"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-cc91d1c5","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESGCMKW.java"},"digest":{"line_hashes":["134176139255843890709851474652080540785","118782986781672275840820227666649687813","48256242829436966584423552467560703096","37836057034549784497731361307909413673","255407985008534538776295696780966296583","46007123076665221255259311660713187660","141069446923907567482496672188234344416","4953700867941580088919641085798716583"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-d47c50ca","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/ConcatKDF.java"},"digest":{"line_hashes":["266893018196631136950273847994494902683","191641946806963940745159115067211258624","204796056270814204710025734827567361375","174426886261901122973475139626211048955","123452958859067139486843269833187153778","174853788021889295719684031803472998576","297142065400076201898476165046906206534"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-d8d4b29b","signature_type":"Function","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/test/java/com/nimbusds/jose/crypto/AADTest.java","function":"testComputeLength"},"digest":{"function_hash":"100707433899611702456899907145320633374","length":189},"signature_version":"v1"},{"id":"CVE-2017-12972-ded43979","signature_type":"Function","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/AAD.java","function":"computeLength"},"digest":{"function_hash":"228020516826701200730953980111888843899","length":172},"signature_version":"v1"},{"id":"CVE-2017-12972-e92a4703","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/AESEncrypter.java"},"digest":{"line_hashes":["21078211937174734458409276243274658789","9054285039619540650250959310326978414","110790819663157139460163652315939708175","318563159160044263657243974140529051330","166623452206966797920479389368044042129","66650317482681101803477134811190238077","100703764894263545152527047161148048091","195910674511004964607185451722007867276","321084376093164699119978281208940155466","20034503063849651181797521532235023068","50591532102752121908100632827925341841","206442105900636551799483067050019565663","56139014125121889705006378212480633149","41994352155316152330082366379179913796","235895357285667647191150425397721687714","20146359414023215387532113750223017983","60593320749049224087091673334326713096","47830335370856090526656187295043278372","300337235259036803181669253853221169741","238311798553611672698954646334488254059","321031733456861818975867169638620113766","71278082356427553430566389092756273047","203722826027740314310702846623001881372","178937064782926496451214249959364601087","167322751413677435254802986151845803700","155021759869974681348123774703751762208","80067225297656631308390832034345759315","312551636305492808249854060299306503683","252823809645143649110428980317899620534","149295184096783766341460884248699973350","259146910671245054513012657843509219047","62514117691234732922398646652092393319","46483711304005348015602044559479327401","111099870746539484772180212841322540767","316998462883691420287048371661179770505","220123158629717857665245215489471566311","187788301802847784982489370104293444034","325179086650008004040331266621952025355"],"threshold":0.9},"signature_version":"v1"},{"id":"CVE-2017-12972-ebf963b5","signature_type":"Line","source":"https://bitbucket.org/connect2id/nimbus-jose-jwt@0d2bd649ea386539220d4facfe1f65eb1dadb86c","deprecated":false,"target":{"file":"src/main/java/com/nimbusds/jose/crypto/ContentCryptoProvider.java"},"digest":{"line_hashes":["319815675751253864862173705361896348005","253594595926899038914310697694472436084","281806858831644348303557717058875824715","287895574698526860124967684305276559685","185575127317553460140722231693227824343","122833615529194558579199571139619496822","193473439597586093868069737916981839122","292357082084983187564286185051924125907","107253612107574492488894243735779009496"],"threshold":0.9},"signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.2"}]},{"events":[{"introduced":"0"},{"last_affected":"1.3"}]},{"events":[{"introduced":"0"},{"last_affected":"1.4"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5"}]},{"events":[{"introduced":"0"},{"last_affected":"1.6"}]},{"events":[{"introduced":"0"},{"last_affected":"1.7"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8"}]},{"events":[{"introduced":"0"},{"last_affected":"1.9"}]},{"events":[{"introduced":"0"},{"last_affected":"1.9.1"}]},{"events":[{"introduced":"0"},{"last_affected":"1.10"}]},{"events":[{"introduced":"0"},{"last_affected":"1.11"}]},{"events":[{"introduced":"0"},{"last_affected":"1.12"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}