{
  "threat_severity" : "Moderate",
  "public_date" : "2019-10-15T00:00:00Z",
  "bugzilla" : {
    "description" : "nimbus-jose-jwt: Uncaught exceptions while parsing a JWT",
    "id" : "1764791",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1764791"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-248",
  "details" : [ "Connect2id Nimbus JOSE+JWT before v7.9 can throw various uncaught exceptions while parsing a JWT, which could result in an application crash (potential information disclosure) or a potential authentication bypass.", "A flaw was found in Connect2id Nimbus JOSE+JWT prior to version 7.9. While processing JSON web tokens (JWT), nimbus-jose-jwt can throw various uncaught exceptions resulting in an application crash, information disclosure, or authentication bypass. The highest threat from this vulnerability is to data confidentiality and system availability." ],
  "statement" : "In Red Hat Virtualization 4.2, nimbus-jose-jwt was bundled in the rhvm-dependencies package. In Red Hat Virtualization 4.3, nimbus-jose-jwt was made available as a separate package and is no longer bundled in rhvm-dependencies. Thus, rhvm-dependencies contained this vulnerability only in the 4.2 EUS stream; the 4.3 version of rhvm-dependencies is not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2020-04-02T00:00:00Z",
    "advisory" : "RHSA-2020:1308",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "apache-commons-beanutils-0:1.8.3-15.el7_7"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2020-04-02T00:00:00Z",
    "advisory" : "RHSA-2020:1308",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "org.ovirt.engine-root-0:4.3.9.3-1"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2020-04-02T00:00:00Z",
    "advisory" : "RHSA-2020:1308",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-engine-extension-aaa-misc-0:1.0.4-1.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2020-04-02T00:00:00Z",
    "advisory" : "RHSA-2020:1308",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "ovirt-fast-forward-upgrade-0:1.0.0-17.el7ev"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2020-04-02T00:00:00Z",
    "advisory" : "RHSA-2020:1308",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "rhvm-dependencies-0:4.3.2-1.el7ev"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17195\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17195" ],
  "name" : "CVE-2019-17195",
  "csaw" : false
}