JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.
CVSS
No CVSS.
References
Configurations
No configuration.
History
03 Apr 2024, 03:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary |
|
|
Summary | (en) JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date. |
01 Apr 2024, 02:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-04-01 02:15
Updated : 2024-05-17 02:38
NVD link : CVE-2024-31033
Mitre link : CVE-2024-31033
CVE.ORG link : CVE-2024-31033
JSON object : View
Products Affected
No product.
CWE
No CWE.