Posted to jira@kafka.apache.org by "Gaurav Jetly (Jira)" <ji...@apache.org> on 2023/05/12 13:35:00 UTC

[jira] [Created] (KAFKA-14994) jose4j is vulnerable to CVE- Improper Cryptographic Algorithm

Gaurav Jetly created KAFKA-14994:
------------------------------------

             Summary:  jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
                 Key: KAFKA-14994
                 URL: https://issues.apache.org/jira/browse/KAFKA-14994
             Project: Kafka
          Issue Type: Bug
    Affects Versions: 3.4.0
            Reporter: Gaurav Jetly


Jose4j has the following vulnerability with a high score of 7.1.
jose4j is vulnerable to Improper Cryptographic Algorithm. The vulnerability exists due to the way `RSA1_5` and `RSA_OAEP` are implemented, allowing an attacker to decrypt `RSA1_5` or `RSA_OAEP` encrypted ciphertexts, and in addition, it may be feasible to sign with affected keys.

Please help upgrade the library to the latest version.
Current version in use: 0.7.9
Latest version with the fix: 0.9.3
CVE-
- Improper Cryptographic Algorithm
- Severity: HIGH
- CVSS: 7.1
- Disclosure Date: 07 Feb 2023 19:00PM EST
- Vulnerability Info: https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/40398



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
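A defender triaging a ticket like this usually wants a repeatable check that the dependency pin is at or above the fixed version. The script below is an added example, not Kafka's code or jose4j's: it parses a constructed Gradle-style versions map (modelled on the `name: "version"` layout of a `dependencies.gradle` file, not the real Kafka file), compares each pin numerically rather than as a string, and reports any artifact still below the fix version taken from the ticket (jose4j 0.9.3). The `FIXED_VERSIONS` table and the sample text are assumptions for this example.

```python
"""Flag dependency pins that are below a known fixed version.

Added example; not Kafka's or jose4j's own code. Assumes a Gradle-style
versions map where artifacts are declared as  name: "version"  entries.
"""
import re

# Constructed sample modelled on a Gradle versions map; not the real Kafka file.
SAMPLE_VERSIONS_GRADLE = """
versions += [
  jackson: "2.13.5",
  jose4j: "0.7.9",
  zookeeper: "3.6.4",
]
"""

# Minimum versions known to contain a fix, keyed by artifact name.
# The jose4j entry is the fixed version named in the ticket (0.9.3);
# the table itself is an assumption for this example.
FIXED_VERSIONS = {"jose4j": "0.9.3"}

_VERSION_LINE = re.compile(r'^\s*(\w+)\s*:\s*"([^"]+)"')


def parse_version(v: str) -> tuple:
    """Turn '0.7.9' into (0, 7, 9) so '0.10.0' sorts above '0.9.3'.

    A plain string comparison would get that wrong ('0.10.0' < '0.9.3').
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_versions(text: str) -> dict:
    """Extract {artifact: version} from a Gradle-style versions block."""
    declared = {}
    for line in text.splitlines():
        m = _VERSION_LINE.match(line)
        if m:
            declared[m.group(1)] = m.group(2)
    return declared


def vulnerable_pins(declared: dict, fixed: dict = FIXED_VERSIONS) -> list:
    """Return (artifact, declared, fixed) for every pin below its fixed version."""
    findings = []
    for name, min_fixed in fixed.items():
        if name in declared and parse_version(declared[name]) < parse_version(min_fixed):
            findings.append((name, declared[name], min_fixed))
    return findings


if __name__ == "__main__":
    for name, current, fix in vulnerable_pins(parse_versions(SAMPLE_VERSIONS_GRADLE)):
        print(f"{name}: pinned {current}, fixed in {fix} -> upgrade")
```

Run against the constructed sample it reports the jose4j 0.7.9 pin; once the pin is raised to 0.9.3 or later it reports nothing, which makes it suitable as a CI gate for this class of ticket.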