CVE-2017-12974

Name of the Vulnerable Software and Affected Versions Nimbus JOSE+JWT versions prior to 4.36

Description The issue concerns a problem with the construction of ECKey without proper validation of the public x and y coordinates on the specified curve, allowing for an Invalid Curve Attack in certain environments. This is related to incorrect cryptographic signature verification, which could potentially allow a remote attacker to impact the integrity of information.

Recommendations For versions prior to 4.36, update to version 4.36 or later to resolve the issue. As a temporary workaround, consider implementing additional curve validation checks in the JCE provider to minimize the risk of exploitation. Restrict the use of ECKey construction with unvalidated public x and y coordinates until the update is applied.