[KAFKA-14994] jose4j is vulnerable to CVE- Improper Cryptographic Algorithm - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0
Fix Version/s: 3.5.0, 3.4.1
Component/s: None
Labels:
- Security

Flags:

Patch, Important

Description

Jose4j has the following vulnerability with high score of 7.1.
jose4j is vulnerable to Improper Cryptographic Algorithm. The vulnerability exists due to the way `RSA1_5` and `RSA_OAEP` is implemented, allowing an attacker to decrypt `RSA1_5` or `RSA_OAEP` encrypted ciphertexts, and in addition, it may be feasible to sign with affected keys.

Please help upgrade the library to latest version
Current version in use: 0.7.9
Latest version with the fix: 0.9.3
CVE-

Improper Cryptographic Algorithm
Severity: HIGH
CVSS: 7.1
Disclosure Date: 07 Feb 2023 19:00PM EST
Vulnerability Info: https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/40398

Attachments

Activity

People

Assignee:: Atul Sharma

Reporter:: Gaurav Jetly

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 12/May/23 13:34

Updated:: 13/May/23 11:40

Resolved:: 13/May/23 10:21