[ https://issues.apache.org/jira/browse/KAFKA-14994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar updated KAFKA-14994:
------------------------------
    Fix Version/s: 3.6.0

> jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
> --------------------------------------------------------------
>
>                 Key: KAFKA-14994
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14994
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.4.0
>            Reporter: Gaurav Jetly
>            Assignee: Atul Sharma
>            Priority: Major
>              Labels: Security
>             Fix For: 3.6.0
>
>
> Jose4j has the following vulnerability with a high score of 7.1.
> jose4j is vulnerable to Improper Cryptographic Algorithm. The vulnerability
> exists due to the way `RSA1_5` and `RSA_OAEP` are implemented, allowing an
> attacker to decrypt `RSA1_5` or `RSA_OAEP` encrypted ciphertexts, and in
> addition, it may be feasible to sign with affected keys.
> Please help upgrade the library to the latest version.
> Current version in use: 0.7.9
> Latest version with the fix: 0.9.3
> CVE-
> - Improper Cryptographic Algorithm
> - Severity: HIGH
> - CVSS: 7.1
> - Disclosure Date: 07 Feb 2023 19:00PM EST
> - Vulnerability Info:
> https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/40398

--
This message was sent by Atlassian Jira
(v8.20.10#820010)