[ https://issues.apache.org/jira/browse/KAFKA-14994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar updated KAFKA-14994:
------------------------------
    Fix Version/s: 3.5.0
                   3.4.1
                       (was: 3.6.0)

>  jose4j is vulnerable to CVE- Improper Cryptographic Algorithm
> --------------------------------------------------------------
>
>                 Key: KAFKA-14994
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14994
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 3.4.0
>            Reporter: Gaurav Jetly
>            Assignee: Atul Sharma
>            Priority: Major
>              Labels: Security
>             Fix For: 3.5.0, 3.4.1
>
>
> Jose4j has the following vulnerability with a high score of 7.1.
> jose4j is vulnerable to Improper Cryptographic Algorithm. The vulnerability
> exists due to the way `RSA1_5` and `RSA_OAEP` are implemented, allowing an
> attacker to decrypt `RSA1_5` or `RSA_OAEP` encrypted ciphertexts, and in
> addition, it may be feasible to sign with affected keys.
> Please help upgrade the library to the latest version.
> Current version in use: 0.7.9
> Latest version with the fix: 0.9.3
> CVE-
> - Improper Cryptographic Algorithm
> - Severity: HIGH
> - CVSS: 7.1
> - Disclosure Date: 07 Feb 2023 19:00PM EST
> - Vulnerability Info: 
> https://sca.analysiscenter.veracode.com/vulnerability-database/vulnerabilities/40398



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
