AZL-27659

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27659.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-27659

Upstream

CVE-2023-37464

Published

2023-07-14T21:15:08Z

Modified

2026-04-21T04:24:29.604536Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

CVE-2023-37464 affecting package cjose 0.6.1-6

Details

OpenIDC/cjose is a C library implementing the Javascript Object Signing and Encryption (JOSE). The AES GCM decryption routine incorrectly uses the Tag length from the actual Authentication Tag provided in the JWE. The spec says that a fixed length of 16 octets must be applied. Therefore this bug allows an attacker to provide a truncated Authentication Tag and to modify the JWE accordingly. Users should upgrade to a version >= 0.6.2.2. Users unable to upgrade should avoid using AES GCM encryption and replace it with another encryption algorithm (e.g. AES CBC).

References

https://nvd.nist.gov/vuln/detail/CVE-2023-37464

Affected packages

Azure Linux:2 / cjose

Package

Name: cjose
Purl: pkg:rpm/azure-linux/cjose

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

0.6.1-6

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-27659.json"