CVE-2019-17195 in dependency com.nimbusds:nimbus-jose-jwt
miraculix-druids opened this issue · 2 comments
miraculix-druids commented
com.microsoft.aad:adal:1.16.3 has a dependency on com.nimbusds:nimbus-jose-jwt:5.7, which has the following vulnerability:
Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.
https://nvd.nist.gov/vuln/detail/CVE-2019-17195
Mitigation: Please update the com.nimbusds:nimbus-jose-jwt dependency to v7.9 or newer.
iambmelt commented
Thank you @miraculix-druids -- we will ship an updated version in a future release.
Related:
AzureAD/microsoft-authentication-library-common-for-android#705
iambmelt commented
Tracking related: