CVE-2017-12973

Name of the Vulnerable Software and Affected Versions Nimbus JOSE+JWT versions prior to 4.39

Description The issue is related to the improper handling of an invalid HMAC in authenticated AES-CBC decryption, allowing attackers to conduct a padding oracle attack. This is due to a lack of integrity checking in the HMAC component of the Nimbus JOSE+JWT Java library. Exploitation of this issue may allow a remote attacker to disclose protected information.

Recommendations For versions prior to 4.39, update to version 4.39 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive data until the update is applied.