exploitDog
GHSA-r65j-6h5f-4f92

Published: 1 Apr 2024
Source: github
GitHub: reviewed
CVSS3: 6.8

Description

Withdrawn: JJWT improperly generates signing keys

Withdrawn Advisory

This advisory has been withdrawn because it has been found to be disputed. Please see the issue here for more information.

Original Description

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.
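The practical point behind the dispute is the same whichever side is right: the strength of an HMAC key is the number of bytes the library will actually feed to the MAC, not the length of the string a developer typed into a config file, and the deprecated String overloads of signWith()/setSigningKey() document their argument as a Base64-encoded key. The following is an added example, not code from the advisory, from GitHub, or from the JJWT project; it is written against the JJWT 0.12.x API (Jwts.SIG, Keys.hmacShaKeyFor, Decoders/Encoders.BASE64, verifyWith/parseSignedClaims). The class and method names, the constructed passphrase, and the "store it in config" flow are assumptions for illustration.

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.DecodingException;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.security.Keys;

import javax.crypto.SecretKey;

/** Added example (not JJWT project code): make the effective HS256 key length visible before use. */
public class HmacKeyCheck {

    /** HS256 requires at least 256 bits of key material (RFC 7518, section 3.2). */
    static final int MIN_HS256_BITS = 256;

    /**
     * Builds an HS256 key from the Base64 text stored in configuration and checks the
     * decoded length. Whether a non-Base64 string throws DecodingException or decodes to
     * fewer bytes than its character count depends on the decoder; both paths end in a
     * rejection here, so a passphrase can never masquerade as a strong key.
     */
    static SecretKey keyFromBase64Config(String base64) {
        byte[] raw;
        try {
            raw = Decoders.BASE64.decode(base64);
        } catch (DecodingException e) {
            throw new IllegalArgumentException(
                    "configured key is not valid Base64: " + e.getMessage(), e);
        }
        int bits = raw.length * 8;
        if (bits < MIN_HS256_BITS) {
            // Keys.hmacShaKeyFor would also refuse this (WeakKeyException); failing first
            // lets the message say how much material the configured value really holds.
            throw new IllegalArgumentException(
                    "decoded key is only " + bits + " bits, HS256 needs " + MIN_HS256_BITS);
        }
        return Keys.hmacShaKeyFor(raw);
    }

    public static void main(String[] args) {
        // Preferred: let the library generate a full-strength random key and persist it Base64-encoded.
        SecretKey generated = Jwts.SIG.HS256.key().build();
        String configValue = Encoders.BASE64.encode(generated.getEncoded());
        System.out.println("store this in config: " + configValue);

        // Constructed example of the mistake: a human passphrase handed to a Base64-expecting API.
        // 28 characters of text is not 224 bits of key; it is rejected on either decoder behaviour.
        String passphrase = "correct horse battery staple";
        try {
            keyFromBase64Config(passphrase);
            System.out.println("unexpected: passphrase was accepted as a key");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected passphrase: " + e.getMessage());
        }

        // Round trip with the properly built key: sign, then verify with the same SecretKey.
        SecretKey key = keyFromBase64Config(configValue);
        String jws = Jwts.builder().subject("alice").signWith(key).compact();
        String subject = Jwts.parser().verifyWith(key).build()
                .parseSignedClaims(jws).getPayload().getSubject();
        System.out.println("key bits: " + key.getEncoded().length * 8
                + ", verified subject: " + subject);
    }
}
```

Build it with jjwt-api, jjwt-impl and jjwt-jackson 0.12.x on the classpath. The check belongs at application start-up: reading the decoded length once at boot turns a silently weak key into a deployment failure instead of a long-lived forgeable token.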

Packages

Name: io.jsonwebtoken:jjwt-impl (maven)
Affected versions: <= 0.12.5
Fixed version: none

EPSS

Percentile: 35%
Score: 0.00143
Low

CVSS3

6.8 Medium

Weaknesses

CWE-327

Related vulnerabilities

CVSS3: 6.8
nvd
almost 2 years ago

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.
