ApplicationInsights-Java
CVE-2023-52428
Expected behavior
We expect no issues to be detected when the .jar file is scanned with Sonatype Nexus. The ApplicationInsights .jar file should include non-vulnerable library versions of Connect2id Nimbus JOSE+JWT (versions before 9.37.2 are vulnerable to CVE-2023-52428 according to https://nvd.nist.gov/vuln/detail/CVE-2023-52428).
Actual behavior
Our Sonatype Nexus detects CVE-2023-52428 in the ApplicationInsights .jar file (versions affected 3.2.0-BETA to latest 3.5.1) with root cause:
applicationinsights-agent-3.5.1.jarinst/com/nimbusds/jose/crypto/PasswordBasedDecrypter.classdata[4.0-rc1, 9.37.2)
Description from CVE
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.
Explanation
The nimbus-jose-jwt package is vulnerable to Denial of Service (DoS) attacks. The decrypt() method in the PasswordBasedDecrypter class fails to properly validate the length of the JWE p2c header. A remote attacker can exploit this vulnerability by supplying an oversized PBES2Count value, causing the application to consume all available resources and ultimately leading to a DoS condition.
To Reproduce
Perform a Sonatype Nexus scan on the ApplicationInsights .jar file or a Docker image file that includes the ApplicationInsights .jar file.
System information
Application Insights Java 3.5.1 (GA)
Logs
None applicable
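The weakness described under "Explanation" is an unbounded PBES2 iteration count (p2c) reaching PBKDF2. As an added example, not code from the ApplicationInsights or nimbus-jose-jwt projects, the check below parses the protected header of a compact JWE and rejects PBES2 tokens whose p2c is missing, non-integer, or outside a policy range before anything is handed to a decrypter; the cap `MAX_P2C`, the RFC 7518 lower bound of 1000, and the constructed token builder are assumptions for this example.

```python
import base64
import json

# Assumed policy cap on the PBES2 iteration count a service will accept.
# Work per decryption attempt grows linearly with p2c, so an attacker-chosen
# value of ~2^31 turns one request into minutes of CPU; bound it up front.
MAX_P2C = 1_000_000
MIN_P2C = 1000  # RFC 7518 section 4.8.1.2 recommends at least 1000 iterations

PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_jwe_p2c(compact_jwe: str, max_p2c: int = MAX_P2C) -> int:
    """Return p2c from a PBES2 compact JWE if it is within policy.

    Raises ValueError for malformed tokens, non-PBES2 tokens, and out-of-range
    iteration counts. Call this before passing the token to any JWE decrypter.
    """
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly 5 parts")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError
        raise ValueError("protected header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ValueError("protected header must be a JSON object")
    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        raise ValueError(f"not a PBES2 JWE: alg={alg!r}")
    p2c = header.get("p2c")
    # bool is an int subclass in Python; 1e9 arrives as float; both are rejected
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        raise ValueError("p2c must be a JSON integer")
    if not MIN_P2C <= p2c <= max_p2c:
        raise ValueError(f"p2c {p2c} outside allowed range [{MIN_P2C}, {max_p2c}]")
    return p2c


def make_jwe_with_p2c(p2c, alg: str = "PBES2-HS256+A128KW") -> str:
    """Constructed test token: a valid protected header with placeholder
    (non-decryptable) key, IV, ciphertext and tag segments."""
    header = {"alg": alg, "enc": "A128CBC-HS256",
              "p2s": _b64url_encode(b"constructed-salt"), "p2c": p2c}
    return ".".join([_b64url_encode(json.dumps(header).encode()), "AAAA", "AAAA", "AAAA", "AAAA"])
```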