ApplicationInsights-Java

CVE-2023-52428

Open mightymoogle opened this issue 3 months ago • 2 comments

Expected behavior

We expect no issues detected when .jar file is scanned with Sonatype Nexus. ApplicationInsights .jar file should include non-vulnerable library versions of Connect2id Nimbus JOSE+JWT (versions before 9.37.2 are vulnerable to CVE-2023-52428 according to https://nvd.nist.gov/vuln/detail/CVE-2023-52428).

Actual behavior

Our Sonatype Nexus detects CVE-2023-52428 in the ApplicationInsights .jar file (versions affected 3.2.0-BETA to latest 3.5.1) with root cause: `applicationinsights-agent-3.5.1.jar` → `inst/com/nimbusds/jose/crypto/PasswordBasedDecrypter.classdata`, affected version range `[4.0-rc1, 9.37.2)`

Description from CVE

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Explanation

The nimbus-jose-jwt package is vulnerable to Denial of Service (DoS) attacks. The decrypt() method in the PasswordBasedDecrypter class fails to properly validate the length of the JWE p2c header. A remote attacker can exploit this vulnerability by supplying an oversized PBES2Count value, causing the application to consume all available resources and ultimately leading to a DoS condition.

To Reproduce

Perform a Sonatype Nexus scan on the ApplicationInsights .jar file or a Docker image file that includes the ApplicationInsights .jar file.

System information

Application Insights Java 3.5.1 (GA)

Logs

None applicable

Screenshots


mightymoogle · Mar 13 '24 07:03
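The CVE description above boils down to one missing bound: the JWE `p2c` header (the PBKDF2 iteration count) is taken from untrusted input and fed straight into key derivation. The defensive pattern is to parse and validate the protected header before any PBKDF2 work is done. The following is an added example written for this page, not code from ApplicationInsights-Java or from nimbus-jose-jwt; it is a standalone Python check over a constructed compact JWE, and `MAX_P2C` is an assumed policy ceiling (the real cut-off belongs in your deployment policy, and the actual fix in 9.37.2 is the library's own, not this code).

```python
import base64
import json

# Assumed policy ceiling for the PBES2 iteration count. This is a constructed
# value for the example, not a number taken from the issue or the library.
MAX_P2C = 1_000_000


def _b64url_decode(segment: str) -> bytes:
    # base64url without padding (RFC 7515 section 2); restore padding first
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_protected_header(compact_jwe: str) -> dict:
    """Return the JWE protected header of a compact-serialized JWE.

    Compact JWE is header.encrypted_key.iv.ciphertext.tag (five segments).
    Only the first segment is decoded; nothing is decrypted here.
    """
    parts = compact_jwe.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_pbes2_header(header: dict, max_p2c: int = MAX_P2C) -> int:
    """Validate PBES2 parameters before any key derivation happens.

    Returns the accepted iteration count or raises ValueError. The point of
    the check is that it runs before PBKDF2, so an oversized p2c costs nothing.
    """
    alg = header.get("alg", "")
    if not isinstance(alg, str) or not alg.startswith("PBES2-"):
        raise ValueError(f"not a PBES2 JWE: alg={alg!r}")
    p2c = header.get("p2c")
    # RFC 7518 section 4.8.1.2: p2c is a positive JSON integer (bool is an int in Python)
    if isinstance(p2c, bool) or not isinstance(p2c, int) or p2c < 1:
        raise ValueError("p2c must be a positive integer")
    if p2c > max_p2c:
        raise ValueError(f"p2c={p2c} exceeds policy maximum {max_p2c}")
    if "p2s" not in header:
        raise ValueError("p2s (salt) missing")
    return p2c


def make_sample_jwe(p2c) -> str:
    """Build a constructed compact JWE carrying the given p2c header.

    Only the header matters for this example; the remaining four segments are
    dummy bytes, because the check must reject bad input before decryption.
    """
    header = {
        "alg": "PBES2-HS256+A128KW",
        "enc": "A128GCM",
        "p2s": _b64url_encode(b"constructed-salt"),
        "p2c": p2c,
    }
    encoded_header = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    dummy = _b64url_encode(b"\x00" * 16)
    return ".".join([encoded_header, dummy, dummy, dummy, dummy])


def safe_to_decrypt(compact_jwe: str, max_p2c: int = MAX_P2C) -> bool:
    """True if the JWE passes the pre-decryption PBES2 checks, else False."""
    try:
        check_pbes2_header(parse_protected_header(compact_jwe), max_p2c)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(safe_to_decrypt(make_sample_jwe(4096)))           # normal count: accepted
    print(safe_to_decrypt(make_sample_jwe(2_000_000_000)))  # oversized: rejected
```

The same shape applies when using nimbus-jose-jwt directly: read the parsed header's iteration count and compare it against a ceiling before handing the object to the decrypter, and treat upgrading to 9.37.2 or later as the primary fix rather than relying on a wrapper check alone.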