Main Vulnerability Database Vulnerabilities #VU78844

Use of a broken or risky cryptographic algorithm in cjose - CVE-2023-37464

Published: August 1, 2023

Vulnerability identifier: #VU78844

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-37464

CWE-ID: CWE-327

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Cisco Systems, Inc

Affected software:
cjose

Detailed vulnerability description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error in the AES GCM decryption routine that uses the Tag length from the actual Authentication Tag provided in the JWE. A remote attacker can provide a truncated Authentication Tag and to modify the JWE accordingly.

How to mitigate CVE-2023-37464

Install updates from vendor's website.

Sources

https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e
https://datatracker.ietf.org/doc/html/rfc7518#section-4.7
https://github.com/OpenIDC/cjose/releases/tag/v0.6.2.2

Use of a broken or risky cryptographic algorithm in cjose - CVE-2023-37464

Detailed vulnerability description

How to mitigate CVE-2023-37464

Sources

Please verify you're human