CVE-2017-12972

Name of the Vulnerable Software and Affected Versions Nimbus JOSE+JWT versions prior to 4.39

Description The issue is related to insufficient authentication data verification in the Nimbus JOSE+JWT library. This allows attackers to conduct HMAC bypass attacks by manipulating Additional Authenticated Data (AAD) and ciphertext, resulting in different plaintext being obtained for the same HMAC. The exploitation of this issue may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information by uploading unauthorized data.

Recommendations For versions prior to 4.39, update to version 4.39 or later to resolve the issue. As a temporary workaround, consider implementing additional authentication data verification mechanisms to minimize the risk of exploitation. Restrict access to sensitive data and ensure that all data uploads are thoroughly validated to prevent unauthorized access.