Use of a Broken or Risky Cryptographic Algorithm


Severity Medium
Score 6.8/10


JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the "setSigningKey()" method within the "DefaultJwtParser" class and the "signWith()" method within the "DefaultJwtBuilder" class. NOTE: The vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.

  • HIGH
  • HIGH
  • NONE
  • HIGH
  • NONE

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.

Advisory Timeline

  • Published