Description
jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.
A flaw was found in jose4j that allows a malicious user or an insider to set a low PBES2 iteration count of 1000 or less when securing a JSON Web Token. Such a low count reduces the work factor of the password-based key derivation (the lack of entropy noted above) and leaves the system less secure.
Statement
This flaw requires manually setting the number of iterations for JSON Web Encryption to under 1000, so a malicious user would need prior access to modify it. A legitimate user could also set the variable incorrectly and make the environment less secure for JWE. This is currently rated as moderate impact.
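The check a defender would want for this flaw, written here as an added example that is not taken from the advisory or from the jose4j project: inspect the JWE protected header before any decryption and reject PBES2 tokens whose `p2c` iteration count is 1000 or less. The header names `alg` and `p2c` are the standard JWE/JWA names from RFC 7518; the sample tokens, the helper and function names, and the upper bound `MAX_P2C` (a defensive limit against very large counts, which goes beyond what the advisory discusses) are constructed for this example.

```python
import base64
import json

# The advisory treats a PBES2 iteration count of 1000 or less as too low,
# so the lowest accepted "p2c" value is 1001.  MAX_P2C is an assumption
# added here (not from the advisory): a ceiling so that an attacker-chosen
# header cannot force millions of PBKDF2 rounds on the receiver.
MIN_P2C = 1001
MAX_P2C = 1_000_000

# PBES2 key-wrapping algorithms from RFC 7518 section 4.8.
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as used in JOSE compact serializations."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def protected_header(jwe_compact: str) -> dict:
    """Parse the protected header (first of five segments) of a compact JWE."""
    parts = jwe_compact.split(".")
    if len(parts) != 5:
        raise ValueError("JWE compact serialization must have five segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    return header


def check_pbes2_iterations(jwe_compact: str, minimum: int = MIN_P2C,
                           maximum: int = MAX_P2C):
    """Return (accepted, reason) based only on the header; never decrypts."""
    try:
        header = protected_header(jwe_compact)
    except ValueError as exc:  # covers binascii.Error and JSONDecodeError too
        return False, f"malformed JWE: {exc}"

    alg = header.get("alg")
    if alg not in PBES2_ALGS:
        return True, f"alg {alg!r} is not PBES2; no iteration count to check"

    p2c = header.get("p2c")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(p2c, bool) or not isinstance(p2c, int):
        return False, "PBES2 alg without an integer p2c header"
    if p2c < minimum:
        return False, f"p2c={p2c} is below the minimum of {minimum}"
    if p2c > maximum:
        return False, f"p2c={p2c} exceeds the maximum of {maximum}"
    return True, f"p2c={p2c} accepted"


def make_sample_jwe(header: dict) -> str:
    """Constructed sample token: only the protected header is meaningful.

    The remaining four segments (encrypted key, IV, ciphertext, tag) are
    placeholders, since the check above never touches them.
    """
    filler = b64url_encode(b"\x00" * 16)
    encoded_header = b64url_encode(json.dumps(header).encode("utf-8"))
    return ".".join([encoded_header, filler, filler, filler, filler])


if __name__ == "__main__":
    samples = {
        "too low (500)": {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                          "p2s": "c2FsdHNhbHQ", "p2c": 500},
        "boundary (1000)": {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                            "p2s": "c2FsdHNhbHQ", "p2c": 1000},
        "acceptable (600000)": {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM",
                                "p2s": "c2FsdHNhbHQ", "p2c": 600000},
        "missing p2c": {"alg": "PBES2-HS256+A128KW", "enc": "A128GCM"},
        "not PBES2": {"alg": "RSA-OAEP", "enc": "A128GCM"},
    }
    for label, hdr in samples.items():
        accepted, reason = check_pbes2_iterations(make_sample_jwe(hdr))
        print(f"{label:22} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Run this check on inbound tokens before handing them to the JWE library, so that a token carrying a weakened `p2c` is rejected by policy regardless of which library version performs the decryption.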
Mitigation
No mitigation is currently available for this flaw.
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins-2-plugins | Not affected | | |
| OpenShift Serverless | jose4j | Will not fix | | |
| Red Hat AMQ Broker 7 | jose4j | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | jose4j | Will not fix | | |
| Red Hat build of Apicurio Registry 2 | jose4j | Affected | | |
| Red Hat build of Debezium 2 | jose4j | Will not fix | | |
| Red Hat build of Quarkus | org.bitbucket.b_c/jose4j | Not affected | | |
| Red Hat Fuse 7 | jose4j | Will not fix | | |
| Red Hat Integration Camel K 1 | jose4j | Will not fix | | |
| Red Hat JBoss Data Grid 7 | jose4j | Out of support scope | | |
Additional information
CVSS3: 6.8 Medium
Related vulnerabilities
Vulnerability in the Jose4j JWT library related to the use of an algorithm that provides insufficient entropy, allowing an attacker to bypass security restrictions