GHSA-r65j-6h5f-4f92

Source
https://github.com/advisories/GHSA-r65j-6h5f-4f92
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r65j-6h5f-4f92/GHSA-r65j-6h5f-4f92.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r65j-6h5f-4f92
Withdrawn
2024-04-03T14:52:58Z
Published
2024-04-01T03:30:38Z
Modified
2024-04-03T15:11:09.992193Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Summary
Withdrawn: JJWT improperly generates signing keys
Details

Withdrawn Advisory

This advisory has been withdrawn because it has been found to be disputed. Please see the issue here for more information.

Original Description

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class.

Database specific
{
    "nvd_published_at": "2024-04-01T02:15:07Z",
    "github_reviewed_at": "2024-04-01T16:28:49Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-327"
    ],
    "github_reviewed": true
}
References

Affected packages

Maven / io.jsonwebtoken:jjwt-impl

Package

Name
io.jsonwebtoken:jjwt-impl
Purl
pkg:maven/io.jsonwebtoken/jjwt-impl

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
0.12.5

Affected versions

0.*
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r65j-6h5f-4f92/GHSA-r65j-6h5f-4f92.json"