JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.
History

Tue, 27 Aug 2024 19:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-04-01T00:00:00

Updated: 2024-08-27T17:59:14.397Z

Reserved: 2024-03-27T00:00:00

Link: CVE-2024-31033

cve-icon Vulnrichment

Updated: 2024-08-02T01:46:04.353Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-04-01T02:15:07.850

Modified: 2024-11-21T09:12:45.350

Link: CVE-2024-31033

cve-icon Redhat

No data.