Expected behavior
We expect no issues detected when the .jar file is scanned with Sonatype Nexus. The ApplicationInsights .jar file should include non-vulnerable library versions of Connect2id Nimbus JOSE+JWT (versions before 9.37.2 are vulnerable to CVE-2023-52428 according to https://nvd.nist.gov/vuln/detail/CVE-2023-52428).
Actual behavior
Our Sonatype Nexus detects CVE-2023-52428 in the ApplicationInsights .jar file (versions affected 3.2.0-BETA to latest 3.5.1) with root cause:
applicationinsights-agent-3.5.1.jarinst/com/nimbusds/jose/crypto/PasswordBasedDecrypter.classdata[4.0-rc1, 9.37.2)
Description from CVE
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Explanation
The nimbus-jose-jwt package is vulnerable to Denial of Service (DoS) attacks. The decrypt() method in the PasswordBasedDecrypter class fails to properly validate the length of the JWE p2c header. A remote attacker can exploit this vulnerability by supplying an oversized PBES2Count value, causing the application to consume all available resources and ultimately leading to a DoS condition.
To Reproduce
Perform a Sonatype Nexus scan on the ApplicationInsights .jar file or a Docker image file that includes the ApplicationInsights .jar file.
System information
Application Insights Java 3.5.1 (GA)
Logs
None applicable
Screenshots
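The CVE text above describes the flaw as a missing bound on the JWE p2c (PBES2 iteration count) header before PBKDF2 runs. The following is an added example, not code from this issue or from the nimbus-jose-jwt project: a pre-decryption guard that parses only the protected header of a JWE compact serialization and rejects PBES2 tokens whose p2c is absent, non-integer, or outside a bound. The 1,000,000 upper cap and 1000 lower bound are constructed choices for the example (the lower bound follows the RFC 7518 recommendation); the page does not state the library's own post-fix limit.

```python
import base64
import json

# Constructed bounds for this example; the library's post-fix limit is not given on this page.
MAX_P2C = 1_000_000
MIN_P2C = 1000  # RFC 7518 recommends at least 1000 PBKDF2 iterations


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_pbes2_header(jwe_compact: str) -> str:
    """Inspect the protected header of a JWE compact serialization.

    Returns "ok" when the token may be handed to a PBES2 decrypter, otherwise a
    short reason for rejection. Only the header is parsed; no key derivation runs,
    so an oversized p2c costs nothing here.
    """
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        return "malformed: expected 5 segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return "malformed: protected header is not base64url JSON"
    if not isinstance(header, dict):
        return "malformed: protected header is not a JSON object"
    alg = header.get("alg", "")
    if not isinstance(alg, str) or not alg.startswith("PBES2-"):
        return "ok"  # p2c is only meaningful for PBES2 key management
    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly
    if not isinstance(p2c, int) or isinstance(p2c, bool):
        return "rejected: p2c missing or not an integer"
    if p2c < MIN_P2C:
        return f"rejected: p2c {p2c} below minimum {MIN_P2C}"
    if p2c > MAX_P2C:
        return f"rejected: p2c {p2c} exceeds cap {MAX_P2C}"
    if not isinstance(header.get("p2s"), str):
        return "rejected: p2s salt missing"
    return "ok"


def make_token(header: dict) -> str:
    """Build a constructed JWE compact string with placeholder body segments."""
    return ".".join([_b64url_encode(json.dumps(header).encode()), "AAAA", "AAAA", "AAAA", "AAAA"])
```

Run the guard on a token before calling the library's decrypter; a rejected token never reaches PBKDF2.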
Whether you want to upgrade now or wait for the issue to be analyzed is fully up to you. We are not aware if the vulnerability actually affects ApplicationInsights directly.