Description
jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not meet recommended security standards" does not reflect guidance in a final publication.
A flaw was found in Jose, where the library uses a weak encryption algorithm, allowing an attacker to decrypt sensitive data. A network-based attacker can exploit this vulnerability without authentication. Successful exploitation results in the exposure of confidential information, potentially leading to a significant impact on data confidentiality. This weakness stems from the use of an insecure cryptographic construction.
Report
The severity of this vulnerability is rated Moderate, as it does not impact system availability. The effects are confined to the application layer, without compromising the underlying system stability.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Cryostat 4 | cryostat/cryostat-openshift-console-plugin-rhel9 | Affected | | |
Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel8 | Affected | | |
Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Affected | | |
OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Will not fix | | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel9 | Affected | | |
Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Affected | | |
Red Hat Developer Hub | rhdh/rhdh-rhel9-operator | Not affected | | |
Red Hat Enterprise Linux 10 | jose | Not affected | | |
Red Hat Enterprise Linux 7 | jose | Not affected | | |
Red Hat Enterprise Linux 8 | jose | Not affected | | |
Additional information
Status:
5.6 Medium
CVSS3