{"url":"http://public2.vulnerablecode.io/api/packages/416521?format=json","purl":"pkg:maven/com.nimbusds/nimbus-jose-jwt@2.18","type":"maven","namespace":"com.nimbusds","name":"nimbus-jose-jwt","version":"2.18","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"4.39","latest_non_vulnerable_version":"10.0.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209973?format=json","vulnerability_id":"VCID-gp87-8qee-pubk","summary":"Improper Verification of Cryptographic Signature in Nimbus JOSE+JWT","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12974","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.3399","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12974"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f3a7a801f0c6b078899fed9226368eb7b44e2b2f"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/217/explicit-check-for-ec-public-key-on-curve"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt"},{"reference_url":"https://github.com/felx/nimbus-jose-jwt","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/felx/nimbus-jose-jwt"},{"reference_url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12974","reference_id":"CVE-2017-12974","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12974"},{"reference_url":"https://github.com/advisories/GHSA-pfv2-37f7-9m6w","reference_id":"GHSA-pfv2-37f7-9m6w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfv2-37f7-9m6w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21925?format=json","purl":"pkg:maven/com.nimbusds/nimbus-jose-jwt@4.36","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-mds6-xacq-3ff7"},{"vulnerability":"VCID-zj3e-k38f-87d4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.nimbusds/nimbus-jose-jwt@4.36"}],"aliases":["CVE-2017-12974","GHSA-pfv2-37f7-9m6w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gp87-8qee-pubk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210126?format=json","vulnerability_id":"VCID-mds6-xacq-3ff7","summary":"Nimbus JOSE+JWT vulnerable to padding oracle attack","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12973","reference_id":"","reference_type":"","scores":[{"value":"0.00332","scoring_system":"epss","scoring_elements":"0.56469","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12973"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/6a29f10f723f406eb25555f55842c59a43a38912"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/223/aescbc-return-immediately-on-invalid-hmac"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt","reference_id":"","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12973","reference_id":"CVE-2017-12973","reference_type":"","scores":[{"value":"3.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12973"},{"reference_url":"https://github.com/advisories/GHSA-jfmq-4g4m-99rh","reference_id":"GHSA-jfmq-4g4m-99rh","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jfmq-4g4m-99rh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21924?format=json","purl":"pkg:maven/com.nimbusds/nimbus-jose-jwt@4.39","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.nimbusds/nimbus-jose-jwt@4.39"}],"aliases":["CVE-2017-12973","GHSA-jfmq-4g4m-99rh"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mds6-xacq-3ff7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/209972?format=json","vulnerability_id":"VCID-zj3e-k38f-87d4","summary":"Nimbus JOSE+JWT missing overflow check","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12972","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.3517","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2017-12972"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/0d2bd649ea386539220d4facfe1f65eb1dadb86c"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/224/byte-to-bit-overflow-in-cbc"},{"reference_url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt"},{"reference_url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12972","reference_id":"CVE-2017-12972","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12972"},{"reference_url":"https://github.com/advisories/GHSA-2qp9-wg27-9pcv","reference_id":"GHSA-2qp9-wg27-9pcv","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2qp9-wg27-9pcv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/21924?format=json","purl":"pkg:maven/com.nimbusds/nimbus-jose-jwt@4.39","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.nimbusds/nimbus-jose-jwt@4.39"}],"aliases":["CVE-2017-12972","GHSA-2qp9-wg27-9pcv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zj3e-k38f-87d4"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/com.nimbusds/nimbus-jose-jwt@2.18"}