Posted to jira@kafka.apache.org by "Atul Sharma (Jira)" <ji...@apache.org> on 2023/05/13 10:22:00 UTC

[jira] [Resolved] (KAFKA-14994) jose4j is vulnerable to CVE- Improper Cryptographic Algorithm

     [ https://issues.apache.org/jira/browse/KAFKA-14994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Atul Sharma resolved KAFKA-14994.
---------------------------------
    Resolution: Fixed

>  jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
> --------------------------------------------------------------
>
>                 Key: KAFKA-14994
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14994
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.4.0
>            Reporter: Gaurav Jetly
>            Assignee: Atul Sharma
>            Priority: Major
>              Labels: Security
>             Fix For: 3.6.0
>
>
> Jose4j has the following vulnerability with a high score of 7.1.
> jose4j is vulnerable to Improper Cryptographic Algorithm. The vulnerability exists due to the way `RSA1_5` and `RSA_OAEP` are implemented, allowing an attacker to decrypt `RSA1_5` or `RSA_OAEP` encrypted ciphertexts, and in addition, it may be feasible to sign with affected keys.
> Please help upgrade the library to the latest version.
> Current version in use: 0.7.9
> Latest version with the fix: 0.9.3
> CVE-
> - Improper Cryptographic Algorithm
> - Severity: HIGH
> - CVSS: 7.1
> - Disclosure Date: 07 Feb 2023 19:00PM EST
> - Vulnerability Info: https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/40398



--
This message was sent by Atlassian Jira
(v8.20.10#820010)