kerb-simplekdc-1.0.1.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - kerb-simplekdc-1.0.1.jar

Path to dependency file: /hadoop-common-project/hadoop-auth-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar,/home/wss-scanner/.m2/repository/com/nimbusds/nimbus-jose-jwt/9.8.1/nimbus-jose-jwt-9.8.1.jar

Vulnerabilities

CVE	Severity	CVSS	Exploit Maturity	EPSS	Dependency	Type	Fixed in (kerb-simplekdc version)	Remediation Possible**	Reachability
CVE-2023-52428	High	7.5	Not Defined	0.0%	nimbus-jose-jwt-9.8.1.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-52428

### Vulnerable Library - nimbus-jose-jwt-9.8.1.jar

Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)

Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt

Path to dependency file: /hadoop-common-project/hadoop-common/pom.xml

Dependency Hierarchy: - kerb-simplekdc-1.0.1.jar (Root Library) - kerb-client-1.0.1.jar - token-provider-1.0.1.jar - :x: **nimbus-jose-jwt-9.8.1.jar** (Vulnerable Library)

Found in base branch: hubspot-3.3

### Vulnerability Details

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Publish Date: 2024-02-11

URL: CVE-2023-52428

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52428

Release Date: 2024-02-11

Fix Resolution: com.nimbusds:nimbus-jose-jwt:9.37.2

jgeraigery / hadoop-555665675

kerb-simplekdc-1.0.1.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed #116

Vulnerabilities

Details