You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Gaurav Jetly (Jira)" <ji...@apache.org> on 2023/05/12 13:35:00 UTC
[jira] [Created] (KAFKA-14994) jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
Gaurav Jetly created KAFKA-14994:
------------------------------------
Summary: jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
Key: KAFKA-14994
URL: https://issues.apache.org/jira/browse/KAFKA-14994
Project: Kafka
Issue Type: Bug
Affects Versions: 3.4.0
Reporter: Gaurav Jetly
Jose4j has the following vulnerability with high score of 7.1.
jose4j is vulnerable to Improper Cryptographic Algorithm. The vulnerability exists due to the way `RSA1_5` and `RSA_OAEP` is implemented, allowing an attacker to decrypt `RSA1_5` or `RSA_OAEP` encrypted ciphertexts, and in addition, it may be feasible to sign with affected keys.
Please help upgrade the library to latest version
Current version in use: 0.7.9
Latest version with the fix: 0.9.3
CVE-
- Improper Cryptographic Algorithm
- Severity: HIGH
- CVSS: 7.1
- Disclosure Date: 07 Feb 2023 19:00PM EST
- Vulnerability Info: https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/40398
--
This message was sent by Atlassian Jira
(v8.20.10#820010)