AzureAD/azure-activedirectory-library-for-android

CVE-2019-17195 in dependency com.nimbusds:nimbus-jose-jwt

miraculix-druids opened this issue · 2 comments

com.microsoft.aad:adal:1.16.3 has a dependency on com.nimbusds:nimbus-jose-jwt:5.7, which has the following vulnerability:

Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.

https://nvd.nist.gov/vuln/detail/CVE-2019-17195

Mitigation: Please update com.nimbusds:nimbus-jose-jwt dependency to v7.9 or newer

Thank you @miraculix-druids -- we will ship an updated version in a future release.

Related:
AzureAD/microsoft-authentication-library-common-for-android#705
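
One way for an app that consumes ADAL to check which of its build configurations still resolve the affected library, added here as an example and not code from the ADAL project or the reporter: it scans the text of a `gradle dependencies` report for `com.nimbusds:nimbus-jose-jwt` resolving below 7.9. The report below is constructed sample input; the `com.example:ui-kit` coordinate and the release configuration's `-> 7.9` override are assumptions made for illustration.

```python
import re

ARTIFACT = "com.nimbusds:nimbus-jose-jwt"
FIXED = (7, 9)  # "before v7.9" per the advisory text quoted in the issue

# One tree node: indent, branch marker, group:name, optional requested
# version, optional "-> resolved" when Gradle selected a different version.
NODE = re.compile(r"^(?P<indent>[| ]*)[+\\]--- (?P<coord>[\w.\-]+:[\w.\-]+)"
                  r"(?::(?P<req>\S+))?(?: -> (?P<res>\S+))?")

def version_key(version):
    """Numeric parts of a version string as a comparable tuple."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def vulnerable_paths(report):
    """Return (configuration, dependency path, resolved version) for every
    node where ARTIFACT resolves to a version below FIXED."""
    config, stack, hits = None, [], []
    for line in report.splitlines():
        m = NODE.match(line)
        if not m:
            if line.strip():
                config = line.split()[0]  # configuration header line
            continue
        depth = len(m["indent"]) // 5     # Gradle indents 5 columns per level
        del stack[depth:]
        stack.append(m["coord"] + (":" + m["req"] if m["req"] else ""))
        resolved = m["res"] or m["req"]
        if m["coord"] == ARTIFACT and resolved and version_key(resolved) < FIXED:
            hits.append((config, " > ".join(stack), resolved))
    return hits

# Constructed sample report (not captured from a real build).
CONSTRUCTED_REPORT = r"""
debugRuntimeClasspath
+--- com.example:ui-kit:1.0
\--- com.microsoft.aad:adal:1.16.3
     \--- com.nimbusds:nimbus-jose-jwt:5.7

releaseRuntimeClasspath
+--- com.example:ui-kit:1.0
\--- com.microsoft.aad:adal:1.16.3
     \--- com.nimbusds:nimbus-jose-jwt:5.7 -> 7.9
"""

if __name__ == "__main__":
    for config, path, version in vulnerable_paths(CONSTRUCTED_REPORT):
        print(f"{config}: {path} resolves to {version} (< 7.9)")
```

The check reads the resolved version, so a configuration where 5.7 is requested but a newer version is selected is not flagged.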