#VU83977 Insufficient entropy in jose4j


Published: 2023-12-07

Vulnerability identifier: #VU83977

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-31582

CWE-ID: CWE-331

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jose4j
Universal components / Libraries / Libraries used by multiple products

Vendor: jose4j

Description

The vulnerability allows a remote attacker to brute-force JWT token.

The vulnerability exists due to usage of insufficient entropy when generating JWT token. A remote attacker can brute-force the JWT token and gain unauthorized access to the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jose4j: 0.1.0 - 0.9.2

External links
http://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then
http://github.com/KANIXB/JWTIssues/blob/main/jose4j%20issue.md

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Netcool Operations Insight
Multiple vulnerabilities in IBM Operations Analytics Predictive Insights
SUSE update for Maintenance update for SUSE Manager 4.3: Server, Proxy and Retail Branch Server
Insufficient entropy in IBM Business Automation Workflow
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Multiple vulnerabilities in Oracle Communications Cloud Native Core Network Repository Function
Multiple vulnerabilities in Oracle Communications Cloud Native Core Network Exposure Function
Multiple vulnerabilities in Oracle Communications Cloud Native Core Unified Data Repository
Multiple vulnerabilities in HPE Unified OSS Console Assurance Monitoring (UOCAM)
Multiple vulnerabilities in Red Hat Data Grid 8.4