Main Vulnerability Database Vulnerabilities #VU78844

Use of a broken or risky cryptographic algorithm in cjose - CVE-2023-37464

Published: August 1, 2023

Vulnerability identifier: #VU78844

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-37464

CWE-ID: CWE-327

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
cjose

Software vendor:
Cisco Systems, Inc

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error in the AES GCM decryption routine that uses the Tag length from the actual Authentication Tag provided in the JWE. A remote attacker can provide a truncated Authentication Tag and to modify the JWE accordingly.

Remediation

Install updates from vendor's website.

External links

https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e
https://datatracker.ietf.org/doc/html/rfc7518#section-4.7
https://github.com/OpenIDC/cjose/releases/tag/v0.6.2.2

Use of a broken or risky cryptographic algorithm in cjose - CVE-2023-37464

Description

Remediation

External links

Please verify you're human